mcpico 0.1.2 → 0.2.0

package/README.md

@@ -28,6 +28,8 @@ Group related tools under a single entry point. The model sees 9 groups instead
 - **Dual listen transport** — MCPico itself listens via stdio or HTTP/SSE (configurable port)
 - **Configurable timeouts** — Per-server connection timeout with sensible default (30s)
 - **Resource & prompt passthrough** — Namespaced to avoid collisions across servers
+- **Authentication** — Bearer, custom header, and OAuth2 client_credentials with automatic token refresh
+- **Listen endpoint auth** — Protect the SSE endpoint with bearer token validation
 
 ## Usage
 
@@ -178,12 +180,111 @@ Groups from different servers are merged if they share a prefix. Otherwise each
 | `type` | `"sse"` | yes | Transport type |
 | `url` | `string` | yes | Full URL to MCP Streamable HTTP endpoint |
 
+## Authentication
+
+MCPico supports two layers of authentication:
+
+### Layer 1: Protecting the listen endpoint
+
+When MCPico exposes an SSE endpoint, you can require a bearer token from clients:
+
+```json
+{
+  "servers": [...],
+  "listen": {
+    "type": "sse",
+    "port": 3000,
+    "auth": {
+      "type": "bearer",
+      "token": "${MCPICO_API_KEY}"
+    }
+  }
+}
+```
+
+Clients must include `Authorization: Bearer <token>` in requests. Invalid or missing tokens receive a 401 response.
+
+### Layer 2: Authenticating to upstream servers
+
+Upstream servers can require authentication. MCPico supports three methods:
+
+**Bearer token** — standard `Authorization: Bearer <token>` header:
+
+```json
+{
+  "servers": [
+    {
+      "name": "internal-api",
+      "transport": {
+        "type": "sse",
+        "url": "https://api.internal/mcp"
+      },
+      "auth": {
+        "type": "bearer",
+        "token": "${INTERNAL_KEY}"
+      }
+    }
+  ]
+}
+```
+
+**Custom header** — arbitrary headers (e.g. `X-API-Key`):
+
+```json
+{
+  "auth": {
+    "type": "header",
+    "name": "X-API-Key",
+    "value": "${WIDGET_KEY}"
+  }
+}
+```
+
+**OAuth 2.0 client credentials** — machine-to-machine authentication with automatic token refresh:
+
+```json
+{
+  "auth": {
+    "type": "oauth",
+    "grant_type": "client_credentials",
+    "client_id": "${PROVIDER_CLIENT_ID}",
+    "client_secret": "${PROVIDER_CLIENT_SECRET}",
+    "token_url": "https://auth.example.com/oauth/token",
+    "scopes": ["read", "write"]
+  }
+}
+```
+
+MCPico handles the full OAuth flow:
+- Fetches initial access token on startup
+- Caches tokens in `~/.mcplico/credentials.json`
+- Automatically refreshes before expiry
+- Retries on 401 with fresh tokens
+
+All auth fields support `${ENV_VAR}` interpolation — never hardcode secrets.
+
+### Auth config reference
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `auth.type` | `"bearer"` \| `"header"` \| `"oauth"` | yes | Auth method |
+| `auth.token` | `string` | for `bearer` | Bearer token value |
+| `auth.name` | `string` | for `header` | Header name |
+| `auth.value` | `string` | for `header` | Header value |
+| `auth.grant_type` | `"client_credentials"` | for `oauth` | OAuth grant type |
+| `auth.client_id` | `string` | for `oauth` | OAuth client ID |
+| `auth.client_secret` | `string` | for `oauth` | OAuth client secret |
+| `auth.token_url` | `string` | for `oauth` | Token endpoint URL |
+| `auth.scopes` | `string[]` | no | OAuth scopes to request |
+| `auth.authorization_server_url` | `string` | no | Auth server URL (if different from token_url issuer) |
+
+## Development
 ## Development
 
 ```bash
 npm install
 npm run build    # TypeScript compilation
-npm test         # Run tests (105 tests, vitest)
+npm test         # Run tests (138 tests, vitest)
 npm run dev      # Run directly with tsx
 ```
 

