ossput 0.0.1

package/dist/upload-pipeline.js

@@ -0,0 +1,96 @@
+import { readFile } from "node:fs/promises";
+import { MAX_FILE_BYTES } from "./types.js";
+import { createOssClient, publicObjectUrl } from "./oss-client.js";
+import { buildObjectKey } from "./key-builder.js";
+import { inferContentType, validateExtension, validateLocalFile, validateSubdir, } from "./validators.js";
+const UPLOAD_TIMEOUT_MS = 600_000;
+async function signPutUrl(config, objectKey, contentType) {
+    const client = createOssClient(config);
+    return client.asyncSignatureUrl(objectKey, {
+        method: "PUT",
+        expires: config.presignExpiresSec,
+        "Content-Type": contentType,
+    });
+}
+export async function prepareUpload(config, filename, contentType, subdir, overwrite = false) {
+    validateExtension(filename, config);
+    const normalizedSubdir = validateSubdir(subdir);
+    const objectKey = buildObjectKey(config.prefix, normalizedSubdir, filename, overwrite);
+    const uploadUrl = await signPutUrl(config, objectKey, contentType);
+    const expiresAt = new Date(Date.now() + config.presignExpiresSec * 1000).toISOString();
+    return {
+        bucket: config.bucket,
+        objectKey,
+        uploadUrl,
+        method: "PUT",
+        headers: { "Content-Type": contentType },
+        expiresAt,
+        maxSizeBytes: MAX_FILE_BYTES,
+    };
+}
+function formatUploadHttpError(status, body) {
+    const snippet = body.trim().slice(0, 300);
+    const detail = snippet ? `: ${snippet}` : "";
+    return `OSS upload failed (HTTP ${status})${detail}`;
+}
+/** Presigned PUT via Node fetch (no external curl). */
+export async function putPresignedFile(uploadUrl, filePath, contentType) {
+    if (typeof globalThis.fetch !== "function") {
+        throw new Error("当前 Node 运行时无 fetch，请使用 Node.js 18 或更高版本");
+    }
+    const body = await readFile(filePath);
+    const response = await fetch(uploadUrl, {
+        method: "PUT",
+        headers: { "Content-Type": contentType },
+        body,
+        signal: AbortSignal.timeout(UPLOAD_TIMEOUT_MS),
+    });
+    if (!response.ok) {
+        const text = await response.text().catch(() => "");
+        throw new Error(formatUploadHttpError(response.status, text));
+    }
+}
+export async function confirmUpload(config, objectKey, expectedSizeBytes) {
+    const client = createOssClient(config);
+    try {
+        const head = await client.head(objectKey);
+        const headers = head.res.headers;
+        const size = Number(headers["content-length"] ?? 0);
+        if (expectedSizeBytes != null && size !== expectedSizeBytes) {
+            throw new Error(`size mismatch: expected ${expectedSizeBytes}, got ${size}`);
+        }
+        const etag = headers.etag != null ? String(headers.etag) : undefined;
+        const lastModified = headers["last-modified"] != null
+            ? String(headers["last-modified"])
+            : undefined;
+        return {
+            exists: true,
+            size,
+            etag,
+            objectUrl: publicObjectUrl(config, objectKey),
+            lastModified,
+        };
+    }
+    catch (err) {
+        const e = err;
+        if (e.code === "NoSuchKey" || e.status === 404) {
+            return {
+                exists: false,
+                size: 0,
+                objectUrl: publicObjectUrl(config, objectKey),
+            };
+        }
+        throw err;
+    }
+}
+export async function uploadFile(config, localPath, subdir, contentType) {
+    const { absolutePath, size, filename } = await validateLocalFile(localPath);
+    const ct = contentType?.trim() || inferContentType(filename);
+    const prepared = await prepareUpload(config, filename, ct, subdir, false);
+    await putPresignedFile(prepared.uploadUrl, absolutePath, ct);
+    const confirmed = await confirmUpload(config, prepared.objectKey, size);
+    if (!confirmed.exists) {
+        throw new Error("upload completed but object not found on OSS");
+    }
+    return { objectKey: prepared.objectKey, ...confirmed };
+}

package/dist/validators.d.ts

@@ -0,0 +1,10 @@
+import type { AppConfig } from "./types.js";
+export declare function getExtension(filename: string): string;
+export declare function inferContentType(filename: string): string;
+export declare function validateSubdir(subdir?: string): string;
+export declare function validateExtension(filename: string, config: AppConfig): void;
+export declare function validateLocalFile(localPath: string): Promise<{
+    absolutePath: string;
+    size: number;
+    filename: string;
+}>;

