omnikey-cli 1.0.42 → 1.0.43

package/backend-dist/agent/mcpRuntime.js

@@ -5,12 +5,20 @@
 // exposes their tools to the agent as `AITool` entries. The agent's tool
 // dispatcher routes any tool call whose name starts with `MCP_TOOL_PREFIX`
 // back here so it is forwarded to the originating MCP server.
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MCP_TOOL_PREFIX = void 0;
+exports.resolveLoginShell = resolveLoginShell;
+exports.wrapWithLoginShell = wrapWithLoginShell;
+exports.buildStdioChildEnv = buildStdioChildEnv;
 exports.getMcpToolsForSubscription = getMcpToolsForSubscription;
 exports.executeMcpTool = executeMcpTool;
 exports.invalidateMcpRuntimeForServer = invalidateMcpRuntimeForServer;
 exports.shutdownAllMcpClients = shutdownAllMcpClients;
+const fs_1 = require("fs");
+const path_1 = __importDefault(require("path"));
 const index_js_1 = require("@modelcontextprotocol/sdk/client/index.js");
 const stdio_js_1 = require("@modelcontextprotocol/sdk/client/stdio.js");
 const sse_js_1 = require("@modelcontextprotocol/sdk/client/sse.js");
@@ -20,6 +28,130 @@ const mcpServer_1 = require("../models/mcpServer");
 exports.MCP_TOOL_PREFIX = 'mcp_';
 const MAX_TOOL_NAME_LEN = 64;
 const CONNECT_TIMEOUT_MS = 15000;
+const STDIO_STDERR_MAX_BYTES = 16 * 1024;
+const STDIO_STDERR_DRAIN_MS = 2000;
+// Ordered candidate list for resolving the user's login shell on Unix/macOS,
+// mirroring the resolvedLoginShell() logic in the macOS terminal launch path.
+// The SHELL environment variable is checked first at call-time (not here).
+const UNIX_SHELL_CANDIDATES = [
+    // zsh — default on macOS Catalina+
+    '/bin/zsh',
+    '/usr/bin/zsh',
+    '/usr/local/bin/zsh', // Homebrew (Intel)
+    '/opt/homebrew/bin/zsh', // Homebrew (Apple Silicon)
+    // bash — default on older macOS / most Linux distros
+    '/bin/bash',
+    '/usr/bin/bash',
+    '/usr/local/bin/bash',
+    '/opt/homebrew/bin/bash',
+    // fish — popular third-party shell
+    '/usr/local/bin/fish',
+    '/opt/homebrew/bin/fish',
+    '/usr/bin/fish',
+    // ksh — KornShell, common on Linux
+    '/bin/ksh',
+    '/usr/bin/ksh',
+    '/usr/local/bin/ksh',
+    // tcsh — legacy, still present on some macOS/BSD systems
+    '/bin/tcsh',
+    '/usr/bin/tcsh',
+    // sh — POSIX fallback, always present
+    '/bin/sh',
+    '/usr/bin/sh',
+];
+// Ordered candidate list for Windows shells. COMSPEC is checked first at call-time.
+const WINDOWS_SHELL_CANDIDATES = [
+    // PowerShell Core (7+) — preferred for modern Windows
+    'C:\\Program Files\\PowerShell\\7\\pwsh.exe',
+    'C:\\Program Files\\PowerShell\\6\\pwsh.exe',
+    // Windows PowerShell — built-in on all Windows versions
+    'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
+    // cmd.exe — last resort
+    'C:\\Windows\\System32\\cmd.exe',
+    'C:\\Windows\\cmd.exe',
+];
+// Homebrew / system binary directories to prepend on Unix when the daemon's
+// inherited PATH is bare (e.g. launched by launchctl). This is a belt-and-
+// suspenders fallback; running through a login shell already handles this.
+const UNIX_EXTRA_PATH_ENTRIES = [
+    '/opt/homebrew/bin',
+    '/opt/homebrew/sbin',
+    '/usr/local/bin',
+    '/usr/local/sbin',
+];
+// Common Windows binary directories to prepend when PATHEXT / system dirs are
+// missing from the inherited PATH.
+const WINDOWS_EXTRA_PATH_ENTRIES = [
+    'C:\\Windows\\System32',
+    'C:\\Windows',
+    'C:\\Windows\\System32\\Wbem',
+    'C:\\Windows\\System32\\WindowsPowerShell\\v1.0',
+    // Scoop (user-level package manager)
+    `${process.env.USERPROFILE ?? 'C:\\Users\\Default'}\\scoop\\shims`,
+    // Node.js user-level installer
+    `${process.env.APPDATA ?? 'C:\\Users\\Default\\AppData\\Roaming'}\\npm`,
+];
+function isExecutable(filePath) {
+    try {
+        (0, fs_1.accessSync)(filePath, fs_1.constants.X_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Resolve the login shell to use when wrapping stdio MCP child processes.
+ * On Unix/macOS mirrors the resolvedLoginShell() logic from the macOS terminal
+ * launch path: check $SHELL first, then walk a fixed candidate list.
+ * On Windows: check %COMSPEC%, then prefer PowerShell Core > Windows PowerShell > cmd.
+ */
+function resolveLoginShell() {
+    if (process.platform === 'win32') {
+        const comspec = process.env.COMSPEC ?? '';
+        if (comspec && (0, fs_1.existsSync)(comspec))
+            return comspec;
+        for (const candidate of WINDOWS_SHELL_CANDIDATES) {
+            if ((0, fs_1.existsSync)(candidate))
+                return candidate;
+        }
+        return 'cmd.exe';
+    }
+    const envShell = process.env.SHELL ?? '';
