morpheus-cli 0.9.32 → 0.9.40

package/dist/runtime/oauth/manager.js

@@ -0,0 +1,218 @@
+import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+import { Client } from '@modelcontextprotocol/sdk/client/index.js';
+import { DynamicStructuredTool } from '@langchain/core/tools';
+import { OAuthStore } from './store.js';
+import { MorpheusOAuthProvider } from './provider.js';
+import { DisplayManager } from '../display.js';
+const display = DisplayManager.getInstance();
+/**
+ * OAuthManager — singleton coordinating OAuth 2 flows for HTTP MCP servers.
+ *
+ * Responsibilities:
+ * - Creates MorpheusOAuthProvider per server
+ * - Tracks pending transports awaiting user authorization (auth_code flow)
+ * - Handles callback (finishAuth) after user authorizes
+ * - Provides status of all OAuth MCP servers
+ */
+export class OAuthManager {
+    static instance = null;
+    store;
+    pending = new Map();
+    redirectUri;
+    notifyFn = null;
+    constructor(port) {
+        this.store = OAuthStore.getInstance();
+        this.redirectUri = `http://localhost:${port}/api/oauth/callback`;
+    }
+    static getInstance(port) {
+        if (!OAuthManager.instance) {
+            if (!port)
+                throw new Error('OAuthManager.getInstance() requires port on first call');
+            OAuthManager.instance = new OAuthManager(port);
+        }
+        return OAuthManager.instance;
+    }
+    static resetInstance() {
+        OAuthManager.instance = null;
+    }
+    /** Set the notification function (called when user needs to authorize) */
+    setNotifyFn(fn) {
+        this.notifyFn = fn;
+    }
+    getRedirectUri() {
+        return this.redirectUri;
+    }
+    // ── Connection ────────────────────────────────────────
+    /**
+     * Attempt to connect to an HTTP MCP server with OAuth support.
+     * Returns loaded tools if successful, or empty array if auth is pending.
+     */
+    async connectHttpMcp(serverName, serverUrl, oauth2Config, extraHeaders) {
+        const provider = new MorpheusOAuthProvider(serverName, this.store, async (url) => {
+            display.log(`MCP '${serverName}' requires OAuth authorization`, {
+                level: 'info',
+                source: 'OAuth',
+                meta: { url: url.toString() },
+            });
+            if (this.notifyFn) {
+                await this.notifyFn(serverName, url);
+            }
+        }, this.redirectUri, oauth2Config?.scope, oauth2Config?.client_id, oauth2Config?.client_secret, oauth2Config?.grant_type);
+        const transportUrl = new URL(serverUrl);
+        const transport = new StreamableHTTPClientTransport(transportUrl, {
+            authProvider: provider,
+            requestInit: extraHeaders ? { headers: extraHeaders } : undefined,
+        });
+        try {
+            const client = new Client({ name: `morpheus-${serverName}`, version: '1.0.0' });
+            await client.connect(transport);
+            // Connection succeeded — extract tools
+            const { tools: toolDefs } = await client.listTools();
+            const tools = toolDefs.map((td) => this.mcpToolToStructuredTool(serverName, td, client));
+            display.log(`OAuth MCP '${serverName}': loaded ${tools.length} tools`, {
+                level: 'info',
+                source: 'OAuth',
+            });
+            return { tools, authPending: false };
+        }
+        catch (error) {
+            // Check if auth redirect was triggered (SDK calls redirectToAuthorization)
+            if (error?.message?.includes('Unauthorized') || error?.code === 401) {
+                display.log(`OAuth MCP '${serverName}': authorization required, waiting for user`, {
+                    level: 'info',
+                    source: 'OAuth',
+                });
+                this.pending.set(serverName, { transport, provider, serverUrl });
+                return { tools: [], authPending: true };
+            }
+            // The SDK may throw after calling redirectToAuthorization for auth_code flow.
+            // Check if we have a pending state for this server (set during redirectToAuthorization).
+            const hasPkce = this.store.getLatestPkceVerifier(serverName);
+            if (hasPkce) {
+                display.log(`OAuth MCP '${serverName}': authorization redirect sent, waiting for callback`, {
+                    level: 'info',
+                    source: 'OAuth',
+                });
+                this.pending.set(serverName, { transport, provider, serverUrl });
+                return { tools: [], authPending: true };
+            }
+            throw error;
+        }
+    }
+    // ── Callback ──────────────────────────────────────────
+    /**
+     * Handle OAuth callback after user authorizes.
+     * Called by GET /api/oauth/callback?code=...&state=...
