ofw-mcp 2.0.13 → 2.0.15

package/dist/client.js

@@ -1,5 +1,6 @@
 import { dirname, join } from 'path';
 import { fileURLToPath } from 'url';
+import { resolveAuth } from './auth.js';
 // Load .env for local dev; silently skip if dotenv is unavailable (e.g. mcpb bundle)
 try {
     const { config } = await import('dotenv');
@@ -9,24 +10,6 @@ try {
 catch {
     // not available — rely on process.env (mcpb sets credentials via mcp_config.env)
 }
-/**
- * Read an env var, trim whitespace, and treat as unset if blank or if the value
- * looks like an unsubstituted shell placeholder (e.g. `${FOO}`) — defends
- * against MCP hosts that pass .mcp.json env blocks through unexpanded.
- */
-function readVar(key) {
-    const raw = process.env[key];
-    if (typeof raw !== 'string')
-        return undefined;
-    const trimmed = raw.trim();
-    if (trimmed.length === 0)
-        return undefined;
-    if (trimmed === 'undefined' || trimmed === 'null')
-        return undefined;
-    if (/^\$\{[^}]*\}$/.test(trimmed))
-        return undefined;
-    return trimmed;
-}
 const BASE_URL = 'https://ofw.ourfamilywizard.com';
 const OFW_PROTOCOL_HEADERS = {
     'ofw-client': 'WebApplication',
@@ -48,6 +31,19 @@ function parseContentDispositionFilename(cd) {
     const m = /filename="?([^";]+)"?/i.exec(cd);
     return m ? m[1] : null;
 }
+// Set OFW_DEBUG_LOG=1 (or true/yes/on) to log every OFW request/response to
+// stderr. Authorization is redacted. Bodies are logged in full — set this
+// only when debugging, never in normal use.
+function debugLogEnabled() {
+    const v = process.env.OFW_DEBUG_LOG;
+    return v === '1' || v === 'true' || v === 'yes' || v === 'on';
+}
+function redactHeaders(h) {
+    const out = { ...h };
+    if (out.Authorization)
+        out.Authorization = `Bearer ${out.Authorization.slice(7, 17)}…`;
+    return out;
+}
 export class OFWClient {
     token = null;
     tokenExpiry = null;
@@ -55,6 +51,9 @@ export class OFWClient {
         await this.ensureAuthenticated();
         const response = await this.fetchWithRetry(method, path, body, 'application/json', false);
         const text = await response.text();
+        if (debugLogEnabled()) {
+            console.error(`[ofw-debug] response body: ${text || '<empty>'}`);
+        }
         return (text ? JSON.parse(text) : null);
     }
     /** Like `request`, but returns the raw bytes plus Content-Type/-Disposition metadata. */
@@ -79,11 +78,25 @@ export class OFWClient {
         };
         if (body !== undefined && !isFormData)
             headers['Content-Type'] = 'application/json';
-        const response = await fetch(`${BASE_URL}${path}`, {
+        const url = `${BASE_URL}${path}`;
+        if (debugLogEnabled()) {
+            const bodyPreview = body === undefined
+                ? '<none>'
+                : isFormData
+                    ? `<FormData entries=${Array.from(body.keys()).join(',')}>`
+                    : JSON.stringify(body);
+            console.error(`[ofw-debug] → ${method} ${url}${isRetry ? ' (retry)' : ''}`);
+            console.error(`[ofw-debug]   headers: ${JSON.stringify(redactHeaders(headers))}`);
+            console.error(`[ofw-debug]   body: ${bodyPreview}`);
+        }
+        const response = await fetch(url, {
             method,
             headers,
             ...(body !== undefined ? { body: isFormData ? body : JSON.stringify(body) } : {}),
         });
+        if (debugLogEnabled()) {
+            console.error(`[ofw-debug] ← ${response.status} ${response.statusText}`);
+        }
         if (response.status === 401 && !isRetry) {
             this.token = null;
             this.tokenExpiry = null;
@@ -107,48 +120,18 @@ export class OFWClient {
             return;
         await this.login();
     }
+    // Auth resolution is delegated to `./auth.ts`. This client doesn't care
+    // whether the token came from a password POST or from a one-shot
+    // fetchproxy session-snapshot — it just consumes the result.
+    //
+    // If `expiresAt` is missing (the fetchproxy path on a tab whose
+    // browser didn't persist tokenExpiry), we fall back to the same 6h
+    // estimate the password path uses. The 401-replay path covers us if
+    // the estimate is wrong.
     async login() {
-        const username = readVar('OFW_USERNAME');
-        const password = readVar('OFW_PASSWORD');
-        if (!username || !password) {
-            throw new Error('OFW_USERNAME and OFW_PASSWORD must be set');
-        }
-        // Spring Security requires a SESSION cookie before accepting the login POST.
-        // GET /ofw/login.form with redirect:manual to capture the Set-Cookie from the 303 response.
-        const initResponse = await fetch(`${BASE_URL}/ofw/login.form`, {
-            headers: { ...OFW_PROTOCOL_HEADERS },
-            redirect: 'manual',
-        });
-        // Extract just the SESSION=value part (strip attributes like Path, Secure, etc.)
-        const setCookie = initResponse.headers.get('set-cookie') ?? '';
-        const sessionCookie = setCookie.split(';')[0];
-        const response = await fetch(`${BASE_URL}/ofw/login`, {
-            method: 'POST',
-            headers: {
-                ...OFW_PROTOCOL_HEADERS,
-                Accept: 'application/json',
-                'Content-Type': 'application/x-www-form-urlencoded',
-                ...(sessionCookie ? { Cookie: sessionCookie } : {}),
-            },
-            body: new URLSearchParams({
-                submit: 'Sign In',
-                _eventId: 'submit',
-                username,
-                password,
-            }).toString(),
-        });
-        if (!response.ok) {
-            throw new Error(`OFW login failed: ${response.status} ${response.statusText}`);
-        }
-        const contentType = response.headers.get('content-type') ?? '';
-        if (!contentType.includes('application/json')) {
-            const body = await response.text();
-            throw new Error(`OFW login returned unexpected response (${contentType}): ${body.substring(0, 200)}`);
-        }
-        const data = (await response.json());
-        this.token = data.auth;
-        // Token expiry not returned by login endpoint; use 6h as a safe default
-        this.tokenExpiry = new Date(Date.now() + 6 * 60 * 60 * 1000);
+        const { token, expiresAt } = await resolveAuth();
+        this.token = token;
+        this.tokenExpiry = expiresAt ?? new Date(Date.now() + 6 * 60 * 60 * 1000);
     }
     isTokenExpiredSoon() {
         if (!this.token || !this.tokenExpiry)

