sanook-cli 0.4.0 → 0.5.1

package/dist/mcp.js

@@ -1,16 +1,19 @@
 import { spawn } from 'node:child_process';
 import { readFile } from 'node:fs/promises';
-import { homedir } from 'node:os';
-import { join } from 'node:path';
 import { readFileSync } from 'node:fs';
 import { dynamicTool, jsonSchema } from 'ai';
+import { appHomePath, appProjectPath, BRAND } from './brand.js';
+import { hasUntrustedProjectConfig, projectConfigPathIfTrusted, projectRoot } from './trust.js';
 // version จาก package.json (single source of truth) — กัน drift เหมือน bin.ts/banner
 const VERSION = JSON.parse(readFileSync(new URL('../package.json', import.meta.url), 'utf8')).version;
-// MCP client (stdio JSON-RPC) เขียนเอง zero-dep — ต่อ MCP server (filesystem/github/postgres/ฯลฯ)
-// ทำให้ Sanook extensible เหมือน Claude Code/Codex. config: ~/.sanook/mcp.json + project .sanook/mcp.json
-// { "mcpServers": { "fs": { "command": "npx", "args": ["-y","@modelcontextprotocol/server-filesystem","/path"] } } }
-const PROTOCOL_VERSION = '2024-11-05';
+// MCP client เขียนเอง zero-dep — ต่อ MCP server (filesystem/github/postgres/ฯลฯ)
+// 2 transport: stdio (command) + Streamable-HTTP (url) → ต่อทั้ง local และ remote/hosted MCP ได้
+// config: ~/.sanook/mcp.json + project .sanook/mcp.json
+//   stdio:  { "fs":  { "command": "npx", "args": ["-y","@modelcontextprotocol/server-filesystem","/path"] } }
+//   remote: { "gh":  { "url": "https://api.example.com/mcp", "headers": { "Authorization": "Bearer …" } } }
+export const PROTOCOL_VERSION = '2024-11-05'; // shared by the MCP client (here) and server (mcp-server.ts)
 const MAX_BUF = 16 * 1024 * 1024; // กัน server ส่ง byte ยาวไม่มี newline → memory โต unbounded
+const REQUEST_TIMEOUT = 20_000;
 // env ปลอดภัยที่ส่งให้ MCP child (ไม่มี secret) — server ที่ต้อง token ให้ตั้งใน cfg.env เอง
 const SAFE_ENV_KEYS = ['PATH', 'HOME', 'TMPDIR', 'TEMP', 'LANG', 'LC_ALL', 'USER', 'SHELL', 'TERM', 'NODE_PATH', 'NVM_DIR', 'APPDATA'];
 function safeEnv() {
@@ -22,8 +25,12 @@ function safeEnv() {
     }
     return out;
 }
-/** MCP stdio client — JSON-RPC 2.0, newline-delimited messages */
-class McpClient {
+export function isValidMcpServerName(name) {
+    return (/^[a-zA-Z0-9][a-zA-Z0-9_-]{0,63}$/.test(name) &&
+        !['__proto__', 'prototype', 'constructor'].includes(name));
+}
+/** stdio transport — JSON-RPC 2.0, newline-delimited ผ่าน child process stdin/stdout */
+class StdioTransport {
     proc;
     buf = '';
     nextId = 1;
@@ -34,6 +41,9 @@ class McpClient {
             // minimal env เท่านั้น (PATH/HOME/locale) + cfg.env ที่ user ตั้งเอง — ไม่ส่ง secret
             // (ANTHROPIC_API_KEY/TELEGRAM_BOT_TOKEN/ฯลฯ) ให้ทุก MCP server (supply chain = npx -y <pkg>)
             env: { ...safeEnv(), ...cfg.env },
+            // Windows: `npx`/`npm`/JS bins เป็น .cmd shim → spawn ตรงๆ = ENOENT. shell=true ให้ผ่าน PATHEXT.