+     */
+    async finishAuth(code, state) {
+        // Resolve which server this callback is for
+        let serverName;
+        if (state) {
+            serverName = this.store.resolveServerByState(state);
+        }
+        if (!serverName) {
+            // Fallback: use the only pending server if there's just one
+            const pendingNames = [...this.pending.keys()];
+            if (pendingNames.length === 1) {
+                serverName = pendingNames[0];
+            }
+        }
+        if (!serverName) {
+            throw new Error('Could not resolve OAuth callback: unknown state parameter');
+        }
+        const entry = this.pending.get(serverName);
+        if (!entry) {
+            throw new Error(`No pending OAuth flow for server '${serverName}'`);
+        }
+        // Complete the auth flow — SDK exchanges code for token
+        await entry.transport.finishAuth(code);
+        this.pending.delete(serverName);
+        // Clean up PKCE
+        if (state)
+            this.store.deletePkce(serverName, state);
+        // Now reconnect to get tools
+        const client = new Client({ name: `morpheus-${serverName}`, version: '1.0.0' });
+        const transport = new StreamableHTTPClientTransport(new URL(entry.serverUrl), {
+            authProvider: entry.provider,
+        });
+        await client.connect(transport);
+        const { tools: toolDefs } = await client.listTools();
+        display.log(`OAuth MCP '${serverName}': authorized! ${toolDefs.length} tools available`, {
+            level: 'info',
+            source: 'OAuth',
+        });
+        return { serverName, toolCount: toolDefs.length };
+    }
+    // ── Status ────────────────────────────────────────────
+    getStatus() {
+        const statuses = [];
+        for (const name of this.store.listServers()) {
+            const tokens = this.store.getTokens(name);
+            if (!tokens) {
+                statuses.push({ name, status: this.pending.has(name) ? 'pending_auth' : 'no_token' });
+                continue;
+            }
+            // OAuthTokens may have expires_in but not expires_at — check if present
+            const expiresAt = tokens.expires_at;
+            if (expiresAt && Date.now() > expiresAt) {
+                statuses.push({ name, status: 'expired', expiresAt });
+            }
+            else {
+                statuses.push({ name, status: 'authorized', expiresAt });
+            }
+        }
+        // Add pending servers that aren't in the store yet
+        for (const name of this.pending.keys()) {
+            if (!statuses.find(s => s.name === name)) {
+                statuses.push({ name, status: 'pending_auth' });
+            }
+        }
+        return statuses;
+    }
+    isPending(serverName) {
+        return this.pending.has(serverName);
+    }
+    // ── Revoke ────────────────────────────────────────────
+    revokeToken(serverName) {
+        this.store.deleteTokens(serverName);
+        this.pending.delete(serverName);
+        display.log(`OAuth tokens revoked for MCP '${serverName}'`, {
+            level: 'info',
+            source: 'OAuth',
+        });
+    }
+    // ── Internal: convert MCP tool def to LangChain StructuredTool ──
+    mcpToolToStructuredTool(serverName, toolDef, mcpClient) {
+        const prefixedName = `${serverName}_${toolDef.name}`;
+        const originalToolName = toolDef.name;
+        // Pass raw JSON Schema directly (same approach as @langchain/mcp-adapters).
+        // Avoids Zod v4 $required serialization issues with LangChain's zodToJsonSchema.
+        const rawSchema = toolDef.inputSchema ?? { type: 'object', properties: {} };
+        if (!rawSchema.properties)
+            rawSchema.properties = {};
+        return new DynamicStructuredTool({
+            name: prefixedName,
+            description: toolDef.description || `MCP tool ${toolDef.name} from ${serverName}`,
+            schema: rawSchema,
+            func: async (input) => {
+                try {
+                    const result = await mcpClient.callTool({
+                        name: originalToolName,
+                        arguments: input,
+                    });
+                    if (Array.isArray(result.content)) {
+                        return result.content
+                            .map((c) => c.text ?? JSON.stringify(c))
+                            .join('\n');
+                    }
+                    return typeof result.content === 'string'
+                        ? result.content
+                        : JSON.stringify(result.content);
+                }
+                catch (error) {
+                    return `Error calling MCP tool ${originalToolName}: ${error.message}`;
+                }
+            },
+        });
+    }
+}