package/dist/config.js

@@ -1,12 +1,22 @@
 import { createHash } from 'node:crypto';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
-function readUsername() {
-    const raw = process.env.OFW_USERNAME;
-    if (typeof raw !== 'string' || raw.trim().length === 0) {
-        throw new Error('OFW_USERNAME must be set to derive cache path');
-    }
-    return raw.trim();
+// Cache identity drives the per-user SQLite DB filename. Order of preference:
+//   1. OFW_CACHE_IDENTITY — explicit override for users who want to label the
+//      cache themselves (e.g. when authing via fetchproxy and OFW_USERNAME is
+//      not set).
+//   2. OFW_USERNAME — legacy path; existing users keep their existing DB.
+//   3. "_default" — fallback for fetchproxy-only setups where neither is set.
+//      Single-user installs are fine on this; multi-account users should set
+//      OFW_CACHE_IDENTITY explicitly so their caches don't collide.
+function readCacheIdentity() {
+    const explicit = process.env.OFW_CACHE_IDENTITY;
+    if (typeof explicit === 'string' && explicit.trim().length > 0)
+        return explicit.trim();
+    const username = process.env.OFW_USERNAME;
+    if (typeof username === 'string' && username.trim().length > 0)
+        return username.trim();
+    return '_default';
 }
 export function getCacheDir() {
     const override = process.env.OFW_CACHE_DIR;
@@ -15,8 +25,8 @@ export function getCacheDir() {
     return join(homedir(), '.cache', 'ofw-mcp');
 }
 export function getCacheDbPath() {
-    const username = readUsername();
-    const hash = createHash('sha256').update(username).digest('hex').slice(0, 16);
+    const identity = readCacheIdentity();
+    const hash = createHash('sha256').update(identity).digest('hex').slice(0, 16);
     return join(getCacheDir(), `${hash}.db`);
 }
 export function getAttachmentsDir() {