package/dist/auth-types.d.ts

@@ -0,0 +1,54 @@
+/**
+ * Authentication types for MCPico.
+ *
+ * Two layers:
+ *   Layer 1 — Auth for the listen endpoint (protecting MCPico from clients)
+ *   Layer 2 — Auth passthrough to upstream MCP servers
+ */
+export interface BearerAuth {
+    type: "bearer";
+    /** Bearer token value. Supports ${ENV_VAR} interpolation. */
+    token: string;
+}
+export interface HeaderAuth {
+    type: "header";
+    /** Header name (e.g. "X-API-Key", "X-Auth-Token") */
+    name: string;
+    /** Header value. Supports ${ENV_VAR} interpolation. */
+    value: string;
+}
+export interface OAuthClientCredentials {
+    type: "oauth";
+    /** OAuth 2.0 grant type */
+    grant_type: "client_credentials";
+    /** Client ID for the OAuth provider */
+    client_id: string;
+    /** Client secret for the OAuth provider */
+    client_secret: string;
+    /** Token endpoint URL */
+    token_url: string;
+    /** Optional scopes to request */
+    scopes?: string[];
+    /** Optional authorization server metadata URL (if different from token_url issuer) */
+    authorization_server_url?: string;
+}
+export type UpstreamAuth = BearerAuth | HeaderAuth | OAuthClientCredentials;
+export interface ListenBearerAuth {
+    type: "bearer";
+    /** Bearer token that clients must provide. Supports ${ENV_VAR} interpolation. */
+    token: string;
+}
+export type ListenAuth = ListenBearerAuth;
+export interface ResolvedBearerAuth {
+    type: "bearer";
+    token: string;
+}
+export interface ResolvedHeaderAuth {
+    type: "header";
+    name: string;
+    value: string;
+}
+export type ResolvedUpstreamAuth = ResolvedBearerAuth | ResolvedHeaderAuth | (OAuthClientCredentials & {
+    type: "oauth";
+});
+export type ResolvedListenAuth = ResolvedBearerAuth;

package/dist/auth-types.js

@@ -0,0 +1,9 @@
+/**
+ * Authentication types for MCPico.
+ *
+ * Two layers:
+ *   Layer 1 — Auth for the listen endpoint (protecting MCPico from clients)
+ *   Layer 2 — Auth passthrough to upstream MCP servers
+ */
+export {};
+//# sourceMappingURL=auth-types.js.map

package/dist/auth-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-types.js","sourceRoot":"","sources":["../src/auth-types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG"}

package/dist/auth.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Auth utilities: env var resolution, header generation, listen token validation.
+ */
+import type { IncomingMessage, ServerResponse } from "node:http";
+import type { UpstreamAuth, ListenAuth, ResolvedUpstreamAuth, ResolvedListenAuth } from "./auth-types.js";
+/**
+ * Replace ${VAR} patterns with process.env values.
+ * Throws if a referenced env var is not set.
+ */
+export declare function resolveEnvVars(value: string): string;
+/**
+ * Resolve an UpstreamAuth config to a ResolvedUpstreamAuth with env vars interpolated.
+ */
+export declare function resolveUpstreamAuth(auth: UpstreamAuth): ResolvedUpstreamAuth;
+/**
+ * Resolve a ListenAuth config to ResolvedListenAuth.
+ */
+export declare function resolveListenAuth(auth: ListenAuth): ResolvedListenAuth;
+/**
+ * Generate HTTP headers from a resolved upstream auth config.
+ * For bearer/header types, returns headers to attach to requests.
+ * For OAuth, returns empty — the SDK authProvider handles it.
+ */
+export declare function upstreamAuthHeaders(auth: ResolvedUpstreamAuth): Record<string, string>;
+/**
+ * Extract bearer token from an Authorization header.
+ * Returns undefined if no Bearer token found.
+ */
+export declare function extractBearerToken(req: IncomingMessage): string | undefined;
+/**
+ * Validate a bearer token against the configured token.
+ * Returns true if token is valid, false otherwise.
+ */
+export declare function validateBearerToken(providedToken: string | undefined, expectedToken: string): boolean;
+/**
+ * Send a 401 Unauthorized response with a WWW-Authenticate header.
+ */
+export declare function sendUnauthorized(res: ServerResponse): void;