package/dist/runtime/oauth/provider.js

@@ -0,0 +1,90 @@
+import crypto from 'crypto';
+/**
+ * Morpheus implementation of OAuthClientProvider from the MCP SDK.
+ * Delegates persistence to OAuthStore and user notification to a callback.
+ */
+export class MorpheusOAuthProvider {
+    serverName;
+    store;
+    notifyUser;
+    _redirectUri;
+    _scope;
+    _clientId;
+    _clientSecret;
+    _grantType;
+    _lastState;
+    constructor(serverName, store, notifyUser, _redirectUri, _scope, _clientId, _clientSecret, _grantType) {
+        this.serverName = serverName;
+        this.store = store;
+        this.notifyUser = notifyUser;
+        this._redirectUri = _redirectUri;
+        this._scope = _scope;
+        this._clientId = _clientId;
+        this._clientSecret = _clientSecret;
+        this._grantType = _grantType;
+    }
+    get redirectUrl() {
+        if (this._grantType === 'client_credentials')
+            return undefined;
+        return this._redirectUri;
+    }
+    get clientMetadata() {
+        const meta = {
+            redirect_uris: [new URL(this._redirectUri)],
+            client_name: `Morpheus - ${this.serverName}`,
+            grant_types: this._grantType === 'client_credentials'
+                ? ['client_credentials']
+                : ['authorization_code', 'refresh_token'],
+            response_types: this._grantType === 'client_credentials' ? [] : ['code'],
+        };
+        if (this._scope)
+            meta.scope = this._scope;
+        return meta;
+    }
+    async state() {
+        this._lastState = crypto.randomUUID();
+        return this._lastState;
+    }
+    async clientInformation() {
+        // If user provided client_id, return it as pre-registered info
+        if (this._clientId) {
+            return {
+                client_id: this._clientId,
+                client_secret: this._clientSecret,
+            };
+        }
+        // Otherwise check store for dynamically registered client info
+        return this.store.getClientInfo(this.serverName);
+    }
+    async saveClientInformation(info) {
+        // OAuthClientInformationFull has client_id_issued_at
+        this.store.saveClientInfo(this.serverName, info);
+    }
+    async tokens() {
+        return this.store.getTokens(this.serverName);
+    }
+    async saveTokens(tokens) {
+        this.store.saveTokens(this.serverName, tokens);
+    }
+    async redirectToAuthorization(authorizationUrl) {
+        await this.notifyUser(authorizationUrl);
+    }
+    async saveCodeVerifier(codeVerifier) {
+        const state = this._lastState ?? '__default';
+        this.store.savePkceVerifier(this.serverName, state, codeVerifier);
+    }
+    async codeVerifier() {
+        const verifier = this.store.getLatestPkceVerifier(this.serverName);
+        if (!verifier)
+            throw new Error(`No PKCE code verifier found for ${this.serverName}`);
+        return verifier;
+    }
+    async invalidateCredentials(scope) {
+        if (scope === 'all' || scope === 'tokens') {
+            this.store.deleteTokens(this.serverName);
+        }
+        if (scope === 'all') {
+            this.store.deleteServer(this.serverName);
+        }
+    }
+}