package/dist/index.js

@@ -17,7 +17,7 @@ import { registerMessageTools } from './tools/messages.js';
 import { registerCalendarTools } from './tools/calendar.js';
 import { registerExpenseTools } from './tools/expenses.js';
 import { registerJournalTools } from './tools/journal.js';
-const server = new McpServer({ name: 'ofw', version: '2.0.13' });
+const server = new McpServer({ name: 'ofw', version: '2.0.15' });
 registerUserTools(server, client);
 registerMessageTools(server, client);
 registerCalendarTools(server, client);

package/dist/sync.js

@@ -127,10 +127,10 @@ export async function syncDrafts(client, draftsFolderId) {
     for (const item of items) {
         seenIds.add(item.id);
         const modifiedAt = item.date?.dateTime ?? new Date().toISOString();
+        // OFW's list endpoint's `date.dateTime` is NOT a reliable modification
+        // timestamp for drafts — direct UI edits don't bump it — so we can't
+        // use it to skip the detail fetch. Always re-fetch; drafts are few.
         const existing = getDraft(item.id);
-        if (existing && existing.modifiedAt === modifiedAt) {
-            continue;
-        }
         const detail = await client.request('GET', `/pub/v3/messages/${item.id}`);
         const row = {
             id: item.id,
@@ -142,7 +142,12 @@ export async function syncDrafts(client, draftsFolderId) {
             listData: item,
         };
         upsertDraft(row);
-        synced++;
+        if (!existing
+            || existing.body !== row.body
+            || existing.subject !== row.subject
+            || existing.replyToId !== row.replyToId) {
+            synced++;
+        }
     }
     for (const id of listDraftIds()) {
         if (!seenIds.has(id))