+            // (config นี้ user เป็นเจ้าของ/trust แล้ว — bare-name resolution เท่านั้น)
+            shell: process.platform === 'win32',
             stdio: ['pipe', 'pipe', 'pipe'],
         });
         this.proc.stdout?.on('data', (d) => this.onData(d.toString()));
@@ -76,7 +86,7 @@ class McpClient {
             }
         }
     }
-    request(method, params, timeoutMs = 20_000) {
+    request(method, params, timeoutMs = REQUEST_TIMEOUT) {
         if (this.dead)
             return Promise.reject(new Error('mcp: server ตายแล้ว'));
         const id = this.nextId++;
@@ -101,20 +111,115 @@ class McpClient {
     notify(method, params) {
         this.proc.stdin?.write(`${JSON.stringify({ jsonrpc: '2.0', method, params })}\n`);
     }
+    close() {
+        try {
+            this.proc.kill();
+        }
+        catch {
+            /* ตายแล้ว */
+        }
+    }
+}
+/** Streamable-HTTP transport — POST JSON-RPC ต่อ request, รับ application/json หรือ text/event-stream */
+class HttpTransport {
+    url;
+    userHeaders;
+    nextId = 1;
+    sessionId;
+    constructor(url, userHeaders = {}) {
+        this.url = url;
+        this.userHeaders = userHeaders;
+    }
+    headers() {
+        return {
+            'content-type': 'application/json',
+            accept: 'application/json, text/event-stream',
+            ...(this.sessionId ? { 'mcp-session-id': this.sessionId } : {}),
+            ...this.userHeaders,
+        };
+    }
+    /** parse SSE body หา JSON-RPC response ที่ id ตรง (Streamable-HTTP คืน response ผ่าน event-stream ได้) */
+    parseSse(text, id) {
+        for (const block of text.split(/\n\n/)) {
+            const data = block
+                .split(/\n/)
+                .filter((l) => l.startsWith('data:'))
+                .map((l) => l.slice(5).trim())
+                .join('');
+            if (!data)
+                continue;
+            let msg;
+            try {
+                msg = JSON.parse(data);
+            }
+            catch {
+                continue; // block นี้ไม่ใช่ JSON สมบูรณ์ → ข้ามไป block ถัดไป (ไม่ abort ทั้ง stream)
+            }
+            // MCP protocol error / return อยู่นอก try → ไม่ถูกกลบโดย catch ของ JSON.parse
+            if (msg.id === id) {
+                if (msg.error)
+                    throw new Error(msg.error.message ?? 'mcp error');
+                return msg.result;
+            }
+        }
+        throw new Error('mcp http: ไม่พบ response ใน event-stream');
+    }
+    async request(method, params, timeoutMs = REQUEST_TIMEOUT) {
+        const id = this.nextId++;
+        const res = await fetch(this.url, {
+            method: 'POST',
+            headers: this.headers(),
+            body: JSON.stringify({ jsonrpc: '2.0', id, method, params }),
+            signal: AbortSignal.timeout(timeoutMs),
+        });
+        const sid = res.headers.get('mcp-session-id');
+        if (sid)
+            this.sessionId = sid;
+        if (!res.ok)
+            throw new Error(`mcp http ${res.status} ${res.statusText}`);
+        const ctype = res.headers.get('content-type') ?? '';
+        if (ctype.includes('text/event-stream'))
+            return this.parseSse(await res.text(), id);
+        const json = (await res.json());
+        if (json.error)
+            throw new Error(json.error.message ?? 'mcp error');
+        return json.result;
+    }
+    notify(method, params) {
+        void fetch(this.url, {
+            method: 'POST',
+            headers: this.headers(),
+            body: JSON.stringify({ jsonrpc: '2.0', method, params }),
+            signal: AbortSignal.timeout(REQUEST_TIMEOUT),
+        }).catch(() => { });
+    }
+    close() {
+        if (!this.sessionId)
+            return;
+        // best-effort terminate session (spec: DELETE) — ไม่รอผล
+        void fetch(this.url, { method: 'DELETE', headers: this.headers() }).catch(() => { });
+    }
+}
+/** MCP client — เลือก transport จาก config (url = http, ไม่งั้น stdio) แล้ว handshake + เรียก tool */
+class McpClient {
+    transport;
+    constructor(cfg) {
+        this.transport = cfg.url ? new HttpTransport(cfg.url, cfg.headers) : new StdioTransport(cfg);
+    }
     async initialize() {
-        await this.request('initialize', {
+        await this.transport.request('initialize', {
             protocolVersion: PROTOCOL_VERSION,
             capabilities: {},
-            clientInfo: { name: 'sanook', version: VERSION },
+            clientInfo: { name: BRAND.mcpClientName, version: VERSION },
         });
-        this.notify('notifications/initialized');
+        this.transport.notify('notifications/initialized');
     }
     async listTools() {
-        const r = (await this.request('tools/list'));