package/dist/runtime/oauth/store.js

@@ -0,0 +1,118 @@
+import fs from 'fs';
+import path from 'path';
+import { PATHS } from '../../config/paths.js';
+/**
+ * Persists OAuth tokens, client info, and PKCE state in ~/.morpheus/oauth-tokens.json.
+ * Atomic writes (temp → rename). Lazy reads.
+ */
+export class OAuthStore {
+    static instance = null;
+    data = null;
+    filePath;
+    constructor() {
+        this.filePath = PATHS.oauthTokens;
+    }
+    static getInstance() {
+        if (!OAuthStore.instance) {
+            OAuthStore.instance = new OAuthStore();
+        }
+        return OAuthStore.instance;
+    }
+    static resetInstance() {
+        OAuthStore.instance = null;
+    }
+    // ── Read ──────────────────────────────────────────────
+    read() {
+        if (this.data)
+            return this.data;
+        try {
+            const raw = fs.readFileSync(this.filePath, 'utf-8');
+            this.data = JSON.parse(raw);
+        }
+        catch {
+            this.data = {};
+        }
+        return this.data;
+    }
+    getRecord(serverName) {
+        const data = this.read();
+        if (!data[serverName])
+            data[serverName] = {};
+        return data[serverName];
+    }
+    // ── Write ─────────────────────────────────────────────
+    persist() {
+        const dir = path.dirname(this.filePath);
+        if (!fs.existsSync(dir))
+            fs.mkdirSync(dir, { recursive: true });
+        const tmp = this.filePath + '.tmp';
+        fs.writeFileSync(tmp, JSON.stringify(this.data ?? {}, null, 2), 'utf-8');
+        fs.renameSync(tmp, this.filePath);
+    }
+    // ── Tokens ────────────────────────────────────────────
+    getTokens(serverName) {
+        return this.getRecord(serverName).tokens;
+    }
+    saveTokens(serverName, tokens) {
+        this.getRecord(serverName).tokens = tokens;
+        this.persist();
+    }
+    deleteTokens(serverName) {
+        const record = this.getRecord(serverName);
+        delete record.tokens;
+        this.persist();
+    }
+    // ── Client Info (dynamic registration) ────────────────
+    getClientInfo(serverName) {
+        return this.getRecord(serverName).clientInfo;
+    }
+    saveClientInfo(serverName, info) {
+        this.getRecord(serverName).clientInfo = info;
+        this.persist();
+    }
+    // ── PKCE ──────────────────────────────────────────────
+    savePkceVerifier(serverName, state, verifier) {
+        const record = this.getRecord(serverName);
+        if (!record.pkce)
+            record.pkce = {};
+        record.pkce[state] = verifier;
+        this.persist();
+    }
+    getPkceVerifier(serverName, state) {
+        return this.getRecord(serverName).pkce?.[state];
+    }
+    getLatestPkceVerifier(serverName) {
+        const pkce = this.getRecord(serverName).pkce;
+        if (!pkce)
+            return undefined;
+        const entries = Object.values(pkce);
+        return entries[entries.length - 1];
+    }
+    deletePkce(serverName, state) {
+        const pkce = this.getRecord(serverName).pkce;
+        if (pkce) {
+            delete pkce[state];
+            this.persist();
+        }
+    }
+    // ── Queries ───────────────────────────────────────────
+    /** List all server names with stored OAuth data */
+    listServers() {
+        return Object.keys(this.read());
+    }
+    /** Remove all data for a server */
+    deleteServer(serverName) {
+        const data = this.read();
+        delete data[serverName];
+        this.persist();
+    }
+    /** Map state → serverName for callback resolution */
+    resolveServerByState(state) {
+        const data = this.read();
+        for (const [name, record] of Object.entries(data)) {
+            if (record.pkce?.[state])
+                return name;
+        }
+        return undefined;
+    }
+}

package/dist/runtime/oauth/types.js

@@ -0,0 +1 @@
+export {};