+    const candidates = envShell ? [envShell, ...UNIX_SHELL_CANDIDATES] : [...UNIX_SHELL_CANDIDATES];
+    for (const candidate of candidates) {
+        if (candidate && (0, fs_1.existsSync)(candidate) && isExecutable(candidate))
+            return candidate;
+    }
+    return '/bin/sh';
+}
+/** Single-quote a Unix shell argument, safely escaping embedded single quotes. */
+function shellEscapeUnix(arg) {
+    return `'${arg.replace(/'/g, `'\\''`)}'`;
+}
+/**
+ * Wrap `command args` so it is executed through the resolved login shell.
+ *
+ * On Unix: `shell -l -c 'command args...'`
+ *   `-l` sources the login profile (.zprofile, .bash_profile, etc.) so the
+ *   child inherits the same PATH as an interactive terminal session.
+ *
+ * On Windows (powershell / pwsh): `shell -NoProfile -Command "command args..."`
+ * On Windows (cmd):               `shell /c "command args..."`
+ */
+function wrapWithLoginShell(shell, command, args) {
+    if (process.platform === 'win32') {
+        const shellName = path_1.default.basename(shell).toLowerCase();
+        const cmdStr = [command, ...args].join(' ');
+        if (shellName === 'pwsh.exe' || shellName === 'powershell.exe') {
+            return { command: shell, args: ['-NoProfile', '-Command', cmdStr] };
+        }
+        // cmd.exe — /c runs the rest of the line as a command
+        return { command: shell, args: ['/c', cmdStr] };
+    }
+    const fullCmd = [command, ...args].map(shellEscapeUnix).join(' ');
+    return { command: shell, args: ['-l', '-c', fullCmd] };
+}
 const clients = new Map(); // by MCPServer.id
 function slug(s) {
     return s
@@ -38,7 +170,54 @@ function isStdioAllowed() {
     // outbound HTTP/SSE transports are permitted.
     return config_1.config.isSelfHosted === true || config_1.config.isLocal === true;
 }
+/**
+ * Build the environment for a spawned stdio MCP child process.
+ *
+ * Starts from the parent `process.env`, then prepends the standard
+ * Homebrew / `/usr/local` binary directories (Unix) or common Windows system
+ * directories to PATH, preserving the existing PATH after them and never
+ * duplicating entries already present. This is a belt-and-suspenders measure
+ * on top of the login-shell wrapping: the shell's `-l` flag sources the login
+ * profile, but augmenting PATH here also helps when the shell is not found.
+ * User-supplied `serverEnv` is overlaid last so an explicit PATH wins.
+ * The result is a strict `Record<string, string>` with any `undefined`
+ * values stripped out (process.env can legally contain those).
+ */
+function buildStdioChildEnv(serverEnv) {
+    const base = {};
+    for (const [k, v] of Object.entries(process.env)) {
+        if (typeof v === 'string')
+            base[k] = v;
+    }
+    if (process.platform === 'win32') {
+        // On Windows, PATH lookup is case-insensitive; normalize to the 'Path' key
+        // that Node uses, then prepend common system directories.
+        const pathKey = Object.keys(base).find((k) => k.toLowerCase() === 'path') ?? 'Path';
+        const currentPath = base[pathKey] ?? '';
+        const existing = currentPath.split(';').filter((p) => p.length > 0);
+        const existingSet = new Set(existing.map((p) => p.toLowerCase()));
+        const toPrepend = WINDOWS_EXTRA_PATH_ENTRIES.filter((p) => !existingSet.has(p.toLowerCase()));
+        base[pathKey] = [...toPrepend, ...existing].join(';');
+    }
+    else {
+        const currentPath = base.PATH ?? '';
+        const existing = currentPath.split(':').filter((p) => p.length > 0);
+        const existingSet = new Set(existing);
+        const toPrepend = UNIX_EXTRA_PATH_ENTRIES.filter((p) => !existingSet.has(p));
+        base.PATH = [...toPrepend, ...existing].join(':');
+    }
+    if (serverEnv) {
+        for (const [k, v] of Object.entries(serverEnv)) {
+            if (typeof v === 'string')
+                base[k] = v;
+        }
+    }
+    return base;
+}
 async function connectOne(server, log) {
+    // Hoisted so the catch block can drain transport.stderr for diagnostics.
+    let stdioTransport;
+    let stderrBuffer = '';
     try {
         if (server.transport === 'stdio' && !isStdioAllowed()) {
             throw new Error('stdio MCP transport is disabled in this deployment.');
@@ -47,14 +226,39 @@ async function connectOne(server, log) {
         if (server.transport === 'stdio') {
             if (!server.command)
                 throw new Error('command is required for stdio transport');
-            const transport = new stdio_js_1.StdioClientTransport({
+            const childEnv = buildStdioChildEnv(server.env);
+            // Wrap through the login shell so the child process inherits the same