package/dist/auth.js

@@ -0,0 +1,122 @@
+// ── Env var interpolation ──
+/**
+ * Replace ${VAR} patterns with process.env values.
+ * Throws if a referenced env var is not set.
+ */
+export function resolveEnvVars(value) {
+    return value.replace(/\$\{(\w+)\}/g, (_match, varName) => {
+        const envValue = process.env[varName];
+        if (envValue === undefined) {
+            throw new Error(`Environment variable "${varName}" is not set. ` +
+                `Referenced in auth config. Set it or remove the auth block.`);
+        }
+        return envValue;
+    });
+}
+// ── Auth resolution ──
+/**
+ * Resolve an UpstreamAuth config to a ResolvedUpstreamAuth with env vars interpolated.
+ */
+export function resolveUpstreamAuth(auth) {
+    switch (auth.type) {
+        case "bearer":
+            return {
+                type: "bearer",
+                token: resolveEnvVars(auth.token),
+            };
+        case "header":
+            return {
+                type: "header",
+                name: resolveEnvVars(auth.name),
+                value: resolveEnvVars(auth.value),
+            };
+        case "oauth":
+            // OAuth credentials are resolved at request time by the provider
+            return {
+                type: "oauth",
+                grant_type: auth.grant_type,
+                client_id: resolveEnvVars(auth.client_id),
+                client_secret: resolveEnvVars(auth.client_secret),
+                token_url: resolveEnvVars(auth.token_url),
+                scopes: auth.scopes,
+                authorization_server_url: auth.authorization_server_url
+                    ? resolveEnvVars(auth.authorization_server_url)
+                    : undefined,
+            };
+    }
+}
+/**
+ * Resolve a ListenAuth config to ResolvedListenAuth.
+ */
+export function resolveListenAuth(auth) {
+    return {
+        type: "bearer",
+        token: resolveEnvVars(auth.token),
+    };
+}
+// ── Header generation for upstream requests ──
+/**
+ * Generate HTTP headers from a resolved upstream auth config.
+ * For bearer/header types, returns headers to attach to requests.
+ * For OAuth, returns empty — the SDK authProvider handles it.
+ */
+export function upstreamAuthHeaders(auth) {
+    if (auth.type === "bearer") {
+        return { Authorization: `Bearer ${auth.token}` };
+    }
+    if (auth.type === "header") {
+        return { [auth.name]: auth.value };
+    }
+    // OAuth is handled by the MCP SDK's authProvider — no static headers
+    return {};
+}
+// ── Listen endpoint auth middleware ──
+/**
+ * Extract bearer token from an Authorization header.
+ * Returns undefined if no Bearer token found.
+ */
+export function extractBearerToken(req) {
+    const auth = req.headers.authorization;
+    if (!auth)
+        return undefined;
+    const match = auth.match(/^Bearer\s+(.+)$/i);
+    return match ? match[1] : undefined;
+}
+/**
+ * Validate a bearer token against the configured token.
+ * Returns true if token is valid, false otherwise.
+ */
+export function validateBearerToken(providedToken, expectedToken) {
+    if (!providedToken)
+        return false;
+    // Constant-time comparison to prevent timing attacks
+    return timingSafeEqual(providedToken, expectedToken);
+}
+/**
+ * Send a 401 Unauthorized response with a WWW-Authenticate header.
+ */
+export function sendUnauthorized(res) {
+    res.writeHead(401, {
+        "Content-Type": "application/json",
+        "WWW-Authenticate": 'Bearer realm="mcplico"',
+    });
+    res.end(JSON.stringify({ error: "Unauthorized", message: "Bearer token required" }));
+}
+// ── Constant-time string comparison ──
+function timingSafeEqual(a, b) {
+    if (a.length !== b.length) {
+        // Still compare to avoid leaking length via timing
+        const maxLen = Math.max(a.length, b.length);
+        let result = 0;
+        for (let i = 0; i < maxLen; i++) {
+            result |= a.charCodeAt(i % a.length) ^ b.charCodeAt(i % b.length);
+        }
+        return false;
+    }
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+        result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    }
+    return result === 0;
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAcA,8BAA8B;AAE9B;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,OAAO,KAAK,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,MAAM,EAAE,OAAe,EAAE,EAAE;QAC/D,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACb,yBAAyB,OAAO,gBAAgB;gBAC9C,6DAA6D,CAChE,CAAC;QACJ,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,wBAAwB;AAExB;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,IAAkB;IAElB,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,KAAK,QAAQ;YACX,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,KAAK,EAAE,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC;aACV,CAAC;QAE5B,KAAK,QAAQ;YACX,OAAO;gBACL,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC/B,KAAK,EAAE,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC;aACV,CAAC;QAE5B,KAAK,OAAO;YACV,iEAAiE;YACjE,OAAO;gBACL,IAAI,EAAE,OAAO;gBACb,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,SAAS,EAAE,cAAc,CAAC,IAAI,CAAC,SAAS,CAAC;gBACzC,aAAa,EAAE,cAAc,CAAC,IAAI,CAAC,aAAa,CAAC;gBACjD,SAAS,EAAE,cAAc,CAAC,IAAI,CAAC,SAAS,CAAC;gBACzC,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,wBAAwB,EAAE,IAAI,CAAC,wBAAwB;oBACrD,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,wBAAwB,CAAC;oBAC/C,CAAC,CAAC,SAAS;aACU,CAAC;IAC9B,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,IAAgB;IAEhB,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,KAAK,EAAE,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC;KAClC,CAAC;AACJ,CAAC;AAED,gDAAgD;AAEhD;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CACjC,IAA0B;IAE1B,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC3B,OAAO,EAAE,aAAa,EAAE,UAAU,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC;IACnD,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;IACrC,CAAC;IACD,qEAAqE;IACrE,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,wCAAwC;AAExC;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAoB;IACrD,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;IACvC,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAC7C,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CACjC,aAAiC,EACjC,aAAqB;IAErB,IAAI,CAAC,aAAa;QAAE,OAAO,KAAK,CAAC;IACjC,qDAAqD;IACrD,OAAO,eAAe,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;AACvD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAmB;IAClD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;QACjB,cAAc,EAAE,kBAAkB;QAClC,kBAAkB,EAAE,wBAAwB;KAC7C,CAAC,CAAC;IACH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC,CAAC,CAAC;AACvF,CAAC;AAED,wCAAwC;AAExC,SAAS,eAAe,CAAC,CAAS,EAAE,CAAS;IAC3C,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;QAC1B,mDAAmD;QACnD,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;QAC5C,IAAI,MAAM,GAAG,CAAC,CAAC;QACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAChC,MAAM,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;QACpE,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,MAAM,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,MAAM,KAAK,CAAC,CAAC;AACtB,CAAC"}