package/dist/runtime/oracle.js

@@ -19,7 +19,7 @@ import { SetupRepository } from './setup/repository.js';
 import { buildSetupTool } from './tools/setup-tool.js';
 import { SmithDelegator } from "./smiths/delegator.js";
 import { PATHS } from "../config/paths.js";
-import { writeFileSync } from "fs";
+import { writeFile } from "fs/promises";
 export class Oracle {
     provider;
     config;
@@ -200,6 +200,13 @@ export class Oracle {
             this.registerSmithIfEnabled();
             // Refresh dynamic tool catalogs so delegate descriptions contain runtime info.
             await SubagentRegistry.refreshAllCatalogs();
+            // Eagerly initialize subagents so first delegation doesn't pay init cost.
+            await Promise.allSettled([
+                Apoc.getInstance().initialize(),
+                Neo.getInstance().initialize(),
+                Trinity.getInstance().initialize(),
+                Link.getInstance().initialize(),
+            ]);
             // Initialize setup repository (creates table if needed)
             SetupRepository.getInstance();
             const coreTools = [
@@ -459,10 +466,7 @@ ${SkillRegistry.getInstance().getSystemPromptSection()}
 ${SmithRegistry.getInstance().getSystemPromptSection()}
 `);
             //save the system prompt on ~/.morpheus/system_prompt.txt for debugging and prompt engineering purposes
-            try {
-                writeFileSync(`${PATHS.root}/system_prompt.txt`, String(systemMessage.content), 'utf-8');
-            }
-            catch { }
+            writeFile(`${PATHS.root}/system_prompt.txt`, String(systemMessage.content), 'utf-8').catch(() => { });
             // Resolve the authoritative session ID for this call.
             // Priority: explicit taskContext > current history instance > fallback.
             const currentSessionId = taskContext?.session_id
@@ -482,13 +486,20 @@ ${SmithRegistry.getInstance().getSystemPromptSection()}
             // Load existing history from database in reverse order (most recent first)
             let previousMessages = await callHistory.getMessages();
             previousMessages = previousMessages.reverse();
-            // Sati Middleware: Retrieval
+            // Sati Middleware: Retrieval (with 3s timeout to avoid blocking the response)
             let memoryMessage = null;
             try {
-                memoryMessage = await this.satiMiddleware.beforeAgent(message, previousMessages, currentSessionId);
+                const satiTimeout = new Promise((resolve) => setTimeout(() => resolve(null), 3000));
+                memoryMessage = await Promise.race([
+                    this.satiMiddleware.beforeAgent(message, previousMessages, currentSessionId),
+                    satiTimeout,
+                ]);
                 if (memoryMessage) {
                     this.display.log('Sati memory retrieved.', { source: 'Sati' });
                 }
+                else if (memoryMessage === null) {
+                    // Could be timeout or no memories found — either way, proceed
+                }
             }
             catch (e) {
                 // Fail open - do not disrupt main flow