+            // PATH as an interactive terminal session (sources .zprofile, .bash_profile,
+            // etc.). This is equivalent to how macOS Terminal launches a new window.
+            const loginShell = resolveLoginShell();
+            const { command: wrappedCmd, args: wrappedArgs } = wrapWithLoginShell(loginShell, server.command, server.args ?? []);
+            log.info('Spawning stdio MCP server', {
+                mcpServerId: server.id,
+                mcpServerName: server.name,
                 command: server.command,
                 args: server.args ?? [],
-                // Pass-through the user-provided env in addition to a safe default set.
-                env: { ...process.env, ...(server.env ?? {}) },
+                loginShell,
+                wrappedCommand: wrappedCmd,
+                wrappedArgs,
+                path: childEnv.PATH,
+            });
+            stdioTransport = new stdio_js_1.StdioClientTransport({
+                command: wrappedCmd,
+                args: wrappedArgs,
+                env: childEnv,
                 stderr: 'pipe',
             });
-            await withTimeout(client.connect(transport), CONNECT_TIMEOUT_MS, 'MCP stdio connect');
+            // Attach the stderr listener eagerly: the child can fail (e.g. `env: node:
+            // No such file or directory`) and close the stream before our catch block
+            // runs, so we have to start buffering before we await client.connect().
+            stdioTransport.stderr?.on('data', (chunk) => {
+                if (stderrBuffer.length >= STDIO_STDERR_MAX_BYTES)
+                    return;
+                const text = typeof chunk === 'string' ? chunk : chunk.toString('utf8');
+                const remaining = STDIO_STDERR_MAX_BYTES - stderrBuffer.length;
+                stderrBuffer += text.length > remaining ? text.slice(0, remaining) : text;
+            });
+            await withTimeout(client.connect(stdioTransport), CONNECT_TIMEOUT_MS, 'MCP stdio connect');
         }
         else if (server.transport === 'http') {
             if (!server.url)
@@ -89,16 +293,47 @@ async function connectOne(server, log) {
     }
     catch (err) {
         const message = err instanceof Error ? err.message : String(err);
+        let childStderr;
+        if (server.transport === 'stdio' && stdioTransport) {
+            childStderr = await drainStdioStderr(stdioTransport, () => stderrBuffer);
+        }
         log.warn('Failed to connect to MCP server', {
             mcpServerId: server.id,
             mcpServerName: server.name,
             transport: server.transport,
             error: message,
+            ...(childStderr !== undefined ? { childStderr } : {}),
         });
         await mcpServer_1.MCPServer.update({ lastError: message }, { where: { id: server.id } }).catch(() => undefined);
         return null;
     }
 }
+/**
+ * Return the buffered stderr from a failed stdio transport. Waits up to
+ * STDIO_STDERR_DRAIN_MS for the stream to emit any final chunks (the child
+ * process may still be flushing its stderr when we land in the catch block).
+ */
+async function drainStdioStderr(transport, read) {
+    const stderr = transport.stderr;
+    if (!stderr)
+        return read().trim();
+    await new Promise((resolve) => {
+        let settled = false;
+        const finish = () => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timer);
+            stderr.removeListener('end', finish);
+            stderr.removeListener('close', finish);
+            resolve();
+        };
+        const timer = setTimeout(finish, STDIO_STDERR_DRAIN_MS);
+        stderr.once('end', finish);
+        stderr.once('close', finish);
+    });
+    return read().trim();
+}
 async function getOrConnect(server, log) {
     const cached = clients.get(server.id);
     if (cached)

package/backend-dist/index.js

@@ -77,8 +77,8 @@ app.get('/macos/appcast', (req, res) => {
     const appcastUrl = `${baseUrl}/macos/appcast`;
     // These should match the values embedded into the macOS app
     // Info.plist in macOS/build_release_dmg.sh.
-    const bundleVersion = '31';
-    const shortVersion = '1.0.30';
+    const bundleVersion = '33';
+    const shortVersion = '1.0.32';
     const xml = `<?xml version="1.0" encoding="utf-8"?>
 <rss version="2.0"
      xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle"

package/package.json

@@ -4,7 +4,7 @@
     "access": "public",
     "registry": "https://registry.npmjs.org/"
   },
-  "version": "1.0.42",
+  "version": "1.0.43",
   "description": "CLI for onboarding users to Omnikey AI and configuring OPENAI_API_KEY. Use Yarn for install/build.",
   "engines": {
     "node": ">=14.0.0",