memory-journal-mcp 7.7.0 → 8.0.0
- package/README.md +126 -56
- package/dist/chunk-6OHRCNYW.js +3231 -0
- package/dist/chunk-JFMITANR.js +5168 -0
- package/dist/{chunk-QCQPAF4I.js → chunk-MWNLAEHR.js} +301 -4321
- package/dist/{chunk-ARLYSFSI.js → chunk-UHSO65A4.js} +4242 -6092
- package/dist/cli.js +21 -3
- package/dist/index.d.ts +16 -13
- package/dist/index.js +4 -2
- package/dist/resources-IJVKDFGS.js +2 -0
- package/dist/tools-44DGXE3V.js +2 -0
- package/dist/worker-script.js +201 -20
- package/package.json +7 -4
- package/skills/README.md +62 -25
- package/skills/adversarial-performance/SKILL.md +139 -0
- package/skills/adversarial-performance/references/audit-categories.md +462 -0
- package/skills/adversarial-performance/references/copilot-performance-prompts.md +44 -0
- package/skills/adversarial-performance/references/copilot-usage.md +16 -0
- package/skills/adversarial-performance/references/feedback-loop.md +177 -0
- package/skills/adversarial-performance/references/multi-pass-performance-protocol.md +398 -0
- package/skills/adversarial-planner/SKILL.md +23 -54
- package/skills/adversarial-planner/references/copilot-integration.md +25 -40
- package/skills/adversarial-planner/references/copilot-usage.md +16 -0
- package/skills/adversarial-planner/references/multi-pass-protocol.md +4 -0
- package/skills/adversarial-security/SKILL.md +149 -0
- package/skills/adversarial-security/references/adversarial-base-protocol.md +44 -0
- package/skills/adversarial-security/references/audit-categories.md +723 -0
- package/skills/adversarial-security/references/copilot-security-prompts.md +142 -0
- package/skills/adversarial-security/references/copilot-usage.md +16 -0
- package/skills/adversarial-security/references/feedback-loop.md +206 -0
- package/skills/adversarial-security/references/journal-opt-out.md +7 -0
- package/skills/adversarial-security/references/multi-pass-security-protocol.md +403 -0
- package/skills/adversarial-skill-audit/SKILL.md +118 -0
- package/skills/adversarial-skill-audit/references/audit-categories.md +308 -0
- package/skills/adversarial-skill-audit/references/copilot-skill-prompts.md +68 -0
- package/skills/adversarial-skill-audit/references/copilot-usage.md +16 -0
- package/skills/adversarial-skill-audit/references/feedback-loop.md +155 -0
- package/skills/adversarial-skill-audit/references/multi-pass-skill-protocol.md +367 -0
- package/skills/adversarial-skill-audit/scripts/check-skills.ps1 +48 -0
- package/skills/adversarial-skill-audit/scripts/run-copilot.ps1 +52 -0
- package/skills/adversarial-workflow-audit/SKILL.md +82 -0
- package/skills/adversarial-workflow-audit/references/audit-categories.md +28 -0
- package/skills/adversarial-workflow-audit/references/copilot-usage.md +16 -0
- package/skills/adversarial-workflow-audit/scripts/check-workflows.ps1 +24 -0
- package/skills/agents-sdk/SKILL.md +220 -0
- package/skills/agents-sdk/references/callable.md +92 -0
- package/skills/agents-sdk/references/codemode.md +209 -0
- package/skills/agents-sdk/references/email.md +144 -0
- package/skills/agents-sdk/references/mcp/SKILL.md +65 -0
- package/skills/agents-sdk/references/mcp/code-mode-reference.md +245 -0
- package/skills/agents-sdk/references/mcp/oauth-reference.md +359 -0
- package/skills/agents-sdk/references/mcp/references/architecture-reference.md +208 -0
- package/skills/agents-sdk/references/mcp/references/cloudflare-quickstart.md +156 -0
- package/skills/agents-sdk/references/mcp/references/error-handling.md +343 -0
- package/skills/agents-sdk/references/mcp/references/http-security.md +164 -0
- package/skills/agents-sdk/references/mcp/references/implementation-guide.md +507 -0
- package/skills/agents-sdk/references/mcp/references/testing-reference.md +171 -0
- package/skills/agents-sdk/references/mcp.md +157 -0
- package/skills/agents-sdk/references/state-scheduling.md +164 -0
- package/skills/agents-sdk/references/streaming-chat.md +168 -0
- package/skills/agents-sdk/references/workflows.md +136 -0
- package/skills/auth-identity/SKILL.md +48 -0
- package/skills/autonomous-dev/SKILL.md +46 -23
- package/skills/autonomous-dev/references/workflow_orchestration.md +22 -0
- package/skills/aws/SKILL.md +39 -0
- package/skills/azure/SKILL.md +38 -0
- package/skills/bin/sync.js +7 -1
- package/skills/biome/SKILL.md +59 -0
- package/skills/bun/SKILL.md +8 -2
- package/skills/cloudflare/SKILL.md +37 -0
- package/skills/cloudflare/references/agents-sdk/README.md +95 -0
- package/skills/cloudflare/references/agents-sdk/api.md +195 -0
- package/skills/cloudflare/references/agents-sdk/configuration.md +178 -0
- package/skills/cloudflare/references/agents-sdk/gotchas.md +173 -0
- package/skills/cloudflare/references/agents-sdk/patterns.md +215 -0
- package/skills/cloudflare/references/ai-gateway/README.md +176 -0
- package/skills/cloudflare/references/ai-gateway/configuration.md +117 -0
- package/skills/cloudflare/references/ai-gateway/dynamic-routing.md +88 -0
- package/skills/cloudflare/references/ai-gateway/features.md +96 -0
- package/skills/cloudflare/references/ai-gateway/sdk-integration.md +110 -0
- package/skills/cloudflare/references/ai-gateway/troubleshooting.md +90 -0
- package/skills/cloudflare/references/ai-search/README.md +145 -0
- package/skills/cloudflare/references/ai-search/api.md +87 -0
- package/skills/cloudflare/references/ai-search/configuration.md +91 -0
- package/skills/cloudflare/references/ai-search/gotchas.md +92 -0
- package/skills/cloudflare/references/ai-search/patterns.md +87 -0
- package/skills/cloudflare/references/analytics-engine/README.md +96 -0
- package/skills/cloudflare/references/analytics-engine/api.md +112 -0
- package/skills/cloudflare/references/analytics-engine/configuration.md +107 -0
- package/skills/cloudflare/references/analytics-engine/gotchas.md +87 -0
- package/skills/cloudflare/references/analytics-engine/patterns.md +83 -0
- package/skills/cloudflare/references/api/README.md +66 -0
- package/skills/cloudflare/references/api/api.md +205 -0
- package/skills/cloudflare/references/api/configuration.md +158 -0
- package/skills/cloudflare/references/api/gotchas.md +231 -0
- package/skills/cloudflare/references/api/patterns.md +208 -0
- package/skills/cloudflare/references/api-shield/README.md +44 -0
- package/skills/cloudflare/references/api-shield/api.md +153 -0
- package/skills/cloudflare/references/api-shield/configuration.md +210 -0
- package/skills/cloudflare/references/api-shield/gotchas.md +132 -0
- package/skills/cloudflare/references/api-shield/patterns.md +185 -0
- package/skills/cloudflare/references/argo-smart-routing/README.md +96 -0
- package/skills/cloudflare/references/argo-smart-routing/api.md +253 -0
- package/skills/cloudflare/references/argo-smart-routing/configuration.md +205 -0
- package/skills/cloudflare/references/argo-smart-routing/gotchas.md +115 -0
- package/skills/cloudflare/references/argo-smart-routing/patterns.md +107 -0
- package/skills/cloudflare/references/bindings/README.md +127 -0
- package/skills/cloudflare/references/bindings/api.md +214 -0
- package/skills/cloudflare/references/bindings/configuration.md +200 -0
- package/skills/cloudflare/references/bindings/gotchas.md +210 -0
- package/skills/cloudflare/references/bindings/patterns.md +205 -0
- package/skills/cloudflare/references/bot-management/README.md +95 -0
- package/skills/cloudflare/references/bot-management/api.md +175 -0
- package/skills/cloudflare/references/bot-management/configuration.md +175 -0
- package/skills/cloudflare/references/bot-management/gotchas.md +116 -0
- package/skills/cloudflare/references/bot-management/patterns.md +181 -0
- package/skills/cloudflare/references/browser-rendering/README.md +84 -0
- package/skills/cloudflare/references/browser-rendering/api.md +108 -0
- package/skills/cloudflare/references/browser-rendering/configuration.md +78 -0
- package/skills/cloudflare/references/browser-rendering/gotchas.md +91 -0
- package/skills/cloudflare/references/browser-rendering/patterns.md +93 -0
- package/skills/cloudflare/references/c3/README.md +111 -0
- package/skills/cloudflare/references/c3/api.md +71 -0
- package/skills/cloudflare/references/c3/configuration.md +85 -0
- package/skills/cloudflare/references/c3/gotchas.md +97 -0
- package/skills/cloudflare/references/c3/patterns.md +84 -0
- package/skills/cloudflare/references/cache-reserve/README.md +150 -0
- package/skills/cloudflare/references/cache-reserve/api.md +184 -0
- package/skills/cloudflare/references/cache-reserve/configuration.md +170 -0
- package/skills/cloudflare/references/cache-reserve/gotchas.md +136 -0
- package/skills/cloudflare/references/cache-reserve/patterns.md +197 -0
- package/skills/cloudflare/references/containers/README.md +87 -0
- package/skills/cloudflare/references/containers/api.md +197 -0
- package/skills/cloudflare/references/containers/configuration.md +191 -0
- package/skills/cloudflare/references/containers/gotchas.md +182 -0
- package/skills/cloudflare/references/containers/patterns.md +204 -0
- package/skills/cloudflare/references/cron-triggers/README.md +101 -0
- package/skills/cloudflare/references/cron-triggers/api.md +224 -0
- package/skills/cloudflare/references/cron-triggers/configuration.md +190 -0
- package/skills/cloudflare/references/cron-triggers/gotchas.md +207 -0
- package/skills/cloudflare/references/cron-triggers/patterns.md +274 -0
- package/skills/cloudflare/references/d1/README.md +137 -0
- package/skills/cloudflare/references/d1/api.md +213 -0
- package/skills/cloudflare/references/d1/configuration.md +198 -0
- package/skills/cloudflare/references/d1/gotchas.md +98 -0
- package/skills/cloudflare/references/d1/patterns.md +240 -0
- package/skills/cloudflare/references/ddos/README.md +42 -0
- package/skills/cloudflare/references/ddos/api.md +158 -0
- package/skills/cloudflare/references/ddos/configuration.md +94 -0
- package/skills/cloudflare/references/ddos/gotchas.md +114 -0
- package/skills/cloudflare/references/ddos/patterns.md +220 -0
- package/skills/cloudflare/references/decision-trees.md +95 -0
- package/skills/cloudflare/references/do-storage/README.md +79 -0
- package/skills/cloudflare/references/do-storage/api.md +107 -0
- package/skills/cloudflare/references/do-storage/configuration.md +114 -0
- package/skills/cloudflare/references/do-storage/gotchas.md +153 -0
- package/skills/cloudflare/references/do-storage/patterns.md +210 -0
- package/skills/cloudflare/references/do-storage/testing.md +186 -0
- package/skills/cloudflare/references/durable-objects/README.md +194 -0
- package/skills/cloudflare/references/durable-objects/api.md +205 -0
- package/skills/cloudflare/references/durable-objects/configuration.md +160 -0
- package/skills/cloudflare/references/durable-objects/gotchas.md +200 -0
- package/skills/cloudflare/references/durable-objects/patterns.md +205 -0
- package/skills/cloudflare/references/email-routing/README.md +89 -0
- package/skills/cloudflare/references/email-routing/api.md +192 -0
- package/skills/cloudflare/references/email-routing/configuration.md +187 -0
- package/skills/cloudflare/references/email-routing/gotchas.md +203 -0
- package/skills/cloudflare/references/email-routing/patterns.md +241 -0
- package/skills/cloudflare/references/email-workers/README.md +153 -0
- package/skills/cloudflare/references/email-workers/api.md +227 -0
- package/skills/cloudflare/references/email-workers/configuration.md +115 -0
- package/skills/cloudflare/references/email-workers/gotchas.md +133 -0
- package/skills/cloudflare/references/email-workers/patterns.md +108 -0
- package/skills/cloudflare/references/graphql-api/README.md +147 -0
- package/skills/cloudflare/references/graphql-api/api.md +175 -0
- package/skills/cloudflare/references/graphql-api/configuration.md +151 -0
- package/skills/cloudflare/references/graphql-api/gotchas.md +111 -0
- package/skills/cloudflare/references/graphql-api/patterns.md +276 -0
- package/skills/cloudflare/references/hyperdrive/README.md +84 -0
- package/skills/cloudflare/references/hyperdrive/api.md +149 -0
- package/skills/cloudflare/references/hyperdrive/configuration.md +166 -0
- package/skills/cloudflare/references/hyperdrive/gotchas.md +77 -0
- package/skills/cloudflare/references/hyperdrive/patterns.md +203 -0
- package/skills/cloudflare/references/images/README.md +65 -0
- package/skills/cloudflare/references/images/api.md +101 -0
- package/skills/cloudflare/references/images/configuration.md +206 -0
- package/skills/cloudflare/references/images/gotchas.md +106 -0
- package/skills/cloudflare/references/images/patterns.md +126 -0
- package/skills/cloudflare/references/kv/README.md +90 -0
- package/skills/cloudflare/references/kv/api.md +163 -0
- package/skills/cloudflare/references/kv/configuration.md +148 -0
- package/skills/cloudflare/references/kv/gotchas.md +133 -0
- package/skills/cloudflare/references/kv/patterns.md +195 -0
- package/skills/cloudflare/references/miniflare/README.md +113 -0
- package/skills/cloudflare/references/miniflare/api.md +204 -0
- package/skills/cloudflare/references/miniflare/configuration.md +174 -0
- package/skills/cloudflare/references/miniflare/gotchas.md +179 -0
- package/skills/cloudflare/references/miniflare/patterns.md +187 -0
- package/skills/cloudflare/references/network-interconnect/README.md +104 -0
- package/skills/cloudflare/references/network-interconnect/api.md +220 -0
- package/skills/cloudflare/references/network-interconnect/configuration.md +123 -0
- package/skills/cloudflare/references/network-interconnect/gotchas.md +175 -0
- package/skills/cloudflare/references/network-interconnect/patterns.md +174 -0
- package/skills/cloudflare/references/observability/README.md +93 -0
- package/skills/cloudflare/references/observability/api.md +168 -0
- package/skills/cloudflare/references/observability/configuration.md +178 -0
- package/skills/cloudflare/references/observability/gotchas.md +125 -0
- package/skills/cloudflare/references/observability/patterns.md +105 -0
- package/skills/cloudflare/references/pages/README.md +92 -0
- package/skills/cloudflare/references/pages/api.md +205 -0
- package/skills/cloudflare/references/pages/configuration.md +216 -0
- package/skills/cloudflare/references/pages/gotchas.md +218 -0
- package/skills/cloudflare/references/pages/patterns.md +215 -0
- package/skills/cloudflare/references/pages-functions/README.md +104 -0
- package/skills/cloudflare/references/pages-functions/api.md +159 -0
- package/skills/cloudflare/references/pages-functions/configuration.md +130 -0
- package/skills/cloudflare/references/pages-functions/gotchas.md +102 -0
- package/skills/cloudflare/references/pages-functions/patterns.md +148 -0
- package/skills/cloudflare/references/pipelines/README.md +109 -0
- package/skills/cloudflare/references/pipelines/api.md +214 -0
- package/skills/cloudflare/references/pipelines/configuration.md +98 -0
- package/skills/cloudflare/references/pipelines/gotchas.md +84 -0
- package/skills/cloudflare/references/pipelines/patterns.md +87 -0
- package/skills/cloudflare/references/product-index.md +112 -0
- package/skills/cloudflare/references/pulumi/README.md +113 -0
- package/skills/cloudflare/references/pulumi/api.md +230 -0
- package/skills/cloudflare/references/pulumi/configuration.md +213 -0
- package/skills/cloudflare/references/pulumi/gotchas.md +205 -0
- package/skills/cloudflare/references/pulumi/patterns.md +260 -0
- package/skills/cloudflare/references/queues/README.md +99 -0
- package/skills/cloudflare/references/queues/api.md +211 -0
- package/skills/cloudflare/references/queues/configuration.md +151 -0
- package/skills/cloudflare/references/queues/gotchas.md +210 -0
- package/skills/cloudflare/references/queues/patterns.md +220 -0
- package/skills/cloudflare/references/r2/README.md +97 -0
- package/skills/cloudflare/references/r2/api.md +235 -0
- package/skills/cloudflare/references/r2/configuration.md +176 -0
- package/skills/cloudflare/references/r2/gotchas.md +190 -0
- package/skills/cloudflare/references/r2/patterns.md +203 -0
- package/skills/cloudflare/references/r2-data-catalog/README.md +157 -0
- package/skills/cloudflare/references/r2-data-catalog/api.md +199 -0
- package/skills/cloudflare/references/r2-data-catalog/configuration.md +205 -0
- package/skills/cloudflare/references/r2-data-catalog/gotchas.md +170 -0
- package/skills/cloudflare/references/r2-data-catalog/patterns.md +191 -0
- package/skills/cloudflare/references/r2-sql/README.md +138 -0
- package/skills/cloudflare/references/r2-sql/SKILL.md.backup +512 -0
- package/skills/cloudflare/references/r2-sql/api.md +159 -0
- package/skills/cloudflare/references/r2-sql/configuration.md +152 -0
- package/skills/cloudflare/references/r2-sql/gotchas.md +228 -0
- package/skills/cloudflare/references/r2-sql/patterns.md +230 -0
- package/skills/cloudflare/references/realtime-sfu/README.md +66 -0
- package/skills/cloudflare/references/realtime-sfu/api.md +164 -0
- package/skills/cloudflare/references/realtime-sfu/configuration.md +141 -0
- package/skills/cloudflare/references/realtime-sfu/gotchas.md +138 -0
- package/skills/cloudflare/references/realtime-sfu/patterns.md +187 -0
- package/skills/cloudflare/references/realtimekit/README.md +118 -0
- package/skills/cloudflare/references/realtimekit/api.md +234 -0
- package/skills/cloudflare/references/realtimekit/configuration.md +226 -0
- package/skills/cloudflare/references/realtimekit/gotchas.md +206 -0
- package/skills/cloudflare/references/realtimekit/patterns.md +240 -0
- package/skills/cloudflare/references/sandbox/README.md +104 -0
- package/skills/cloudflare/references/sandbox/api.md +200 -0
- package/skills/cloudflare/references/sandbox/configuration.md +154 -0
- package/skills/cloudflare/references/sandbox/gotchas.md +201 -0
- package/skills/cloudflare/references/sandbox/patterns.md +195 -0
- package/skills/cloudflare/references/secrets-store/README.md +77 -0
- package/skills/cloudflare/references/secrets-store/api.md +199 -0
- package/skills/cloudflare/references/secrets-store/configuration.md +187 -0
- package/skills/cloudflare/references/secrets-store/gotchas.md +97 -0
- package/skills/cloudflare/references/secrets-store/patterns.md +218 -0
- package/skills/cloudflare/references/smart-placement/README.md +143 -0
- package/skills/cloudflare/references/smart-placement/api.md +192 -0
- package/skills/cloudflare/references/smart-placement/configuration.md +202 -0
- package/skills/cloudflare/references/smart-placement/gotchas.md +180 -0
- package/skills/cloudflare/references/smart-placement/patterns.md +190 -0
- package/skills/cloudflare/references/snippets/README.md +74 -0
- package/skills/cloudflare/references/snippets/api.md +214 -0
- package/skills/cloudflare/references/snippets/configuration.md +239 -0
- package/skills/cloudflare/references/snippets/gotchas.md +104 -0
- package/skills/cloudflare/references/snippets/patterns.md +135 -0
- package/skills/cloudflare/references/spectrum/README.md +52 -0
- package/skills/cloudflare/references/spectrum/api.md +184 -0
- package/skills/cloudflare/references/spectrum/configuration.md +203 -0
- package/skills/cloudflare/references/spectrum/gotchas.md +155 -0
- package/skills/cloudflare/references/spectrum/patterns.md +206 -0
- package/skills/cloudflare/references/static-assets/README.md +65 -0
- package/skills/cloudflare/references/static-assets/api.md +201 -0
- package/skills/cloudflare/references/static-assets/configuration.md +186 -0
- package/skills/cloudflare/references/static-assets/gotchas.md +164 -0
- package/skills/cloudflare/references/static-assets/patterns.md +189 -0
- package/skills/cloudflare/references/stream/README.md +123 -0
- package/skills/cloudflare/references/stream/api-live.md +202 -0
- package/skills/cloudflare/references/stream/api.md +206 -0
- package/skills/cloudflare/references/stream/configuration.md +151 -0
- package/skills/cloudflare/references/stream/gotchas.md +139 -0
- package/skills/cloudflare/references/stream/patterns.md +217 -0
- package/skills/cloudflare/references/tail-workers/README.md +92 -0
- package/skills/cloudflare/references/tail-workers/api.md +203 -0
- package/skills/cloudflare/references/tail-workers/configuration.md +178 -0
- package/skills/cloudflare/references/tail-workers/gotchas.md +206 -0
- package/skills/cloudflare/references/tail-workers/patterns.md +190 -0
- package/skills/cloudflare/references/terraform/README.md +100 -0
- package/skills/cloudflare/references/terraform/api.md +178 -0
- package/skills/cloudflare/references/terraform/configuration.md +197 -0
- package/skills/cloudflare/references/terraform/gotchas.md +150 -0
- package/skills/cloudflare/references/terraform/patterns.md +174 -0
- package/skills/cloudflare/references/tunnel/README.md +137 -0
- package/skills/cloudflare/references/tunnel/api.md +205 -0
- package/skills/cloudflare/references/tunnel/configuration.md +163 -0
- package/skills/cloudflare/references/tunnel/gotchas.md +159 -0
- package/skills/cloudflare/references/tunnel/networking.md +174 -0
- package/skills/cloudflare/references/tunnel/patterns.md +199 -0
- package/skills/cloudflare/references/turn/README.md +86 -0
- package/skills/cloudflare/references/turn/api.md +236 -0
- package/skills/cloudflare/references/turn/configuration.md +181 -0
- package/skills/cloudflare/references/turn/gotchas.md +236 -0
- package/skills/cloudflare/references/turn/patterns.md +228 -0
- package/skills/cloudflare/references/turnstile/README.md +102 -0
- package/skills/cloudflare/references/turnstile/api.md +253 -0
- package/skills/cloudflare/references/turnstile/configuration.md +242 -0
- package/skills/cloudflare/references/turnstile/gotchas.md +253 -0
- package/skills/cloudflare/references/turnstile/patterns.md +195 -0
- package/skills/cloudflare/references/vectorize/README.md +133 -0
- package/skills/cloudflare/references/vectorize/api.md +89 -0
- package/skills/cloudflare/references/vectorize/configuration.md +91 -0
- package/skills/cloudflare/references/vectorize/gotchas.md +83 -0
- package/skills/cloudflare/references/vectorize/patterns.md +92 -0
- package/skills/cloudflare/references/waf/README.md +125 -0
- package/skills/cloudflare/references/waf/api.md +203 -0
- package/skills/cloudflare/references/waf/configuration.md +215 -0
- package/skills/cloudflare/references/waf/gotchas.md +208 -0
- package/skills/cloudflare/references/waf/patterns.md +236 -0
- package/skills/cloudflare/references/web-analytics/README.md +149 -0
- package/skills/cloudflare/references/web-analytics/configuration.md +81 -0
- package/skills/cloudflare/references/web-analytics/gotchas.md +86 -0
- package/skills/cloudflare/references/web-analytics/integration.md +63 -0
- package/skills/cloudflare/references/web-analytics/patterns.md +98 -0
- package/skills/cloudflare/references/workerd/README.md +85 -0
- package/skills/cloudflare/references/workerd/api.md +219 -0
- package/skills/cloudflare/references/workerd/configuration.md +200 -0
- package/skills/cloudflare/references/workerd/gotchas.md +151 -0
- package/skills/cloudflare/references/workerd/patterns.md +205 -0
- package/skills/cloudflare/references/workers/README.md +110 -0
- package/skills/cloudflare/references/workers/api.md +197 -0
- package/skills/cloudflare/references/workers/configuration.md +184 -0
- package/skills/cloudflare/references/workers/frameworks.md +200 -0
- package/skills/cloudflare/references/workers/gotchas.md +145 -0
- package/skills/cloudflare/references/workers/patterns.md +220 -0
- package/skills/cloudflare/references/workers-ai/README.md +206 -0
- package/skills/cloudflare/references/workers-ai/api.md +115 -0
- package/skills/cloudflare/references/workers-ai/configuration.md +98 -0
- package/skills/cloudflare/references/workers-ai/gotchas.md +130 -0
- package/skills/cloudflare/references/workers-ai/patterns.md +122 -0
- package/skills/cloudflare/references/workers-for-platforms/README.md +95 -0
- package/skills/cloudflare/references/workers-for-platforms/api.md +212 -0
- package/skills/cloudflare/references/workers-for-platforms/configuration.md +178 -0
- package/skills/cloudflare/references/workers-for-platforms/gotchas.md +134 -0
- package/skills/cloudflare/references/workers-for-platforms/patterns.md +210 -0
- package/skills/cloudflare/references/workers-playground/README.md +131 -0
- package/skills/cloudflare/references/workers-playground/api.md +101 -0
- package/skills/cloudflare/references/workers-playground/configuration.md +169 -0
- package/skills/cloudflare/references/workers-playground/gotchas.md +88 -0
- package/skills/cloudflare/references/workers-playground/patterns.md +134 -0
- package/skills/cloudflare/references/workers-vpc/README.md +130 -0
- package/skills/cloudflare/references/workers-vpc/api.md +196 -0
- package/skills/cloudflare/references/workers-vpc/configuration.md +151 -0
- package/skills/cloudflare/references/workers-vpc/gotchas.md +171 -0
- package/skills/cloudflare/references/workers-vpc/patterns.md +235 -0
- package/skills/cloudflare/references/workflows/README.md +72 -0
- package/skills/cloudflare/references/workflows/api.md +237 -0
- package/skills/cloudflare/references/workflows/configuration.md +158 -0
- package/skills/cloudflare/references/workflows/gotchas.md +97 -0
- package/skills/cloudflare/references/workflows/patterns.md +245 -0
- package/skills/cloudflare/references/wrangler/README.md +143 -0
- package/skills/cloudflare/references/wrangler/api.md +188 -0
- package/skills/cloudflare/references/wrangler/configuration.md +198 -0
- package/skills/cloudflare/references/wrangler/gotchas.md +212 -0
- package/skills/cloudflare/references/wrangler/patterns.md +211 -0
- package/skills/cloudflare/references/zaraz/IMPLEMENTATION_SUMMARY.md +131 -0
- package/skills/cloudflare/references/zaraz/README.md +114 -0
- package/skills/cloudflare/references/zaraz/api.md +118 -0
- package/skills/cloudflare/references/zaraz/configuration.md +94 -0
- package/skills/cloudflare/references/zaraz/gotchas.md +88 -0
- package/skills/cloudflare/references/zaraz/patterns.md +77 -0
- package/skills/docker/SKILL.md +7 -101
- package/skills/docker/references/advanced-examples.md +71 -0
- package/skills/docker/references/templates.md +34 -0
- package/skills/docs-marketer/SKILL.md +178 -0
- package/skills/docs-marketer/references/audit-categories.md +328 -0
- package/skills/docs-marketer/references/copilot-docs-prompts.md +88 -0
- package/skills/docs-marketer/references/copilot-usage.md +16 -0
- package/skills/docs-marketer/references/feedback-loop.md +155 -0
- package/skills/docs-marketer/references/multi-pass-docs-protocol.md +410 -0
- package/skills/drizzle-orm/SKILL.md +82 -0
- package/skills/durable-objects/SKILL.md +167 -0
- package/skills/durable-objects/references/advanced_features.md +29 -0
- package/skills/durable-objects/references/rules.md +300 -0
- package/skills/durable-objects/references/testing.md +261 -0
- package/skills/durable-objects/references/workers.md +336 -0
- package/skills/gcp/SKILL.md +37 -0
- package/skills/github-actions/SKILL.md +5 -58
- package/skills/github-actions/references/templates.md +65 -0
- package/skills/github-commander/SKILL.md +13 -21
- package/skills/github-commander/workflows/copilot-audit.md +12 -12
- package/skills/github-copilot-cli/SKILL.md +21 -26
- package/skills/github-repo-setup/SKILL.md +136 -0
- package/skills/github-repo-setup/references/community-standards.md +136 -0
- package/skills/github-repo-setup/references/github-automation.md +490 -0
- package/skills/github-repo-setup/references/inline-templates.md +205 -0
- package/skills/github-repo-setup/references/project-config.md +320 -0
- package/skills/gitlab/SKILL.md +7 -2
- package/skills/gitlab/package-lock.json +389 -389
- package/skills/golang/SKILL.md +8 -1
- package/skills/graphql/SKILL.md +30 -0
- package/skills/hono/SKILL.md +82 -0
- package/skills/journal-optimizer/SKILL.md +206 -0
- package/skills/journal-optimizer/references/optimizer-scripts.md +169 -0
- package/skills/llm-app-engineering/SKILL.md +18 -0
- package/skills/monorepo/SKILL.md +56 -0
- package/skills/multi-agent-orchestration/SKILL.md +14 -0
- package/skills/mysql/SKILL.md +6 -2
- package/skills/next-best-practices/SKILL.md +86 -0
- package/skills/next-best-practices/references/cache-components-examples.md +234 -0
- package/skills/next-best-practices/references/cache-components.md +210 -0
- package/skills/next-best-practices/references/upgrade-decision-tree.md +33 -0
- package/skills/next-best-practices/references/upgrade.md +43 -0
- package/skills/next-cache-components/SKILL.md +441 -0
- package/skills/next-upgrade/SKILL.md +43 -0
- package/skills/next-upgrade/references/decision-tree.md +33 -0
- package/skills/nodejs/SKILL.md +46 -0
- package/skills/opentelemetry/SKILL.md +62 -0
- package/skills/package.json +39 -4
- package/skills/playwright-standard/SKILL.md +6 -11
- package/skills/playwright-standard/references/locators.md +7 -0
- package/skills/postgres/SKILL.md +6 -1
- package/skills/python/SKILL.md +8 -70
- package/skills/python/references/advanced-patterns.md +37 -0
- package/skills/python/references/config-templates.md +48 -0
- package/skills/rag-pipelines/SKILL.md +14 -0
- package/skills/redis/SKILL.md +31 -0
- package/skills/render/SKILL.md +35 -0
- package/skills/rust/SKILL.md +15 -25
- package/skills/rust/references/borrow-checker.md +13 -0
- package/skills/rust/references/ecosystem.md +11 -0
- package/skills/sandbox-sdk/SKILL.md +186 -0
- package/skills/sandbox-sdk/references/api-quick-ref.md +113 -0
- package/skills/sandbox-sdk/references/examples.md +52 -0
- package/skills/shadcn-ui/SKILL.md +22 -57
- package/skills/skill-builder/SKILL.md +23 -424
- package/skills/skill-builder/references/tutorial.md +457 -0
- package/skills/sqlite/SKILL.md +16 -5
- package/skills/table.md +59 -0
- package/skills/tailwind-css/SKILL.md +11 -60
- package/skills/tailwind-css/references/component-patterns.md +52 -0
- package/skills/trpc/SKILL.md +56 -0
- package/skills/typescript/SKILL.md +30 -433
- package/skills/typescript/references/tutorial.md +453 -0
- package/skills/vercel-ai-sdk/SKILL.md +48 -0
- package/skills/vitest-standard/SKILL.md +5 -11
- package/skills/vitest-standard/references/assertions.md +11 -0
- package/skills/web-perf/SKILL.md +207 -0
- package/skills/workers-best-practices/SKILL.md +120 -0
- package/skills/workers-best-practices/references/anti-patterns.md +18 -0
- package/skills/workers-best-practices/references/review.md +174 -0
- package/skills/workers-best-practices/references/rules.md +485 -0
- package/skills/wrangler/SKILL.md +43 -0
- package/skills/wrangler/references/cli-commands.md +861 -0
- package/skills/zod/SKILL.md +48 -0
- package/dist/tools-P4VGG4FH.js +0 -1
- package/skills/react-best-practices/AGENTS.md +0 -2883
- package/skills/react-best-practices/SKILL.md +0 -138
- /package/skills/{react-best-practices → next-best-practices}/README.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/metadata.json +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/_sections.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/_template.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/advanced-event-handler-refs.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/advanced-init-once.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/advanced-use-latest.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/async-api-routes.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/async-defer-await.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/async-dependencies.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/async-parallel.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/async-suspense-boundaries.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/bundle-barrel-imports.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/bundle-conditional.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/bundle-defer-third-party.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/bundle-dynamic-imports.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/bundle-preload.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/client-event-listeners.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/client-localstorage-schema.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/client-passive-event-listeners.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/client-swr-dedup.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/js-batch-dom-css.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/js-cache-function-results.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/js-cache-property-access.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/js-cache-storage.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/js-combine-iterations.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/js-early-exit.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/js-hoist-regexp.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/js-index-maps.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/js-length-check-first.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/js-min-max-loop.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/js-set-map-lookups.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/js-tosorted-immutable.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rendering-activity.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rendering-animate-svg-wrapper.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rendering-conditional-render.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rendering-content-visibility.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rendering-hoist-jsx.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rendering-hydration-no-flicker.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rendering-hydration-suppress-warning.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rendering-svg-precision.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rendering-usetransition-loading.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rerender-defer-reads.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rerender-dependencies.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rerender-derived-state-no-effect.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rerender-derived-state.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rerender-functional-setstate.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rerender-lazy-state-init.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rerender-memo-with-default-value.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rerender-memo.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rerender-move-effect-to-event.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rerender-simple-expression-in-memo.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rerender-transitions.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/rerender-use-ref-transient-values.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/server-after-nonblocking.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/server-auth-actions.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/server-cache-lru.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/server-cache-react.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/server-dedup-props.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/server-parallel-fetching.md +0 -0
- /package/skills/{react-best-practices → next-best-practices}/rules/server-serialization.md +0 -0
|
@@ -0,0 +1,359 @@
|
|
|
1
|
+
# OAuth 2.1 Reference — MCP Builder Skill
|
|
2
|
+
|
|
3
|
+
> Production-tested OAuth 2.1 implementation pattern for MCP servers. Standardized across db-mcp, mysql-mcp, postgres-mcp, and memory-journal-mcp (March 2026).
|
|
4
|
+
|
|
5
|
+
## When to Implement
|
|
6
|
+
|
|
7
|
+
Add OAuth when the MCP server:
|
|
8
|
+
|
|
9
|
+
- Exposes an **HTTP transport** accessible over a network
|
|
10
|
+
- Needs **multi-tenant access control** (different clients get different permissions)
|
|
11
|
+
- Requires **production-grade security** beyond simple shared token auth
|
|
12
|
+
|
|
13
|
+
OAuth is **opt-in** — servers always support a fallback chain: OAuth → simple token (`MCP_AUTH_TOKEN`) → no auth.
|
|
14
|
+
|
|
15
|
+
## Architecture Overview
|
|
16
|
+
|
|
17
|
+
```
|
|
18
|
+
┌──────────────────────────────────────────────────────────────┐
|
|
19
|
+
│ HTTP Request Pipeline │
|
|
20
|
+
│ │
|
|
21
|
+
│ Request ──► Security Headers ──► Rate Limiter │
|
|
22
|
+
│ │ │
|
|
23
|
+
│ ▼ │
|
|
24
|
+
│ Public Path? ──(yes)──► /.well-known/* ──► RFC 9728 metadata│
|
|
25
|
+
│ │ /health ──► Health check │
|
|
26
|
+
│ │(no) │
|
|
27
|
+
│ ▼ │
|
|
28
|
+
│ Extract Bearer Token (Authorization header) │
|
|
29
|
+
│ │ │
|
|
30
|
+
│ ┌────┴────┐ │
|
|
31
|
+
│ │ OAuth? │──(yes)──► JWT Validation (JWKS/jose) │
|
|
32
|
+
│ └────┬────┘ ├─ Signature verification │
|
|
33
|
+
│ │(no) ├─ Issuer/audience/expiry checks │
|
|
34
|
+
│ │ └─ Scope extraction → req.auth │
|
|
35
|
+
│ ▼ │
|
|
36
|
+
│ Token Auth? ──(MCP_AUTH_TOKEN set)──► Simple comparison │
|
|
37
|
+
│ │(no) │
|
|
38
|
+
│ ▼ │
|
|
39
|
+
│ No Auth ──► Allow all requests │
|
|
40
|
+
│ │
|
|
41
|
+
│ Route Handler ──► Scope Enforcement (tool group → scope) │
|
|
42
|
+
└──────────────────────────────────────────────────────────────┘
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
## Module Structure (`src/auth/` — 11 files)
|
|
46
|
+
|
|
47
|
+
| File | Purpose | Lines |
|
|
48
|
+
| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ----- |
|
|
49
|
+
| `types.ts` | RFC 9728/8414/7591 type definitions, config interfaces | ~250 |
|
|
50
|
+
| `errors.ts` | OAuth error hierarchy (`OAuthError` extends server base class + `httpStatus`, `wwwAuthenticate`, `AUTH_` prefixed codes) | ~200 |
|
|
51
|
+
| `scopes.ts` | Scope definitions, hierarchy, tool group → scope mapping, utilities | ~200 |
|
|
52
|
+
| `token-validator.ts` | JWT validation via `jose`, JWKS caching, claim extraction | ~275 |
|
|
53
|
+
| `oauth-resource-server.ts` | RFC 9728 Protected Resource Metadata endpoint | ~170 |
|
|
54
|
+
| `authorization-server-discovery.ts` | RFC 8414 metadata discovery with TTL caching | ~260 |
|
|
55
|
+
| `scope-map.ts` | O(1) reverse lookup: tool name → required scope | ~50 |
|
|
56
|
+
| `auth-context.ts` | `AsyncLocalStorage` per-request auth context | ~50 |
|
|
57
|
+
| `middleware.ts` | Express middleware for token extraction & scope enforcement | ~520 |
|
|
58
|
+
| `transport-agnostic.ts` | Transport-agnostic auth utilities (`createAuthenticatedContext`, `validateAuth`, `formatOAuthError`) | ~100 |
|
|
59
|
+
| `index.ts` | Barrel re-exports | ~40 |
|
|
60
|
+
|
|
61
|
+
> [!TIP]
|
|
62
|
+
> **Auth module submodule variant:** For complex servers (db-mcp), `middleware.ts` → `middleware/index.ts` and `scopes.ts` → `scopes/index.ts` when these files exceed ~500 lines. All other files remain flat.
|
|
63
|
+
|
|
64
|
+
## RFC Compliance
|
|
65
|
+
|
|
66
|
+
| RFC | Component | What It Does |
|
|
67
|
+
| ------------ | ----------------------------------- | -------------------------------------------------------------------------------------------------------------------------- |
|
|
68
|
+
| **RFC 9728** | `oauth-resource-server.ts` | Serves `GET /.well-known/oauth-protected-resource` — tells clients which auth servers to use and what scopes are supported |
|
|
69
|
+
| **RFC 8414** | `authorization-server-discovery.ts` | Fetches `GET {issuer}/.well-known/oauth-authorization-server` — discovers token/JWKS endpoints |
|
|
70
|
+
| **RFC 7591** | `types.ts` | Type definitions for dynamic client registration (optional) |
|
|
71
|
+
| **RFC 8707** | Token validation | Resource Indicators — binds tokens to specific MCP server URIs |
|
|
72
|
+
|
|
73
|
+
### Client ID Metadata Documents (CIMDs) — MCP 2025-11-25
|
|
74
|
+
|
|
75
|
+
The **preferred** client registration mechanism. Clients use HTTPS URLs as `client_id`, pointing to a JSON metadata document. This addresses the common MCP scenario where servers and clients have no pre-existing relationship.
|
|
76
|
+
|
|
77
|
+
**Client requirements:**
|
|
78
|
+
|
|
79
|
+
- Host metadata at an HTTPS URL with a path component (e.g., `https://app.example.com/client.json`)
|
|
80
|
+
- Document MUST include: `client_id`, `client_name`, `redirect_uris`
|
|
81
|
+
- `client_id` value must match the document URL exactly
|
|
82
|
+
|
|
83
|
+
**Server requirements:**
|
|
84
|
+
|
|
85
|
+
- Fetch metadata when encountering URL-formatted `client_id`
|
|
86
|
+
- Validate `client_id` matches URL exactly
|
|
87
|
+
- Cache metadata respecting HTTP cache headers
|
|
88
|
+
- Validate redirect URIs against the metadata document
|
|
89
|
+
|
|
90
|
+
```json
|
|
91
|
+
{
|
|
92
|
+
"client_id": "https://app.example.com/oauth/client-metadata.json",
|
|
93
|
+
"client_name": "Example MCP Client",
|
|
94
|
+
"redirect_uris": ["http://127.0.0.1:3000/callback"],
|
|
95
|
+
"grant_types": ["authorization_code"],
|
|
96
|
+
"response_types": ["code"],
|
|
97
|
+
"token_endpoint_auth_method": "none"
|
|
98
|
+
}
|
|
99
|
+
```
|
|
100
|
+
|
|
101
|
+
### Resource Indicators (RFC 8707) — MCP 2025-11-25
|
|
102
|
+
|
|
103
|
+
MCP clients MUST include the `resource` parameter in both authorization and token requests to bind tokens to a specific MCP server:
|
|
104
|
+
|
|
105
|
+
- Use the canonical URI of the target MCP server
|
|
106
|
+
- Prevents token replay across different servers
|
|
107
|
+
- Authorization servers validate the `resource` parameter matches expected values
|
|
108
|
+
|
|
109
|
+
### Incremental Scope Consent — MCP 2025-11-25
|
|
110
|
+
|
|
111
|
+
Support step-up authorization for runtime scope escalation:
|
|
112
|
+
|
|
113
|
+
**Server-side (403 response):**
|
|
114
|
+
|
|
115
|
+
```http
|
|
116
|
+
HTTP/1.1 403 Forbidden
|
|
117
|
+
WWW-Authenticate: Bearer error="insufficient_scope",
|
|
118
|
+
scope="files:read files:write",
|
|
119
|
+
resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource"
|
|
120
|
+
```
|
|
121
|
+
|
|
122
|
+
**Scope inclusion strategies:**
|
|
123
|
+
| Strategy | What to include |
|
|
124
|
+
|----------|----------------|
|
|
125
|
+
| Minimum | Only newly-required scopes + existing required scopes |
|
|
126
|
+
| Recommended | Existing + newly required scopes (prevents losing permissions) |
|
|
127
|
+
| Extended | Existing + new + commonly related scopes |
|
|
128
|
+
|
|
129
|
+
**Client-side (step-up flow):**
|
|
130
|
+
|
|
131
|
+
1. Parse error info from `WWW-Authenticate` header
|
|
132
|
+
2. Determine required scopes from `scope` parameter or fallback to `scopes_supported`
|
|
133
|
+
3. Re-authorize with expanded scope set
|
|
134
|
+
4. Retry original request (with retry limit to avoid loops)
|
|
135
|
+
|
|
136
|
+
## Scope Model
|
|
137
|
+
|
|
138
|
+
### Three-Tier Hierarchy
|
|
139
|
+
|
|
140
|
+
```
|
|
141
|
+
full (superscope — grants everything)
|
|
142
|
+
└── admin
|
|
143
|
+
└── write
|
|
144
|
+
└── read
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
Each scope **inherits** all scopes below it: `admin` grants `write` + `read`.
|
|
148
|
+
|
|
149
|
+
### Tool Group → Scope Mapping
|
|
150
|
+
|
|
151
|
+
Map each tool group to a single scope. The mapping is server-specific but follows this pattern:
|
|
152
|
+
|
|
153
|
+
| Scope | Typical Tool Groups | Rationale |
|
|
154
|
+
| ------- | ------------------------------------------------------------- | --------------------------------------------------- |
|
|
155
|
+
| `read` | core, search, analytics, relationships, export, introspection | Read-only operations |
|
|
156
|
+
| `write` | github, team, migration | Mutations to external systems |
|
|
157
|
+
| `admin` | admin, backup, codemode | Destructive, administrative, or elevated operations |
|
|
158
|
+
|
|
159
|
+
**Implementation pattern** (`scopes.ts`):
|
|
160
|
+
|
|
161
|
+
```typescript
|
|
162
|
+
export const TOOL_GROUP_SCOPES: Record<string, string> = {
|
|
163
|
+
core: 'read',
|
|
164
|
+
search: 'read',
|
|
165
|
+
analytics: 'read',
|
|
166
|
+
admin: 'admin',
|
|
167
|
+
backup: 'admin',
|
|
168
|
+
codemode: 'admin',
|
|
169
|
+
// ... server-specific groups
|
|
170
|
+
}
|
|
171
|
+
```
|
|
172
|
+
|
|
173
|
+
### Reverse Lookup (`scope-map.ts`)
|
|
174
|
+
|
|
175
|
+
Build an O(1) map from individual tool names → required scope at startup:
|
|
176
|
+
|
|
177
|
+
```typescript
|
|
178
|
+
const toolScopeMap = new Map<string, string>()
|
|
179
|
+
for (const [group, tools] of Object.entries(TOOL_GROUPS)) {
|
|
180
|
+
const scope = TOOL_GROUP_SCOPES[group] ?? 'admin'
|
|
181
|
+
for (const toolName of tools) {
|
|
182
|
+
toolScopeMap.set(toolName, scope)
|
|
183
|
+
}
|
|
184
|
+
}
|
|
185
|
+
|
|
186
|
+
export function getRequiredScope(toolName: string): string {
|
|
187
|
+
return toolScopeMap.get(toolName) ?? 'admin' // Fail-closed: unknown tools require admin
|
|
188
|
+
}
|
|
189
|
+
```
|
|
190
|
+
|
|
191
|
+
## Error Hierarchy
|
|
192
|
+
|
|
193
|
+
All OAuth errors extend the server's base error class (e.g., `OAuthError extends DbMcpError`) with `httpStatus` and `wwwAuthenticate`:
|
|
194
|
+
|
|
195
|
+
```typescript
|
|
196
|
+
{Server}McpError (base — code, category, suggestion, recoverable, toResponse())
|
|
197
|
+
└── OAuthError (adds httpStatus, wwwAuthenticate; category auto-inferred from status)
|
|
198
|
+
├── TokenMissingError → 401, AUTH_TOKEN_MISSING, category: authentication
|
|
199
|
+
├── InvalidTokenError → 401, AUTH_TOKEN_INVALID, category: authentication
|
|
200
|
+
├── TokenExpiredError → 401, AUTH_TOKEN_EXPIRED, category: authentication
|
|
201
|
+
├── InvalidSignatureError → 401, AUTH_SIGNATURE_INVALID, category: authentication
|
|
202
|
+
├── InsufficientScopeError → 403, AUTH_SCOPE_DENIED, category: authorization
|
|
203
|
+
├── AuthServerDiscoveryError → 503, AUTH_DISCOVERY_FAILED, category: internal
|
|
204
|
+
├── JwksFetchError → 503, AUTH_JWKS_FETCH_FAILED, category: internal
|
|
205
|
+
└── ClientRegistrationError → 500, AUTH_REGISTRATION_FAILED, category: internal
|
|
206
|
+
```
|
|
207
|
+
|
|
208
|
+
**Key changes from March 2026 harmonization:**
|
|
209
|
+
|
|
210
|
+
- All error codes prefixed with `AUTH_` (e.g., `TOKEN_MISSING` → `AUTH_TOKEN_MISSING`)
|
|
211
|
+
- Category auto-inferred: 401 → `AUTHENTICATION`, 403 → `AUTHORIZATION`, 5xx → `INTERNAL`
|
|
212
|
+
- `toResponse()` inherited from base class returns full `ErrorResponse` with code, category, suggestion, recoverable
|
|
213
|
+
- Deprecated standalone `getWWWAuthenticateHeader()` utility — removed from barrel export
|
|
214
|
+
|
|
215
|
+
> [!TIP]
|
|
216
|
+
> OAuthError extends the server's typed base class. The only server-specific customization is the `extends` declaration (e.g., `extends DbMcpError` vs `extends PostgresMcpError`). All other OAuth error logic is portable.
|
|
217
|
+
|
|
218
|
+
## Token Validation (`token-validator.ts`)
|
|
219
|
+
|
|
220
|
+
Uses `jose` (transitive dependency via `@modelcontextprotocol/sdk`) — no extra install needed.
|
|
221
|
+
|
|
222
|
+
Key behaviors:
|
|
223
|
+
|
|
224
|
+
- Creates `createRemoteJWKSet()` once with TTL-based caching
|
|
225
|
+
- Validates with `jwtVerify(token, jwks, { issuer, audience, clockTolerance })`
|
|
226
|
+
- Extracts scopes from `scope` claim (space-delimited string) or `scopes` claim (array)
|
|
227
|
+
- Maps `jose` error classes → typed OAuth errors:
|
|
228
|
+
- `JWTExpired` → `TokenExpiredError`
|
|
229
|
+
- `JWSSignatureVerificationFailed` → `InvalidTokenError`
|
|
230
|
+
- `JWTClaimValidationFailed` → `InvalidTokenError`
|
|
231
|
+
|
|
232
|
+
## Middleware Pattern (`middleware.ts`)
|
|
233
|
+
|
|
234
|
+
The middleware file exports both **Express-specific** and **transport-agnostic** utilities:
|
|
235
|
+
|
|
236
|
+
### Express Middleware
|
|
237
|
+
|
|
238
|
+
```typescript
|
|
239
|
+
// Main auth middleware — extracts + validates Bearer token
|
|
240
|
+
createAuthMiddleware(config) → RequestHandler
|
|
241
|
+
|
|
242
|
+
// Scope enforcement
|
|
243
|
+
requireScope(scope) → RequestHandler // Single scope check
|
|
244
|
+
requireAnyScope(scopes) → RequestHandler // Any of multiple scopes
|
|
245
|
+
requireToolScope(tool) → RequestHandler // Tool-specific scope via scope-map
|
|
246
|
+
|
|
247
|
+
// Error handler (add after routes)
|
|
248
|
+
oauthErrorHandler → ErrorRequestHandler
|
|
249
|
+
```
|
|
250
|
+
|
|
251
|
+
### Transport-Agnostic Utilities
|
|
252
|
+
|
|
253
|
+
```typescript
|
|
254
|
+
// For any transport (stdio, HTTP, WebSocket, etc.)
|
|
255
|
+
extractBearerToken(authHeader) → string | null
|
|
256
|
+
createAuthenticatedContext(authHeader, validator) → AuthenticatedContext
|
|
257
|
+
validateAuth(authHeader, validator, options) → AuthenticatedContext // throws
|
|
258
|
+
formatOAuthError(error) → { status, body }
|
|
259
|
+
```
|
|
260
|
+
|
|
261
|
+
### Public Path Exemption
|
|
262
|
+
|
|
263
|
+
```typescript
|
|
264
|
+
// Well-known paths are ALWAYS public (RFC requirement)
|
|
265
|
+
if (path.startsWith('/.well-known/')) return true
|
|
266
|
+
// Health endpoint is always public
|
|
267
|
+
if (path === '/health') return true
|
|
268
|
+
```
|
|
269
|
+
|
|
270
|
+
## CLI Flags & Environment Variables
|
|
271
|
+
|
|
272
|
+
| CLI Flag | Env Variable | Default | Description |
|
|
273
|
+
| ----------------------------- | ----------------------- | ------- | -------------------- |
|
|
274
|
+
| `--oauth-enabled` | `OAUTH_ENABLED` | `false` | Enable OAuth 2.1 |
|
|
275
|
+
| `--oauth-issuer <url>` | `OAUTH_ISSUER` | — | Issuer URL |
|
|
276
|
+
| `--oauth-audience <aud>` | `OAUTH_AUDIENCE` | — | Expected audience |
|
|
277
|
+
| `--oauth-jwks-uri <url>` | `OAUTH_JWKS_URI` | — | JWKS endpoint |
|
|
278
|
+
| `--oauth-clock-tolerance <s>` | `OAUTH_CLOCK_TOLERANCE` | `30` | Clock skew tolerance |
|
|
279
|
+
|
|
280
|
+
**Wiring in `cli.ts`:**
|
|
281
|
+
|
|
282
|
+
```typescript
|
|
283
|
+
.option('--oauth-enabled', 'Enable OAuth 2.1', false)
|
|
284
|
+
.option('--oauth-issuer <url>', 'OAuth issuer URL', process.env.OAUTH_ISSUER)
|
|
285
|
+
.option('--oauth-audience <aud>', 'JWT audience', process.env.OAUTH_AUDIENCE)
|
|
286
|
+
// ... pass these through ServerOptions → HttpTransportConfig
|
|
287
|
+
```
|
|
288
|
+
|
|
289
|
+
## Server Integration Pattern
|
|
290
|
+
|
|
291
|
+
In `server.ts` (the HTTP transport), conditionally wire OAuth:
|
|
292
|
+
|
|
293
|
+
```typescript
|
|
294
|
+
// 1. Always register the RFC 9728 metadata endpoint
|
|
295
|
+
app.get('/.well-known/oauth-protected-resource', resourceServer.getMetadataHandler())
|
|
296
|
+
|
|
297
|
+
// 2. Conditionally apply OAuth middleware
|
|
298
|
+
if (config.oauthEnabled) {
|
|
299
|
+
const tokenValidator = new TokenValidator({ issuer, audience, jwksUri, clockTolerance })
|
|
300
|
+
const authMiddleware = createAuthMiddleware({ tokenValidator, resourceServer })
|
|
301
|
+
app.use(authMiddleware)
|
|
302
|
+
} else if (config.authToken) {
|
|
303
|
+
// Simple token auth fallback — uses crypto.timingSafeEqual, NOT raw ===
|
|
304
|
+
app.use(basicTokenMiddleware(config.authToken))
|
|
305
|
+
}
|
|
306
|
+
```
|
|
307
|
+
|
|
308
|
+
## Testing Patterns (`src/auth/__tests__/` — 8 files)
|
|
309
|
+
|
|
310
|
+
| Test File | What It Covers |
|
|
311
|
+
| ---------------------------------------- | ---------------------------------------------------------------------------- |
|
|
312
|
+
| `errors.test.ts` | Error hierarchy, HTTP status codes, WWW-Authenticate headers, type guards |
|
|
313
|
+
| `scopes.test.ts` | Scope hierarchy, parsing, validation, tool group mapping, accessible tools |
|
|
314
|
+
| `scope-map.test.ts` | O(1) reverse lookup, full coverage of all tool groups |
|
|
315
|
+
| `token-validator.test.ts` | JWT validation (mocked `jose`), scope parsing, error mapping, JWKS cache |
|
|
316
|
+
| `auth-context.test.ts` | AsyncLocalStorage context, isolation between requests |
|
|
317
|
+
| `oauth-resource-server.test.ts` | RFC 9728 metadata, caching, scope support, accessors |
|
|
318
|
+
| `authorization-server-discovery.test.ts` | RFC 8414 discovery (mocked `fetch`), caching, validation |
|
|
319
|
+
| `middleware.test.ts` | Token extraction, scope enforcement, error handler, transport-agnostic utils |
|
|
320
|
+
|
|
321
|
+
**Mocking strategy:**
|
|
322
|
+
|
|
323
|
+
- Mock `jose` module for token validation tests (avoid real JWKS)
|
|
324
|
+
- Mock `globalThis.fetch` for discovery tests (avoid real network)
|
|
325
|
+
- Use `as never` casts for Express req/res in middleware tests
|
|
326
|
+
|
|
327
|
+
**Token Validation Hardening:**
|
|
328
|
+
|
|
329
|
+
- **JWT claims sanitization:** In `token-validator.ts`, filter prototype-polluting keys (`__proto__`, `constructor`, `prototype`) from JWT payload before spreading into `TokenClaims`. This prevents prototype pollution attacks via crafted JWT tokens.
|
|
330
|
+
- **Constant-time token comparison:** In `basicTokenMiddleware`, use `crypto.timingSafeEqual(Buffer.from(provided), Buffer.from(expected))` with a length pre-check. Short-circuiting on different lengths is acceptable since length is not the secret.
|
|
331
|
+
- **Bearer auth scope limitation:** Emit a startup warning when simple bearer auth (`--auth-token`) is configured: `"Simple token auth does not enforce per-tool scopes. Use OAuth 2.1 for granular access control."` This prevents operators from assuming bearer tokens provide scope-level access control.
|
|
332
|
+
|
|
333
|
+
## Integration Checklist
|
|
334
|
+
|
|
335
|
+
When adding OAuth to a new MCP server:
|
|
336
|
+
|
|
337
|
+
- [ ] Create `src/auth/` directory with all 11 files
|
|
338
|
+
- [ ] Add `jose` to dependencies (or verify it's a transitive dep of `@modelcontextprotocol/sdk`)
|
|
339
|
+
- [ ] Define server-specific `TOOL_GROUP_SCOPES` in `scopes.ts`
|
|
340
|
+
- [ ] Build `scope-map.ts` from your server's `TOOL_GROUPS`
|
|
341
|
+
- [ ] Add 5 OAuth CLI flags to `cli.ts` with env var fallbacks
|
|
342
|
+
- [ ] Add OAuth fields to `HttpTransportConfig` and `ServerOptions`
|
|
343
|
+
- [ ] Wire OAuth middleware into `server.ts` with conditional enablement
|
|
344
|
+
- [ ] Register `/.well-known/oauth-protected-resource` endpoint
|
|
345
|
+
- [ ] Write 8 test files in `src/auth/__tests__/`
|
|
346
|
+
- [ ] Update README, DOCKER_README, wiki (Security + HTTP-Transport)
|
|
347
|
+
- [ ] Add CHANGELOG entry
|
|
348
|
+
|
|
349
|
+
## Documentation Updates
|
|
350
|
+
|
|
351
|
+
When adding OAuth, update these documentation sections:
|
|
352
|
+
|
|
353
|
+
| Doc | Updates Needed |
|
|
354
|
+
| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
355
|
+
| **README.md** | Add OAuth well-known to endpoint table, OAuth to security features, OAuth env vars, dedicated OAuth 2.1 section (compliance table + scopes + quick start) |
|
|
356
|
+
| **DOCKER_README.md** | Same endpoint table, security features, env vars, Docker run example with `-e OAUTH_*` |
|
|
357
|
+
| **Wiki/Security.md** | Full OAuth section (enabling, how it works, fallback), update access control levels, add to self-audit checklist |
|
|
358
|
+
| **Wiki/HTTP-Transport.md** | OAuth endpoint in table, 5 OAuth CLI flags in configuration reference |
|
|
359
|
+
| **CHANGELOG.md** | OAuth 2.1 module entry under `[Unreleased]` |
|
|
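Review bot: the `cli.ts` wiring at new-file line 283 gives `--oauth-enabled` a literal `false` default and never reads `OAUTH_ENABLED`, although the table at line 274 lists that variable. Because the fallback chain ends in "No Auth ──► Allow all requests" (line 39), a deployment that sets only the environment variable would start with OAuth off and, with no `MCP_AUTH_TOKEN`, unauthenticated. Derive the default from `process.env.OAUTH_ENABLED` the same way the issuer and audience options do, and consider a startup warning for the no-auth branch like the one already proposed for simple token auth. Three smaller points: line 229 maps `JWSSignatureVerificationFailed` to `InvalidTokenError` while the hierarchy at line 201 defines `InvalidSignatureError` (`AUTH_SIGNATURE_INVALID`) for that case, so one of the two should change. The public-path check at line 265, `if (path.startsWith('/.well-known/')) return true`, exempts every route under the prefix, while the integration pattern registers only `/.well-known/oauth-protected-resource`, so an exact match on the registered paths would be tighter. The constant-time comparison bullet at line 330 should state that the length pre-check compares the byte lengths of the two Buffers, since `crypto.timingSafeEqual` throws when they differ.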
@@ -0,0 +1,208 @@
|
|
|
1
|
+
# Reference Architecture
|
|
2
|
+
|
|
3
|
+
Canonical directory layout for MCP servers in the fleet. All new servers should converge toward this structure.
|
|
4
|
+
|
|
5
|
+
> Read this reference when scaffolding a new MCP server or reviewing project structure.
|
|
6
|
+
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
## Directory Layout
|
|
10
|
+
|
|
11
|
+
```
|
|
12
|
+
src/
|
|
13
|
+
├── cli.ts # CLI entry point (delegates to cli/ submodules)
|
|
14
|
+
├── index.ts # Barrel re-export for library consumers
|
|
15
|
+
│
|
|
16
|
+
├── cli/ # CLI submodules (split when cli.ts >300 lines)
|
|
17
|
+
│ ├── args.ts # Argument parsing, transport selection
|
|
18
|
+
│ ├── config.ts # DB/OAuth config builders
|
|
19
|
+
│ ├── server.ts # stdio/HTTP server starters
|
|
20
|
+
│ └── index.ts # Barrel
|
|
21
|
+
│
|
|
22
|
+
├── server/
|
|
23
|
+
│ ├── mcp-server.ts # McpServer setup, adapter registration
|
|
24
|
+
│ ├── built-in-tools.ts # Built-in tool registration (server_info, server_health, list_adapters)
|
|
25
|
+
│ ├── help-resources.ts # Help resource registration (filtered by --tool-filter)
|
|
26
|
+
│ └── audit-tools.ts # Audit resource + snapshot resource registration (when audit enabled)
|
|
27
|
+
│
|
|
28
|
+
├── types/ # Core TS types (barrel: types/index.ts)
|
|
29
|
+
│ ├── adapters.ts # ToolDefinition, ResourceDefinition, PromptDefinition
|
|
30
|
+
│ ├── auth.ts # OAuthConfig, OAuthScope, TokenClaims
|
|
31
|
+
│ ├── database.ts # DatabaseConfig, QueryResult, ColumnInfo, TableInfo
|
|
32
|
+
│ ├── errors.ts # {Server}McpError base + subclasses (adapter-style flat)
|
|
33
|
+
│ ├── filtering.ts # ToolGroup, MetaGroup, ToolFilterRule
|
|
34
|
+
│ ├── server.ts # TransportType, McpServerConfig
|
|
35
|
+
│ └── index.ts # Barrel (also re-exports error classes)
|
|
36
|
+
│
|
|
37
|
+
├── constants/
|
|
38
|
+
│ ├── server-instructions.ts # Generated or runtime: slim INSTRUCTIONS + HELP_CONTENT/GOTCHAS_CONTENT
|
|
39
|
+
│ ├── server-instructions.md # (Hybrid approach) Single source markdown for instruction levels
|
|
40
|
+
│ └── server-instructions/ # (Build-time approach) Per-group .md source files
|
|
41
|
+
│
|
|
42
|
+
├── filtering/
|
|
43
|
+
│ ├── tool-constants.ts # (Optional) TOOL_GROUPS arrays, META_GROUPS shortcuts — split when imported by 3+ modules
|
|
44
|
+
│ └── tool-filter.ts # ToolFilter class (may include group constants for simpler servers)
|
|
45
|
+
│
|
|
46
|
+
├── utils/
|
|
47
|
+
│ ├── annotations.ts # MCP tool annotation helpers
|
|
48
|
+
│ ├── icons.ts # MCP icon definitions per tool group
|
|
49
|
+
│ ├── identifiers.ts # SQL identifier validation/sanitization
|
|
50
|
+
│ ├── where-clause.ts # WHERE clause builder/validator
|
|
51
|
+
│ ├── fts-config.ts # FTS configuration name validation (SQL injection prevention)
|
|
52
|
+
│ ├── query-helpers.ts # coerceNumber(), coerceLimit(), buildLimitClause(), DEFAULT_QUERY_LIMIT, toStr()
|
|
53
|
+
│ ├── validate-path.ts # Path traversal validation (backup, dump, restore, attach tools)
|
|
54
|
+
│ ├── insights-manager.ts # In-memory insights memo (memo://insights resource)
|
|
55
|
+
│ ├── progress-utils.ts # MCP progress notification helpers (sendProgress, buildProgressContext)
|
|
56
|
+
│ ├── resource-annotations.ts # Resource annotation presets (HIGH/MEDIUM/LOW_PRIORITY, ASSISTANT_FOCUSED)
|
|
57
|
+
│ ├── error-suggestions.ts # Pattern-based error suggestions + findSuggestion() (auto-refinement)
|
|
58
|
+
│ ├── version.ts # SSoT version (reads package.json via createRequire)
|
|
59
|
+
│ ├── index.ts # Barrel
|
|
60
|
+
│ ├── errors/ # Error class hierarchy (non-adapter servers — full decomposition)
|
|
61
|
+
│ │ ├── base.ts # Abstract base — auto-refines generic codes
|
|
62
|
+
│ │ ├── categories.ts # ErrorCategory enum + ErrorResponse interface
|
|
63
|
+
│ │ ├── classes.ts # Concrete error subclasses
|
|
64
|
+
│ │ ├── error-response-fields.ts # ErrorFieldsMixin (SSoT)
|
|
65
|
+
│ │ ├── format.ts # formatHandlerError()
|
|
66
|
+
│ │ ├── suggestions.ts # Fuzzy typo hints
|
|
67
|
+
│ │ └── index.ts
|
|
68
|
+
│ └── logger/ # Logger (subdirectory for complex servers)
|
|
69
|
+
│ ├── logger.ts # Structured JSON logger
|
|
70
|
+
│ ├── module-logger.ts # createModuleLogger() factory
|
|
71
|
+
│ ├── error-codes.ts # Module-prefixed codes
|
|
72
|
+
│ ├── types.ts
|
|
73
|
+
│ └── index.ts
|
|
74
|
+
│
|
|
75
|
+
├── pool/ # DB connection pool (separate from adapter)
|
|
76
|
+
│ └── connection-pool.ts # Pool manager with health checks
|
|
77
|
+
│
|
|
78
|
+
├── auth/ # OAuth 2.1 implementation (11 files)
|
|
79
|
+
│ ├── auth-context.ts # AsyncLocalStorage per-request auth context
|
|
80
|
+
│ ├── authorization-server-discovery.ts # RFC 8414 metadata discovery with TTL caching
|
|
81
|
+
│ ├── errors.ts # OAuthError extends server base class (httpStatus, wwwAuthenticate)
|
|
82
|
+
│ ├── middleware.ts # Express middleware — token extraction, scope enforcement, error handler
|
|
83
|
+
│ ├── oauth-resource-server.ts # RFC 9728 /.well-known/oauth-protected-resource
|
|
84
|
+
│ ├── scope-map.ts # O(1) reverse lookup: tool name → required scope
|
|
85
|
+
│ ├── scopes.ts # Scope definitions, hierarchy, tool group → scope mapping
|
|
86
|
+
│ ├── token-validator.ts # JWT validation via jose, JWKS caching, claim extraction
|
|
87
|
+
│ ├── transport-agnostic.ts # Transport-agnostic auth utilities (createAuthenticatedContext, validateAuth)
|
|
88
|
+
│ ├── types.ts # RFC 9728/8414/7591 type definitions, config interfaces
|
|
89
|
+
│ └── index.ts # Barrel
|
|
90
|
+
│ # Variant for complex auth (db-mcp): middleware.ts → middleware/index.ts, scopes.ts → scopes/index.ts
|
|
91
|
+
│
|
|
92
|
+
├── audit/ # Audit logging subsystem (servers with --audit-log)
|
|
93
|
+
│ ├── types.ts # AuditEntry, AuditConfig, AuditStats interfaces
|
|
94
|
+
│ ├── logger.ts # Async-buffered JSONL writer with log rotation
|
|
95
|
+
│ ├── interceptor.ts # AuditInterceptor — scope-based tool invocation filtering
|
|
96
|
+
│ ├── backup-manager.ts # Pre-mutation DDL snapshot generator (.tar.gz compressed)
|
|
97
|
+
│ └── index.ts # Barrel
|
|
98
|
+
│
|
|
99
|
+
├── transports/
|
|
100
|
+
│ ├── index.ts # Barrel
|
|
101
|
+
│ └── http/
|
|
102
|
+
│ ├── server.ts # HTTP/SSE transport orchestrator (route registration, server lifecycle)
|
|
103
|
+
│ ├── streamable.ts # Streamable HTTP transport handler (POST/GET/DELETE /mcp)
|
|
104
|
+
│ ├── stateless.ts # Stateless HTTP transport handler (serverless mode)
|
|
105
|
+
│ ├── legacy-sse.ts # Legacy SSE transport handler (GET /sse, POST /messages)
|
|
106
|
+
│ ├── handlers.ts # Route handlers (health, 404, shared utilities)
|
|
107
|
+
│ ├── security.ts # Security headers, rate limiting, CORS, DNS rebinding, body parsing
|
|
108
|
+
│ ├── types.ts # Config interfaces, constants, timeout constants
|
|
109
|
+
│ └── index.ts # Barrel
|
|
110
|
+
│
|
|
111
|
+
├── codemode/ # Code Mode sandbox (10 files for non-adapter, 5+api/ for adapter)
|
|
112
|
+
│ ├── sandbox.ts # SandboxPool lifecycle (LRU script cache, vm.createContext)
|
|
113
|
+
│ ├── sandbox-factory.ts # Runtime mode selection (CodeModeSandbox or WorkerSandbox)
|
|
114
|
+
│ ├── auto-return.ts # Last-expression auto-return transform (IIFE helper)
|
|
115
|
+
│ ├── worker-sandbox.ts # Worker thread (MessagePort RPC, resource limits, hard timeout)
|
|
116
|
+
│ ├── worker-script.ts # Worker entry point (async Proxy API, vm isolation)
|
|
117
|
+
│ ├── api.ts # Tool API bridge — non-adapter servers (single file + api-constants.ts)
|
|
118
|
+
│ ├── api-constants.ts # JSON-RPC codes, method names, aliases, examples, positional maps
|
|
119
|
+
│ ├── security.ts # Code validation, blocked patterns, rate limiting, result size
|
|
120
|
+
│ ├── types.ts # SandboxOptions, PoolOptions, SecurityConfig, RPC types
|
|
121
|
+
│ └── index.ts # Barrel
|
|
122
|
+
│ # Adapter servers with large tool sets (50+ tools) use api/ subdirectory instead:
|
|
123
|
+
│ # api/
|
|
124
|
+
│ # index.ts # Main API bridge — exposes tools to sandbox
|
|
125
|
+
│ # maps.ts # Tool name → handler function mapping
|
|
126
|
+
│ # group-api.ts # Per-group API surface generation
|
|
127
|
+
│ # aliases.ts # Tool alias resolution
|
|
128
|
+
│ # normalize.ts # Parameter normalization utilities
|
|
129
|
+
│
|
|
130
|
+
├── adapters/ # Adapter-based servers (db-mcp, postgres-mcp, mysql-mcp)
|
|
131
|
+
│ ├── database-adapter.ts # Abstract base class
|
|
132
|
+
│ ├── query-validation.ts # SELECT vs write detection
|
|
133
|
+
│ └── {engine}/
|
|
134
|
+
│ ├── {engine}-adapter.ts # Concrete adapter
|
|
135
|
+
│ ├── transaction-operations.ts # Transaction helper operations (extracted from adapter)
|
|
136
|
+
│ ├── index.ts # Barrel
|
|
137
|
+
│ ├── schema-operations/ # Schema introspection queries
|
|
138
|
+
│ │ ├── describe.ts # Table/column metadata queries
|
|
139
|
+
│ │ ├── list.ts # List tables/schemas/indexes
|
|
140
|
+
│ │ └── index.ts # Barrel
|
|
141
|
+
│ ├── schemas/ # Zod schemas (per group, never inline)
|
|
142
|
+
│ │ ├── error-response-fields.ts # ErrorFieldsMixin (SSoT — adapter servers store here)
|
|
143
|
+
│ │ └── {group}/ # One subdirectory per tool group
|
|
144
|
+
│ ├── prompts/ # MCP prompts
|
|
145
|
+
│ ├── resources/ # MCP resources
|
|
146
|
+
│ └── tools/ # Tool handler files (per group subdirectories)
|
|
147
|
+
│ ├── column-validation.ts # Shared existence validators
|
|
148
|
+
│ ├── core/error-parser.ts # Engine-specific error code mapping
|
|
149
|
+
│ ├── core/error-helpers.ts # formatHandlerError() orchestrator
|
|
150
|
+
│ └── {group}/ # One subdirectory per tool group
|
|
151
|
+
│
|
|
152
|
+
├── handlers/ # Non-adapter servers (e.g., memory-journal-mcp)
|
|
153
|
+
│ ├── tools/ # Tool handlers (per-group files or subdirectories)
|
|
154
|
+
│ │ ├── index.ts # getTools() / callTool() dispatch, tool map cache
|
|
155
|
+
│ │ ├── schemas.ts # Shared Zod schemas (cross-group)
|
|
156
|
+
│ │ ├── error-fields-mixin.ts # Re-export stub → utils/errors/error-response-fields.ts
|
|
157
|
+
│ │ ├── {group}.ts # Single-file tool groups
|
|
158
|
+
│ │ ├── {group}/ # Multi-file tool groups (e.g., github/, team/)
|
|
159
|
+
│ │ └── team/ # Team DB mirrored tools (if multi-DB)
|
|
160
|
+
│ ├── resources/ # MCP Resource handlers
|
|
161
|
+
│ │ ├── index.ts # Resource registration barrel
|
|
162
|
+
│ │ ├── shared.ts # Shared helpers (formatters, renderers)
|
|
163
|
+
│ │ ├── help.ts # Dynamic help resources ({prefix}://help)
|
|
164
|
+
│ │ ├── templates.ts # URI template resources
|
|
165
|
+
│ │ ├── {domain}.ts # Domain resources (github.ts, graph.ts, team.ts)
|
|
166
|
+
│ │ └── core/ # Core static resources
|
|
167
|
+
│ │ ├── briefing/ # Briefing system (modular sections)
|
|
168
|
+
│ │ ├── health.ts # Health resource
|
|
169
|
+
│ │ └── utilities.ts # Utility resources
|
|
170
|
+
│ └── prompts/ # MCP Prompt handlers
|
|
171
|
+
│ ├── index.ts
|
|
172
|
+
│ ├── workflow.ts
|
|
173
|
+
│ └── {domain}.ts
|
|
174
|
+
```
|
|
175
|
+
|
|
176
|
+
---
|
|
177
|
+
|
|
178
|
+
## Structural Rules
|
|
179
|
+
|
|
180
|
+
- Every directory has `index.ts` barrel
|
|
181
|
+
- Imports use `.js` extension (ESM)
|
|
182
|
+
- After splitting `foo.ts` → `foo/` directory: update imports from `./foo.js` → `./foo/index.js`
|
|
183
|
+
- Output schemas: one file per tool group, never inline
|
|
184
|
+
- **Error hierarchy (two valid patterns):**
|
|
185
|
+
- _Non-adapter servers_ (db-mcp, memory-journal-mcp): Full `utils/errors/` decomposition (7 files) with `ErrorFieldsMixin` in `error-response-fields.ts`
|
|
186
|
+
- _Adapter servers_ (postgres-mcp, mysql-mcp): Flat `types/errors.ts` with `ErrorFieldsMixin` in `schemas/error-response-fields.ts`
|
|
187
|
+
- Both patterns use the same auto-refinement mechanism and `formatHandlerError()` — the difference is organizational
|
|
188
|
+
- **Logger (two valid patterns):**
|
|
189
|
+
- _Complex servers_: `utils/logger/` subdirectory (5 files: logger, module-logger, error-codes, types, index)
|
|
190
|
+
- _Simpler servers_: Flat `utils/logger.ts` + `utils/module-logger.ts` (2 files)
|
|
191
|
+
- Error classes: importable from both direct path and `types/` barrel (re-exported subset)
|
|
192
|
+
- Shared helpers: `column-validation.ts`, `helpers.ts`, `schemas.ts` per group — no tools registered in these files
|
|
193
|
+
- Connection pool: separate `pool/` directory when pool management has its own lifecycle (health checks, size tuning)
|
|
194
|
+
- Engine error parser: `tools/core/error-parser.ts` maps DB-native error codes to structured errors
|
|
195
|
+
- **Codemode API bridge (two valid patterns):**
|
|
196
|
+
- _Non-adapter servers_: Single `api.ts` + `api-constants.ts` (aliases, examples, positional maps co-located)
|
|
197
|
+
- _Adapter servers_ (50+ tools): `api/` subdirectory with dedicated `maps.ts`, `group-api.ts`, `aliases.ts`, `normalize.ts`
|
|
198
|
+
- **Server file extraction (progressive decomposition):**
|
|
199
|
+
- When `mcp-server.ts` exceeds ~400 lines, extract into `server/` with dedicated files:
|
|
200
|
+
- `built-in-tools.ts` — server_info, server_health, list_adapters registration
|
|
201
|
+
- `help-resources.ts` — help resource registration filtered by `--tool-filter`
|
|
202
|
+
- `audit-tools.ts` — audit resource + snapshot resource (when audit enabled)
|
|
203
|
+
- **Auth module (two valid patterns):**
|
|
204
|
+
- _Standard_: Flat 11-file `src/auth/` directory
|
|
205
|
+
- _Complex servers_ (db-mcp): `middleware.ts` → `middleware/index.ts` and `scopes.ts` → `scopes/index.ts` when these files exceed ~500 lines
|
|
206
|
+
- **Audit subsystem:** `src/audit/` directory (4 files + barrel) for servers with `--audit-log`. Separate from `utils/` because it has its own lifecycle (buffered writes, log rotation, graceful close)
|
|
207
|
+
- **Path validation:** `utils/validate-path.ts` for tools that accept file paths. Resolves canonical path, rejects `..` traversal, enforces `ALLOWED_IO_ROOTS` boundary
|
|
208
|
+
- **Insights manager:** `utils/insights-manager.ts` for servers with analysis/memo capabilities. In-memory bounded list exposed via `memo://insights` resource
|
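Review bot: db-mcp is classified two ways in this added file. The tree comment on `adapters/` (new line 130) lists it as an adapter-based server next to postgres-mcp and mysql-mcp, while the Error hierarchy rule (new line 185) lists it under _Non-adapter servers_ together with memory-journal-mcp. That rule decides where `ErrorFieldsMixin` lives (`utils/errors/error-response-fields.ts` or `schemas/error-response-fields.ts`), so either pick one classification or state explicitly that db-mcp is an adapter server that uses the full `utils/errors/` layout. Separately, the Path validation rule (new line 207) should say whether "Resolves canonical path" includes symlink resolution, and that the `ALLOWED_IO_ROOTS` check is applied to the resolved path. A lexical `..` rejection on its own does not cover a symlink that sits inside an allowed root and points outside it.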