package/dist/runtime/providers/factory.js

@@ -5,8 +5,99 @@ import { ConfigManager } from "../../config/manager.js";
 import { TaskRequestContext } from "../tasks/context.js";
 import { ChannelRegistry } from "../../channels/registry.js";
 import { getStrategy, registerStrategy } from "./strategies.js";
+import { isInteropZodSchema } from "@langchain/core/utils/types";
+import { toJsonSchema } from "@langchain/core/utils/json_schema";
 /** Channels that should NOT receive verbose tool notifications */
 const SILENT_CHANNELS = new Set(['api', 'ui']);
+/** The ONLY JSON Schema keywords the Gemini API accepts.
+ *  Anything not in this set is stripped after $ref dereferencing. */
+const GEMINI_ALLOWED_SCHEMA_FIELDS = new Set([
+    'type', 'description', 'properties', 'required',
+    'enum', 'items', 'format', 'nullable',
+    'anyOf', 'oneOf', 'allOf',
+    'minimum', 'maximum',
+]);
+/**
+ * Collect all entries from $defs and definitions into a flat lookup map.
+ */
+function collectDefs(obj, defs = {}) {
+    if (obj === null || typeof obj !== 'object' || Array.isArray(obj))
+        return defs;
+    const record = obj;
+    for (const key of ['$defs', 'definitions']) {
+        if (record[key] && typeof record[key] === 'object' && !Array.isArray(record[key])) {
+            Object.assign(defs, record[key]);
+        }
+    }
+    for (const v of Object.values(record))
+        collectDefs(v, defs);
+    return defs;
+}
+/**
+ * Resolve a $ref string like "#/$defs/Foo" or "#/definitions/Foo" to its def name.
+ */
+function resolveRef(ref) {
+    const m = ref.match(/^#\/(?:\$defs|definitions)\/(.+)$/);
+    return m ? m[1] : null;
+}
+/**
+ * Recursively strip unsupported keywords and inline $ref references.
+ */
+function sanitizeSchemaForGemini(obj, defs, depth = 0) {
+    if (depth > 20)
+        return {}; // guard against circular refs
+    if (obj === null || typeof obj !== 'object')
+        return obj;
+    if (Array.isArray(obj))
+        return obj.map((v) => sanitizeSchemaForGemini(v, defs, depth));
+    const record = obj;
+    // Inline $ref — look up and recurse into the definition
+    if ('$ref' in record && typeof record['$ref'] === 'string') {
+        const defName = resolveRef(record['$ref']);
+        if (defName && defs[defName]) {
+            return sanitizeSchemaForGemini(defs[defName], defs, depth + 1);
+        }
+        return {}; // unresolvable ref — fall back to empty schema
+    }
+    const out = {};
+    for (const [k, v] of Object.entries(record)) {
+        if (!GEMINI_ALLOWED_SCHEMA_FIELDS.has(k))
+            continue;
+        out[k] = sanitizeSchemaForGemini(v, defs, depth);
+    }
+    // Ensure every entry in `required` has a matching key in `properties`
+    if (Array.isArray(out['required']) && out['properties'] && typeof out['properties'] === 'object') {
+        const props = out['properties'];
+        out['required'] = out['required'].filter((r) => r in props);
+        if (out['required'].length === 0)
+            delete out['required'];
+    }
+    return out;
+}
+function sanitizeToolSchemasForGemini(tools) {
+    for (const tool of tools) {
+        const schema = tool.schema;
+        if (!schema || typeof schema !== 'object')
+            continue;
+        // If the schema is a Zod instance, convert to plain JSON Schema first.
+        // Otherwise LangChain recognises it as Zod and re-generates $defs.
+        let jsonSchema;
+        if (isInteropZodSchema(schema)) {
+            try {
+                jsonSchema = toJsonSchema(schema);
+            }
+            catch {
+                jsonSchema = schema;
+            }
+        }
+        else {
+            jsonSchema = schema;
+        }
+        const defs = collectDefs(jsonSchema);
+        tool.schema = sanitizeSchemaForGemini(jsonSchema, defs);
+    }
+    return tools;
+}
 export { registerStrategy };
 export class ProviderFactory {
     static buildMonitoringMiddleware() {
@@ -84,7 +175,8 @@ export class ProviderFactory {
         try {
             const model = ProviderFactory.buildModel(config);
             const middleware = ProviderFactory.buildMonitoringMiddleware();
-            return createAgent({ model, tools, middleware: [middleware] });
+            const safeTools = config.provider === 'gemini' ? sanitizeToolSchemasForGemini(tools) : tools;
+            return createAgent({ model, tools: safeTools, middleware: [middleware] });
         }
         catch (error) {
             ProviderFactory.handleProviderError(config, error);

package/dist/runtime/tasks/event-bus.js

@@ -0,0 +1,11 @@
+import { EventEmitter } from 'events';
+/**
+ * Singleton event bus for task lifecycle events.
+ * Emitted by TaskWorker, consumed by TaskNotifier for immediate dispatch.
+ *
+ * Events:
+ *   'task:ready' (taskId: string) — task is completed/failed/cancelled and ready to notify
+ */
+class TaskEventBus extends EventEmitter {
+}
+export const taskEventBus = new TaskEventBus();