package/dist/tools/messages.js

@@ -149,7 +149,7 @@ export function registerMessageTools(server, client) {
         return jsonResponse({ ...row, attachments });
     });
     server.registerTool('ofw_send_message', {
-        description: 'Send a message via OurFamilyWizard. If sending from a draft, pass draftId to delete the draft after sending. If replyToId is provided, the cache may rewrite it to the latest reply in the same thread (a note is included in the response when this happens). Attach files by passing their fileIds (from ofw_upload_attachment) in myFileIDs.',
+        description: 'Send a message via OurFamilyWizard. If sending from a draft, pass draftId to delete the draft after sending. If replyToId is provided, the cache may rewrite it to the latest reply in the same thread (a note is included in the response when this happens). Attach files by passing their fileIds (from ofw_upload_attachment) in myFileIDs. After sending, the tool re-fetches the message from OFW to populate the local cache and link attachments to the new message id.',
         annotations: { destructiveHint: true },
         inputSchema: {
             subject: z.string().describe('Message subject'),
@@ -173,6 +173,9 @@ export function registerMessageTools(server, client) {
             chainRootId = parent?.chainRootId ?? parent?.id ?? requestedReplyTo;
         }
         const myFileIDs = args.myFileIDs ?? [];
+        // OFW's POST /pub/v3/messages response is minimal — typically just
+        // `{entityId: <id>}` — so the cache write needs to fetch detail
+        // afterwards (same shape as ofw_save_draft).
         const data = await client.request('POST', '/pub/v3/messages', {
             subject: args.subject,
             body: args.body,
@@ -182,21 +185,26 @@ export function registerMessageTools(server, client) {
             includeOriginal: resolvedReplyTo !== null,
             replyToId: resolvedReplyTo,
         });
-        if (data && typeof data.id === 'number') {
-            const row = {
-                id: data.id,
+        const newId = typeof data?.id === 'number' ? data.id
+            : typeof data?.entityId === 'number' ? data.entityId
+                : null;
+        let persisted = null;
+        if (newId !== null) {
+            const detail = await client.request('GET', `/pub/v3/messages/${newId}`);
+            persisted = {
+                id: newId,
                 folder: 'sent',
-                subject: data.subject ?? args.subject,
-                fromUser: data.from?.name ?? '',
-                sentAt: data.date?.dateTime ?? new Date().toISOString(),
-                recipients: mapRecipients(data.recipients),
-                body: data.body ?? args.body,
+                subject: detail.subject ?? args.subject,
+                fromUser: detail.from?.name ?? '',
+                sentAt: detail.date?.dateTime ?? new Date().toISOString(),
+                recipients: mapRecipients(detail.recipients),
+                body: detail.body ?? args.body,
                 fetchedBodyAt: new Date().toISOString(),
                 replyToId: resolvedReplyTo,
                 chainRootId,
-                listData: data,
+                listData: detail,
             };
-            upsertMessage(row);
+            upsertMessage(persisted);
             // Link attached files to the new message in the attachments cache.
             // We may not have full metadata if the upload happened in a prior
             // session — fall back to what we know.
@@ -209,7 +217,7 @@ export function registerMessageTools(server, client) {
                     mimeType: existing?.mimeType ?? 'application/octet-stream',
                     sizeBytes: existing?.sizeBytes ?? null,
                     metadata: existing?.metadata ?? {},
-                    messageId: data.id,
+                    messageId: newId,
                 });
             }
         }
@@ -217,7 +225,8 @@ export function registerMessageTools(server, client) {
             await deleteOFWMessages(client, [args.draftId]);
             deleteDraft(args.draftId);
         }
-        const text = data ? JSON.stringify(data, null, 2) : 'Message sent successfully.';
+        const responseObj = persisted ?? data;
+        const text = responseObj ? JSON.stringify(responseObj, null, 2) : 'Message sent successfully.';
         return textResponse(rewriteNote ? `${rewriteNote}\n\n${text}` : text);
     });
     server.registerTool('ofw_list_drafts', {
@@ -237,7 +246,7 @@ export function registerMessageTools(server, client) {
         return jsonResponse(payload);
     });
     server.registerTool('ofw_save_draft', {
-        description: 'Save a message as a draft in OurFamilyWizard. Recipients are optional. To update an existing draft, provide its messageId. If replyToId is provided, the cache may rewrite it to the latest reply in the thread (note included in response). Attach files by passing their fileIds (from ofw_upload_attachment) in myFileIDs.',