package/dist/config.d.ts

@@ -1,6 +1,7 @@
 /**
  * Transport configuration for connecting to an upstream MCP server.
  */
+import type { UpstreamAuth, ListenAuth } from "./auth-types.js";
 export type TransportConfig = {
     type: "stdio";
     command: string;
@@ -22,6 +23,8 @@ export interface ServerConfig {
     transport: TransportConfig;
     /** Connection timeout in milliseconds (default: 30000) */
     connectTimeoutMs?: number;
+    /** Authentication config for this upstream server */
+    auth?: UpstreamAuth;
 }
 /**
  * Tool grouping override — map group names to explicit tool lists.
@@ -38,6 +41,7 @@ export type ListenConfig = {
     type: "sse";
     port: number;
     host?: string;
+    auth?: ListenAuth;
 };
 /**
  * Full MCPico configuration.

package/dist/config.js.map

@@ -1 +1 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAyDA;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAoB;IACvD,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QACpD,OAAO,mDAAmD,CAAC;IAC7D,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACtB,OAAO,WAAW,MAAM,CAAC,IAAI,wBAAwB,CAAC;IACxD,CAAC;IACD,IAAI,MAAM,CAAC,SAAS,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACtC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;YAC9B,OAAO,WAAW,MAAM,CAAC,IAAI,uCAAuC,CAAC;QACvE,CAAC;IACH,CAAC;SAAM,IAAI,MAAM,CAAC,SAAS,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC3C,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,EAAE,CAAC;YAC1B,OAAO,WAAW,MAAM,CAAC,IAAI,iCAAiC,CAAC;QACjE,CAAC;QACD,IAAI,CAAC;YACH,IAAI,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QAChC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,WAAW,MAAM,CAAC,IAAI,+CAA+C,MAAM,CAAC,SAAS,CAAC,GAAG,GAAG,CAAC;QACtG,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,WAAW,MAAM,CAAC,IAAI,8BAA+B,MAAM,CAAC,SAAoC,CAAC,IAAI,0BAA0B,CAAC;IACzI,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AA8DA;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAoB;IACvD,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QACpD,OAAO,mDAAmD,CAAC;IAC7D,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACtB,OAAO,WAAW,MAAM,CAAC,IAAI,wBAAwB,CAAC;IACxD,CAAC;IACD,IAAI,MAAM,CAAC,SAAS,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACtC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;YAC9B,OAAO,WAAW,MAAM,CAAC,IAAI,uCAAuC,CAAC;QACvE,CAAC;IACH,CAAC;SAAM,IAAI,MAAM,CAAC,SAAS,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC3C,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,EAAE,CAAC;YAC1B,OAAO,WAAW,MAAM,CAAC,IAAI,iCAAiC,CAAC;QACjE,CAAC;QACD,IAAI,CAAC;YACH,IAAI,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QAChC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,WAAW,MAAM,CAAC,IAAI,+CAA+C,MAAM,CAAC,SAAS,CAAC,GAAG,GAAG,CAAC;QACtG,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,WAAW,MAAM,CAAC,IAAI,8BAA+B,MAAM,CAAC,SAAoC,CAAC,IAAI,0BAA0B,CAAC;IACzI,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/discoverer.d.ts