+        const r = (await this.transport.request('tools/list'));
         return r?.tools ?? [];
     }
     async callTool(name, args) {
-        const r = (await this.request('tools/call', { name, arguments: args ?? {} }));
+        const r = (await this.transport.request('tools/call', { name, arguments: args ?? {} }));
         const text = (r?.content ?? [])
             .filter((c) => c.type === 'text')
             .map((c) => c.text ?? '')
@@ -122,25 +227,71 @@ class McpClient {
         return r?.isError ? `MCP error: ${text}` : text || '(no output)';
     }
     close() {
-        try {
-            this.proc.kill();
-        }
-        catch {
-            /* ตายแล้ว */
-        }
+        this.transport.close();
     }
 }
-async function loadMcpConfig() {
+function stringRecord(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value))
+        return undefined;
+    const out = {};
+    for (const [k, v] of Object.entries(value)) {
+        if (typeof k === 'string' && typeof v === 'string')
+            out[k] = v;
+    }
+    return Object.keys(out).length ? out : undefined;
+}
+function sanitizeMcpServerConfig(raw) {
+    if (!raw || typeof raw !== 'object' || Array.isArray(raw))
+        return null;
+    const r = raw;
+    const cfg = {};
+    if (typeof r.command === 'string' && r.command)
+        cfg.command = r.command;
+    if (Array.isArray(r.args) && r.args.every((a) => typeof a === 'string'))
+        cfg.args = r.args;
+    if (typeof r.url === 'string' && r.url)
+        cfg.url = r.url;
+    const env = stringRecord(r.env);
+    if (env)
+        cfg.env = env;
+    const headers = stringRecord(r.headers);
+    if (headers)
+        cfg.headers = headers;
+    return cfg.command || cfg.url ? cfg : null;
+}
+async function readMcpFile(path, merged) {
+    const cfg = JSON.parse(await readFile(path, 'utf8'));
+    if (!cfg.mcpServers || typeof cfg.mcpServers !== 'object')
+        return;
+    for (const [name, raw] of Object.entries(cfg.mcpServers)) {
+        if (!isValidMcpServerName(name))
+            continue;
+        const server = sanitizeMcpServerConfig(raw);
+        if (server)
+            merged[name] = server;
+    }
+}
+export async function loadMcpConfig(onLog, cwd = process.cwd()) {
     const merged = {};
-    for (const p of [join(homedir(), '.sanook', 'mcp.json'), join(process.cwd(), '.sanook', 'mcp.json')]) {
+    try {
+        await readMcpFile(appHomePath('mcp.json'), merged);
+    }
+    catch {
+        /* ไม่มี global config = ข้าม */
+    }
+    const root = await projectRoot(cwd);
+    const projectPath = await projectConfigPathIfTrusted('mcp.json', root);
+    if (projectPath) {
         try {
-            const cfg = JSON.parse(await readFile(p, 'utf8'));
-            Object.assign(merged, cfg.mcpServers ?? {});
+            await readMcpFile(projectPath, merged);
         }
-        catch {
-            /* ไม่มี config = ข้าม */
+        catch (e) {
+            onLog?.(`project MCP config อ่านไม่ได้: ${e.message}`);
         }
     }
+    else if (await hasUntrustedProjectConfig('mcp.json', root)) {
+        onLog?.(`project MCP config ถูกข้าม (ยังไม่ trust): ${appProjectPath(root, 'mcp.json')}`);
+    }
     return merged;
 }
 let cachePromise = null;
@@ -151,16 +302,20 @@ export function getMcpTools(onLog) {
     return cachePromise;
 }
 async function buildMcpTools(onLog) {
-    const config = await loadMcpConfig();
+    const config = await loadMcpConfig(onLog);
     if (!Object.keys(config).length)
         return {};
     const tools = {};
     const clients = [];
     activeClients = clients; // ref เดียวกัน → closeMcp kill client ที่ spawn ระหว่าง build ได้ด้วย
     for (const [serverName, cfg] of Object.entries(config)) {
+        if (!cfg.url && !cfg.command) {
+            onLog?.(`MCP "${serverName}" ข้าม: ต้องมี "command" (stdio) หรือ "url" (remote)`);
+            continue;
+        }
         try {
             const client = new McpClient(cfg);
-            clients.push(client); // push ทันที (constructor spawn แล้ว) ก่อน await → ไม่ leak ถ้า build ค้าง
+            clients.push(client); // push ทันที (อาจ spawn แล้ว) ก่อน await → ไม่ leak ถ้า build ค้าง
             await client.initialize();
             const defs = await client.listTools();
             for (const def of defs) {
@@ -175,7 +330,7 @@ async function buildMcpTools(onLog) {
                     execute: async (args) => client.callTool(def.name, args),
                 });
             }
-            onLog?.(`MCP "${serverName}": ${defs.length} tools`);
+            onLog?.(`MCP "${serverName}" (${cfg.url ? 'http' : 'stdio'}): ${defs.length} tools`);
         }
         catch (e) {
             onLog?.(`MCP "${serverName}" ต่อไม่ได้: ${e.message}`);