+        description: 'Save a message as a draft in OurFamilyWizard. Recipients are optional. To update an existing draft, provide its messageId. If replyToId is provided, the cache may rewrite it to the latest reply in the thread (note included in response). Attach files by passing their fileIds (from ofw_upload_attachment) in myFileIDs. After saving, the tool re-fetches the draft from OFW to populate the local cache and verify what was actually persisted; if OFW silently no-ops an update (a known issue with repeated updates to the same draft), the response includes a WARNING note with a workaround.',
         annotations: { readOnlyHint: false },
         inputSchema: {
             subject: z.string().describe('Message subject'),
@@ -269,21 +278,42 @@ export function registerMessageTools(server, client) {
         };
         if (args.messageId !== undefined)
             payload.messageId = args.messageId;
+        // OFW's POST /pub/v3/messages response for drafts is minimal — typically
+        // just `{entityId: <id>}` — and worse, it returns the same success shape
+        // even when the server silently no-ops on a subsequent update to the
+        // same draft. Don't trust the POST response: extract the id from it,
+        // then GET the detail endpoint to repopulate the cache from
+        // authoritative server state.
         const data = await client.request('POST', '/pub/v3/messages', payload);
-        if (data && typeof data.id === 'number') {
-            const draft = {
-                id: data.id,
-                subject: data.subject ?? args.subject,
-                body: data.body ?? args.body,
-                recipients: mapRecipients(data.recipients),
-                replyToId: data.replyToId ?? resolvedReplyTo,
-                modifiedAt: data.date?.dateTime ?? new Date().toISOString(),
-                listData: data,
+        const newId = typeof data?.id === 'number' ? data.id
+            : typeof data?.entityId === 'number' ? data.entityId
+                : null;
+        let persisted = null;
+        let noOpWarning = null;
+        if (newId !== null) {
+            const detail = await client.request('GET', `/pub/v3/messages/${newId}`);
+            persisted = {
+                id: newId,
+                subject: detail.subject ?? args.subject,
+                body: detail.body ?? '',
+                recipients: mapRecipients(detail.recipients),
+                replyToId: detail.replyToId ?? resolvedReplyTo,
+                modifiedAt: detail.date?.dateTime ?? new Date().toISOString(),
+                listData: detail,
             };
-            upsertDraft(draft);
+            upsertDraft(persisted);
+            // If this was an update (messageId provided) and OFW's reported body
+            // doesn't match what we asked it to save, the server silently
+            // dropped the change. Warn the caller so the model can take the
+            // create-then-delete fallback.
+            if (args.messageId !== undefined && persisted.body !== args.body) {
+                noOpWarning = 'WARNING: OFW reported success but the draft body it returned does not match the requested update. The OFW POST /pub/v3/messages endpoint can silently no-op on subsequent updates to the same draft. Workaround: delete this draft (ofw_delete_draft) and create a new one (ofw_save_draft without messageId).';
+            }
         }
-        const text = data ? JSON.stringify(data, null, 2) : 'Draft saved.';
-        return textResponse(rewriteNote ? `${rewriteNote}\n\n${text}` : text);
+        const responseObj = persisted ?? data;
+        const text = responseObj ? JSON.stringify(responseObj, null, 2) : 'Draft saved.';
+        const notes = [rewriteNote, noOpWarning].filter((n) => n !== null).join('\n\n');
+        return textResponse(notes ? `${notes}\n\n${text}` : text);
     });
     server.registerTool('ofw_delete_draft', {
         description: 'Delete a draft message from OurFamilyWizard. Also removes the draft from the local cache.',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ofw-mcp",
-  "version": "2.0.13",
+  "version": "2.0.15",
   "mcpName": "io.github.chrischall/ofw-mcp",
   "description": "OurFamilyWizard MCP server for Claude — developed and maintained by AI (Claude Code)",
   "author": "Claude Code (AI) <https://www.anthropic.com/claude>",
@@ -21,12 +21,13 @@
   ],
   "scripts": {
     "build": "tsc && npm run bundle",
-    "bundle": "esbuild src/index.ts --bundle --platform=node --format=esm --external:dotenv --outfile=dist/bundle.js",
+    "bundle": "esbuild src/index.ts --bundle --platform=node --format=esm --external:dotenv --banner:js='import { createRequire as __createRequire } from \"module\"; const require = __createRequire(import.meta.url);' --outfile=dist/bundle.js",
     "dev": "node --env-file=.env dist/index.js",
     "test": "vitest run",
     "test:watch": "vitest"
   },
   "dependencies": {
+    "@fetchproxy/bootstrap": "^0.4.2",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "dotenv": "^17.4.0",
     "zod": "^4.4.2"

package/server.json

@@ -6,12 +6,12 @@
     "url": "https://github.com/chrischall/ofw-mcp",
     "source": "github"
   },
-  "version": "2.0.13",
+  "version": "2.0.15",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "ofw-mcp",
-      "version": "2.0.13",
+      "version": "2.0.15",
       "transport": {
         "type": "stdio"
       },