@@ -1,5 +1,6 @@
 import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import type { TransportConfig } from "./config.js";
+import type { ResolvedUpstreamAuth } from "./auth-types.js";
 /**
  * Tool metadata from an upstream MCP server.
  */
@@ -45,7 +46,7 @@ export interface DiscoveredServer {
  * Supports stdio and streamable HTTP transports.
  * Default connection timeout is 30 seconds.
  */
-export declare function discoverServer(name: string, transportConfig: TransportConfig, connectTimeoutMs?: number): Promise<DiscoveredServer>;
+export declare function discoverServer(name: string, transportConfig: TransportConfig, connectTimeoutMs?: number, auth?: ResolvedUpstreamAuth): Promise<DiscoveredServer>;
 /**
  * Disconnect from an upstream server.
  */

package/dist/discoverer.js

@@ -1,13 +1,15 @@
 import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+import { upstreamAuthHeaders } from "./auth.js";
+import { createClientCredentialsProvider } from "./oauth-provider.js";
 /**
  * Connect to an upstream MCP server and discover its tools.
  *
  * Supports stdio and streamable HTTP transports.
  * Default connection timeout is 30 seconds.
  */
-export async function discoverServer(name, transportConfig, connectTimeoutMs = 30_000) {
+export async function discoverServer(name, transportConfig, connectTimeoutMs = 30_000, auth) {
     let transport;
     if (transportConfig.type === "stdio") {
         transport = new StdioClientTransport({
@@ -18,12 +20,22 @@ export async function discoverServer(name, transportConfig, connectTimeoutMs = 3
         });
     }
     else if (transportConfig.type === "sse") {
-        transport = new StreamableHTTPClientTransport(new URL(transportConfig.url));
+        const url = new URL(transportConfig.url);
+        const opts = {};
+        if (auth) {
+            if (auth.type === "oauth") {
+                opts.authProvider = createClientCredentialsProvider(auth.client_id, auth.client_secret, transportConfig.url);
+            }
+            else {
+                opts.requestInit = { headers: upstreamAuthHeaders(auth) };
+            }
+        }
+        transport = new StreamableHTTPClientTransport(url, opts);
     }
     else {
         throw new Error(`Unsupported transport type: ${transportConfig.type}`);
     }
-    const client = new Client({ name: `MCPico-${name}`, version: "0.1.0" }, { capabilities: {} });
+    const client = new Client({ name: `MCPico-${name}`, version: "0.2.0" }, { capabilities: {} });
     // Connect with timeout
     await withTimeout(client.connect(transport), connectTimeoutMs, `Connection to "${name}" timed out after ${connectTimeoutMs}ms`);
     // Discover tools