package/dist/validators.js

@@ -0,0 +1,77 @@
+import { basename, resolve, normalize } from "node:path";
+import { stat } from "node:fs/promises";
+import { MAX_FILE_BYTES } from "./types.js";
+const DENIED_SUBDIRS = ["release", "prod", "production"];
+export function getExtension(filename) {
+    const base = basename(filename);
+    const dot = base.lastIndexOf(".");
+    if (dot <= 0)
+        return "";
+    return base.slice(dot + 1).toLowerCase();
+}
+export function inferContentType(filename) {
+    const ext = getExtension(filename);
+    const map = {
+        png: "image/png",
+        jpg: "image/jpeg",
+        jpeg: "image/jpeg",
+        gif: "image/gif",
+        webp: "image/webp",
+        pdf: "application/pdf",
+        doc: "application/msword",
+        docx: "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+        xls: "application/vnd.ms-excel",
+        xlsx: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+        ppt: "application/vnd.ms-powerpoint",
+        pptx: "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+        mp4: "video/mp4",
+        mov: "video/quicktime",
+        zip: "application/zip",
+    };
+    return map[ext] ?? "application/octet-stream";
+}
+export function validateSubdir(subdir) {
+    if (!subdir?.trim())
+        return "";
+    const s = subdir.trim().replace(/^\/+|\/+$/g, "");
+    if (!s)
+        return "";
+    if (s.includes(".."))
+        throw new Error("subdir must not contain '..'");
+    if (!/^[a-zA-Z0-9_\-/]+$/.test(s)) {
+        throw new Error("subdir may only contain letters, numbers, _, -, and /");
+    }
+    for (const denied of DENIED_SUBDIRS) {
+        if (s === denied || s.startsWith(`${denied}/`)) {
+            throw new Error(`subdir '${denied}' is not allowed`);
+        }
+    }
+    return s.endsWith("/") ? s : `${s}/`;
+}
+export function validateExtension(filename, config) {
+    const ext = getExtension(filename);
+    if (!ext)
+        throw new Error("file must have an extension");
+    const allowed = config.allowedExtensions.map((e) => e.toLowerCase());
+    if (!allowed.includes(ext)) {
+        throw new Error(`extension '.${ext}' not allowed. Allowed: ${allowed.join(", ")}`);
+    }
+}
+export async function validateLocalFile(localPath) {
+    const absolutePath = resolve(normalize(localPath));
+    const st = await stat(absolutePath);
+    if (!st.isFile())
+        throw new Error(`not a file: ${absolutePath}`);
+    if (st.size > MAX_FILE_BYTES) {
+        throw new Error(`file exceeds ${MAX_FILE_BYTES} bytes (100MB limit)`);
+    }
+    const filename = basename(absolutePath);
+    const lower = filename.toLowerCase();
+    if (lower === ".env" ||
+        lower.endsWith(".pem") ||
+        lower.endsWith(".key") ||
+        lower.includes("id_rsa")) {
+        throw new Error("refusing to upload sensitive-looking files");
+    }
+    return { absolutePath, size: st.size, filename };
+}

package/docs/ram-policy.example.json

@@ -0,0 +1,31 @@
+{
+  "Version": "1",
+  "Statement": [
+    {
+      "Sid": "OssputListAndRead",
+      "Effect": "Allow",
+      "Action": [
+        "oss:ListObjects",
+        "oss:GetObject",
+        "oss:HeadObject"
+      ],
+      "Resource": [
+        "acs:oss:*:*:your-bucket",
+        "acs:oss:*:*:your-bucket/your-prefix/*"
+      ]
+    },
+    {
+      "Sid": "OssputWrite",
+      "Effect": "Allow",
+      "Action": ["oss:PutObject"],
+      "Resource": ["acs:oss:*:*:your-bucket/your-prefix/*"]
+    },
+    {
+      "Sid": "OssputDeleteOptional",
+      "Effect": "Allow",
+      "Action": ["oss:DeleteObject"],
+      "Resource": ["acs:oss:*:*:your-bucket/your-prefix/*"],
+      "Comment": "仅当 profile 开启 allowDelete 且确需 delete_object 时授予"
+    }
+  ]
+}

package/package.json

@@ -0,0 +1,59 @@
+{
+  "name": "ossput",
+  "version": "0.0.1",
+  "description": "MCP server for Aliyun OSS presigned direct upload (Node fetch) — setup via CLI, upload via Agent or `ossput put`",
+  "type": "module",
+  "main": "./dist/index.js",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/devoink/ossput.git"
+  },
+  "bugs": {
+    "url": "https://github.com/devoink/ossput/issues"
+  },
+  "homepage": "https://github.com/devoink/ossput#readme",
+  "bin": {
+    "ossput": "dist/index.js"
+  },
+  "files": [
+    "dist",
+    "AGENTS.md",
+    "CHANGELOG.md",
+    ".cursor/skills/ossput",
+    "config.index.example.json",
+    "profiles.example",
+    ".ossput.json.example",
+    "docs"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "test": "npm run build && node scripts/run-tests.mjs",
+    "prepublishOnly": "npm run build && npm test",
+    "start": "node dist/index.js",
+    "dev": "tsc --watch"
+  },
+  "keywords": [
+    "mcp",
+    "cursor",
+    "aliyun",
+    "oss",
+    "upload",
+    "ossput",
+    "model-context-protocol"
+  ],
+  "license": "MIT",
+  "engines": {
+    "node": ">=18"
+  },
+  "dependencies": {
+    "@inquirer/prompts": "^7.4.0",
+    "@modelcontextprotocol/sdk": "^1.12.1",
+    "ali-oss": "^6.22.0",
+    "zod": "^3.24.2"
+  },
+  "devDependencies": {
+    "@types/ali-oss": "^6.16.11",
+    "@types/node": "^22.13.10",
+    "typescript": "^5.8.2"
+  }
+}

package/profiles.example/default.json

@@ -0,0 +1,21 @@
+{
+  "region": "oss-cn-hangzhou",
+  "bucket": "your-bucket",
+  "prefix": "/",
+  "accessKeyId": "LTAI...",
+  "accessKeySecret": "...",
+  "presignExpiresSec": 900,
+  "allowedExtensions": [
+    "png",
+    "jpg",
+    "jpeg",
+    "gif",
+    "webp",
+    "pdf",
+    "mp4",
+    "zip"
+  ],
+  "endpoint": null,
+  "publicBaseUrl": "https://cdn.example.com",
+  "allowDelete": false
+}