package/dist/discoverer.js.map

@@ -1 +1 @@
-{"version":3,"file":"discoverer.js","sourceRoot":"","sources":["../src/discoverer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AA0CnG;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAY,EACZ,eAAgC,EAChC,mBAA2B,MAAM;IAEjC,IAAI,SAAS,CAAC;IAEd,IAAI,eAAe,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACrC,SAAS,GAAG,IAAI,oBAAoB,CAAC;YACnC,OAAO,EAAE,eAAe,CAAC,OAAO;YAChC,IAAI,EAAE,eAAe,CAAC,IAAI;YAC1B,GAAG,EAAE,eAAe,CAAC,GAAG;YACxB,GAAG,EAAE,eAAe,CAAC,GAAG;SACzB,CAAC,CAAC;IACL,CAAC;SAAM,IAAI,eAAe,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC1C,SAAS,GAAG,IAAI,6BAA6B,CAC3C,IAAI,GAAG,CAAC,eAAe,CAAC,GAAG,CAAC,CAC7B,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,+BAAgC,eAAmC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC9F,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB,EAAE,IAAI,EAAE,UAAU,IAAI,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,EAC5C,EAAE,YAAY,EAAE,EAAE,EAAE,CACrB,CAAC;IAEF,uBAAuB;IACvB,MAAM,WAAW,CACf,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EACzB,gBAAgB,EAChB,kBAAkB,IAAI,qBAAqB,gBAAgB,IAAI,CAChE,CAAC;IAEF,iBAAiB;IACjB,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,SAAS,EAAE,CAAC;IAC7C,MAAM,KAAK,GAAmB,CAAC,WAAW,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAClE,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,WAAW,EAAE,CAAC,CAAC,WAAW;QAC1B,WAAW,EAAG,CAAC,CAAC,WAAuC,IAAI,EAAE;KAC9D,CAAC,CAAC,CAAC;IAEJ,oCAAoC;IACpC,IAAI,SAAS,GAAuB,EAAE,CAAC;IACvC,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,aAAa,EAAE,CAAC;QAC/C,SAAS,GAAG,CAAC,SAAS,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAClD,GAAG,EAAE,CAAC,CAAC,GAAG;YACV,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,WAAW,EAAE,CAAC,CAAC,WAAW;YAC1B,QAAQ,EAAE,CAAC,CAAC,QAAQ;SACrB,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,MAAM,CAAC;QACP,gDAAgD;IAClD,CAAC;IAED,kCAAkC;IAClC,IAAI,OAAO,GAAqB,EAAE,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC;QAChD,OAAO,GAAG,CAAC,YAAY,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACjD,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,WAAW,EAAE,CAAC,CAAC,WAAW;YAC1B,SAAS,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACzC,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,WAAW,EAAE,CAAC,CAAC,WAAW;gBAC1B,QAAQ,EAAE,CAAC,CAAC,QAAQ;aACrB,CAAC,CAAC;SACJ,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,MAAM,CAAC;QACP,8CAA8C;IAChD,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;AACrD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,MAAwB;IAC7D,MAAM,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,WAAW,CACxB,OAAmB,EACnB,SAAiB,EACjB,YAAoB;IAEpB,OAAO,OAAO,CAAC,IAAI,CAAC;QAClB,OAAO;QACP,IAAI,OAAO,CAAI,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC3B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC,EAAE,SAAS,CAAC,CAC7D;KACF,CAAC,CAAC;AACL,CAAC"}
+{"version":3,"file":"discoverer.js","sourceRoot":"","sources":["../src/discoverer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AAGnG,OAAO,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAChD,OAAO,EAAE,+BAA+B,EAAE,MAAM,qBAAqB,CAAC;AAyCtE;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAY,EACZ,eAAgC,EAChC,mBAA2B,MAAM,EACjC,IAA2B;IAE3B,IAAI,SAAS,CAAC;IAEd,IAAI,eAAe,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACrC,SAAS,GAAG,IAAI,oBAAoB,CAAC;YACnC,OAAO,EAAE,eAAe,CAAC,OAAO;YAChC,IAAI,EAAE,eAAe,CAAC,IAAI;YAC1B,GAAG,EAAE,eAAe,CAAC,GAAG;YACxB,GAAG,EAAE,eAAe,CAAC,GAAG;SACzB,CAAC,CAAC;IACL,CAAC;SAAM,IAAI,eAAe,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC1C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,IAAI,GAGN,EAAE,CAAC;QAEP,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC1B,IAAI,CAAC,YAAY,GAAG,+BAA+B,CACjD,IAAI,CAAC,SAAS,EACd,IAAI,CAAC,aAAa,EAClB,eAAe,CAAC,GAAG,CACpB,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,WAAW,GAAG,EAAE,OAAO,EAAE,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5D,CAAC;QACH,CAAC;QAED,SAAS,GAAG,IAAI,6BAA6B,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAC3D,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,+BAAgC,eAAmC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC9F,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB,EAAE,IAAI,EAAE,UAAU,IAAI,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,EAC5C,EAAE,YAAY,EAAE,EAAE,EAAE,CACrB,CAAC;IAEF,uBAAuB;IACvB,MAAM,WAAW,CACf,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EACzB,gBAAgB,EAChB,kBAAkB,IAAI,qBAAqB,gBAAgB,IAAI,CAChE,CAAC;IAEF,iBAAiB;IACjB,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,SAAS,EAAE,CAAC;IAC7C,MAAM,KAAK,GAAmB,CAAC,WAAW,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAClE,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,WAAW,EAAE,CAAC,CAAC,WAAW;QAC1B,WAAW,EAAG,CAAC,CAAC,WAAuC,IAAI,EAAE;KAC9D,CAAC,CAAC,CAAC;IAEJ,oCAAoC;IACpC,IAAI,SAAS,GAAuB,EAAE,CAAC;IACvC,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,aAAa,EAAE,CAAC;QAC/C,SAAS,GAAG,CAAC,SAAS,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAClD,GAAG,EAAE,CAAC,CAAC,GAAG;YACV,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,WAAW,EAAE,CAAC,CAAC,WAAW;YAC1B,QAAQ,EAAE,CAAC,CAAC,QAAQ;SACrB,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,MAAM,CAAC;QACP,gDAAgD;IAClD,CAAC;IAED,kCAAkC;IAClC,IAAI,OAAO,GAAqB,EAAE,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC;QAChD,OAAO,GAAG,CAAC,YAAY,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACjD,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,WAAW,EAAE,CAAC,CAAC,WAAW;YAC1B,SAAS,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACzC,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,WAAW,EAAE,CAAC,CAAC,WAAW;gBAC1B,QAAQ,EAAE,CAAC,CAAC,QAAQ;aACrB,CAAC,CAAC;SACJ,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,MAAM,CAAC;QACP,8CAA8C;IAChD,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;AACrD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,MAAwB;IAC7D,MAAM,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,WAAW,CACxB,OAAmB,EACnB,SAAiB,EACjB,YAAoB;IAEpB,OAAO,OAAO,CAAC,IAAI,CAAC;QAClB,OAAO;QACP,IAAI,OAAO,CAAI,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC3B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC,EAAE,SAAS,CAAC,CAC7D;KACF,CAAC,CAAC;AACL,CAAC"}

package/dist/index.js

@@ -20,7 +20,7 @@ async function main() {
             i++;
         }
         else if (args[i] === "--version" || args[i] === "-v") {
-            console.log("MCPico v0.1.0");
+            console.log("MCPico v0.2.0");
             process.exit(0);
         }
         else if (args[i] === "--help" || args[i] === "-h") {

package/dist/oauth-provider.d.ts

@@ -0,0 +1,19 @@
+/**
+ * OAuth client_credentials provider for MCPico.
+ *
+ * Implements the MCP SDK's OAuthClientProvider interface so that
+ * StreamableHTTPClientTransport handles auth discovery, token exchange,
+ * and refresh automatically.
+ */
+import type { OAuthClientProvider } from "@modelcontextprotocol/sdk/client/auth.js";
+/**
+ * Create an OAuthClientProvider for client_credentials grant.
+ *
+ * Uses a fixed server URL for token storage key and provides
+ * client metadata from config. The MCP SDK handles:
+ *  - RFC 9728 resource metadata discovery
+ *  - RFC 8414 authorization server metadata discovery
+ *  - Token exchange
+ *  - Token refresh via refreshAuthorization()
+ */
+export declare function createClientCredentialsProvider(clientId: string, clientSecret: string, serverUrl: string): OAuthClientProvider;

package/dist/oauth-provider.js

@@ -0,0 +1,79 @@
+import { loadTokens, saveTokens, clearTokens } from "./token-store.js";
+/**
+ * Create an OAuthClientProvider for client_credentials grant.
+ *
+ * Uses a fixed server URL for token storage key and provides
+ * client metadata from config. The MCP SDK handles:
+ *  - RFC 9728 resource metadata discovery
+ *  - RFC 8414 authorization server metadata discovery
+ *  - Token exchange
+ *  - Token refresh via refreshAuthorization()
+ */
+export function createClientCredentialsProvider(clientId, clientSecret, serverUrl) {
+    return new ClientCredentialsProvider(clientId, clientSecret, serverUrl);
+}
+class ClientCredentialsProvider {
+    clientId;
+    clientSecret;
+    serverUrl;
+    _tokens;
+    constructor(clientId, clientSecret, serverUrl) {
+        this.clientId = clientId;
+        this.clientSecret = clientSecret;
+        this.serverUrl = serverUrl;
+        // Load any cached tokens on creation
+        this._tokens = loadTokens(serverUrl);
+    }
+    get redirectUrl() {
+        // client_credentials is non-interactive — no redirect URL
+        return undefined;
+    }
+    get clientMetadata() {
+        return {
+            redirect_uris: ["http://localhost:0/mcplico-callback"],
+            grant_types: ["client_credentials"],
+            client_name: "MCPico",
+        };
+    }
+    // Client information for token exchange
+    clientInformation() {
+        return {
+            client_id: this.clientId,
+            client_secret: this.clientSecret,
+            client_secret_expires_at: 0, // Never expires
+        };
+    }
+    // Return cached tokens (or undefined for initial auth)
+    tokens() {
+        return this._tokens;
+    }
+    // Persist tokens after successful auth/refresh
+    saveTokens(tokens) {
+        this._tokens = tokens;
+        saveTokens(this.serverUrl, tokens);
+    }
+    // No redirect needed for client_credentials
+    redirectToAuthorization(_authorizationUrl) {
+        // Non-interactive — no redirect
+    }
+    // PKCE not needed for client_credentials
+    saveCodeVerifier(_codeVerifier) {
+        // No-op for client_credentials
+    }
+    codeVerifier() {
+        return "";
+    }
+    // Use client_credentials grant
+    prepareTokenRequest(_scope) {
+        const params = new URLSearchParams({
+            grant_type: "client_credentials",
+        });
+        return params;
+    }
+    // Clear tokens on invalidation
+    invalidateCredentials(_scope) {
+        this._tokens = undefined;
+        clearTokens(this.serverUrl);
+    }
+}
+//# sourceMappingURL=oauth-provider.js.map

package/dist/oauth-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-provider.js","sourceRoot":"","sources":["../src/oauth-provider.ts"],"names":[],"mappings":"AAeA,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAEvE;;;;;;;;;GASG;AACH,MAAM,UAAU,+BAA+B,CAC7C,QAAgB,EAChB,YAAoB,EACpB,SAAiB;IAEjB,OAAO,IAAI,yBAAyB,CAAC,QAAQ,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC;AAC1E,CAAC;AAED,MAAM,yBAAyB;IAInB;IACA;IACA;IALF,OAAO,CAA0B;IAEzC,YACU,QAAgB,EAChB,YAAoB,EACpB,SAAiB;QAFjB,aAAQ,GAAR,QAAQ,CAAQ;QAChB,iBAAY,GAAZ,YAAY,CAAQ;QACpB,cAAS,GAAT,SAAS,CAAQ;QAEzB,qCAAqC;QACrC,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,WAAW;QACb,0DAA0D;QAC1D,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,cAAc;QAChB,OAAO;YACL,aAAa,EAAE,CAAC,qCAAqC,CAAC;YACtD,WAAW,EAAE,CAAC,oBAAoB,CAAC;YACnC,WAAW,EAAE,QAAQ;SACtB,CAAC;IACJ,CAAC;IAED,wCAAwC;IACxC,iBAAiB;QACf,OAAO;YACL,SAAS,EAAE,IAAI,CAAC,QAAQ;YACxB,aAAa,EAAE,IAAI,CAAC,YAAY;YAChC,wBAAwB,EAAE,CAAC,EAAE,gBAAgB;SAC9C,CAAC;IACJ,CAAC;IAED,uDAAuD;IACvD,MAAM;QACJ,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,+CAA+C;IAC/C,UAAU,CAAC,MAAmB;QAC5B,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,UAAU,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACrC,CAAC;IAED,4CAA4C;IAC5C,uBAAuB,CAAC,iBAAsB;QAC5C,gCAAgC;IAClC,CAAC;IAED,yCAAyC;IACzC,gBAAgB,CAAC,aAAqB;QACpC,+BAA+B;IACjC,CAAC;IAED,YAAY;QACV,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,+BAA+B;IAC/B,mBAAmB,CACjB,MAAe;QAEf,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,UAAU,EAAE,oBAAoB;SACjC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,+BAA+B;IAC/B,qBAAqB,CAAC,MAA8D;QAClF,IAAI,CAAC,OAAO,GAAG,SAAS,CAAC;QACzB,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC9B,CAAC;CACF"}

package/dist/server.js

@@ -9,6 +9,7 @@ import { groupTools } from "./grouper.js";
 import { parseCommand } from "./parser.js";
 import { generateHelpText } from "./help.js";
 import { forwardToolCall } from "./proxy.js";
+import { resolveUpstreamAuth, resolveListenAuth, extractBearerToken, validateBearerToken, sendUnauthorized } from "./auth.js";
 /** Helper: create a simple text content result */
 export function textResult(text) {
     return {
@@ -128,7 +129,10 @@ export async function startServer(config) {
                 ? serverConfig.transport.url
                 : serverConfig.transport.command;
             console.error(`  Connecting to "${serverConfig.name}" (${serverConfig.transport.type}: ${transportLabel})...`);
-            const discovered = await discoverServer(serverConfig.name, serverConfig.transport, serverConfig.connectTimeoutMs);
+            const resolvedAuth = serverConfig.auth
+                ? resolveUpstreamAuth(serverConfig.auth)
+                : undefined;
+            const discovered = await discoverServer(serverConfig.name, serverConfig.transport, serverConfig.connectTimeoutMs, resolvedAuth);
             servers.push(discovered);
             const groups = groupTools(serverConfig.name, discovered.tools, separator, config.groups);
             console.error(`  → ${discovered.tools.length} tools → ${groups.length} groups: ${groups.map((g) => g.groupName).join(", ")}`);
@@ -145,7 +149,7 @@ export async function startServer(config) {
     // Build lookup: groupName → ToolGroup (merged across servers)
     const mergedGroups = mergeGroups(allGroups);
     // Create the MCPico server
-    const server = new McpServer({ name: "MCPico", version: "0.1.0" }, {
+    const server = new McpServer({ name: "MCPico", version: "0.2.0" }, {
         capabilities: { tools: {}, resources: {}, prompts: {} },
         instructions: "MCPico bundles upstream MCP tools into hierarchical groups. " +
             "Use 'help' on any group to discover available subcommands. " +
@@ -231,8 +235,21 @@ export async function startServer(config) {
     // Connect to client via configured transport
     const listenConfig = config.listen || { type: "stdio" };
     if (listenConfig.type === "sse") {
+        // Resolve listen auth
+        let listenAuth;
+        if (listenConfig.auth) {
+            listenAuth = resolveListenAuth(listenConfig.auth);
+        }
         const transport = new StreamableHTTPServerTransport();
         const httpServer = createServer(async (req, res) => {
+            // Auth check
+            if (listenAuth) {
+                const providedToken = extractBearerToken(req);
+                if (!validateBearerToken(providedToken, listenAuth.token)) {
+                    sendUnauthorized(res);
+                    return;
+                }
+            }
             // Collect body for handleRequest
             const chunks = [];
             for await (const chunk of req) {