securenow 7.3.0 → 7.5.0

package/mcp/catalog.js

@@ -0,0 +1,770 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const TEXT = 'text/plain';
+const JSON_MIME = 'application/json';
+const MARKDOWN = 'text/markdown';
+
+function string(description) {
+  return { type: 'string', description };
+}
+
+function number(description, extra = {}) {
+  return { type: 'number', description, ...extra };
+}
+
+function boolean(description) {
+  return { type: 'boolean', description };
+}
+
+function arrayOfStrings(description) {
+  return { type: 'array', items: { type: 'string' }, description };
+}
+
+function objectSchema(properties, required = []) {
+  return {
+    type: 'object',
+    additionalProperties: false,
+    properties,
+    required,
+  };
+}
+
+function jsonText(value) {
+  return JSON.stringify(value, null, 2);
+}
+
+function maskSecret(value) {
+  if (!value) return null;
+  const text = String(value);
+  if (text.length <= 12) return '***';
+  return `${text.slice(0, 8)}...${text.slice(-4)}`;
+}
+
+function normalizeAppKeys(value) {
+  if (Array.isArray(value)) return value.filter(Boolean).join(',');
+  return value;
+}
+
+function sanitizeArgs(args = {}) {
+  const clone = { ...args };
+  for (const key of Object.keys(clone)) {
+    if (/token|apiKey|api_key|authorization|password|secret/i.test(key)) {
+      clone[key] = maskSecret(clone[key]);
+    }
+  }
+  return clone;
+}
+
+const confirmSchema = {
+  confirm: boolean('Required for write actions. Must be true.'),
+  reason: string('Short human-readable reason for the write action.'),
+};
+
+const appKeysInput = {
+  appKeys: {
+    oneOf: [
+      { type: 'string' },
+      { type: 'array', items: { type: 'string' } },
+    ],
+    description: 'Application key or comma-separated/list of application keys.',
+  },
+};
+
+const pagingInput = {
+  limit: number('Maximum results to return.', { minimum: 1, maximum: 500 }),
+  page: number('Page number.', { minimum: 1 }),
+};
+
+const timeRangeInput = {
+  from: string('Start time as ISO 8601, optional.'),
+  to: string('End time as ISO 8601, optional.'),
+};
+
+const TOOLS = [
+  {
+    name: 'securenow_auth_status',
+    title: 'SecureNow Auth Status',
+    description: 'Show local SecureNow credential source, selected app, and masked firewall key.',
+    scope: null,
+    localOnly: true,
+    readOnly: true,
+    inputSchema: objectSchema({}),
+  },
+  {
+    name: 'securenow_apps_list',
+    title: 'List Applications',
+    description: 'List SecureNow applications for the authenticated user.',
+    scope: 'applications:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/applications',
+    inputSchema: objectSchema({}),
+  },
+  {
+    name: 'securenow_apps_create',
+    title: 'Create Application',
+    description: 'Create a SecureNow application. Write action; requires confirmation.',
+    scope: 'applications:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/applications',
+    bodyFields: ['name', 'hosts', 'instanceId'],
+    inputSchema: objectSchema({
+      name: string('Application name.'),
+      hosts: arrayOfStrings('Optional hostnames/domains for this application.'),
+      instanceId: string('Optional ClickHouse instance id.'),
+      ...confirmSchema,
+    }, ['name', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_apps_info',
+    title: 'Get Application By Key',
+    description: 'Get details for an application by app key.',
+    scope: 'applications:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/applications/key/:key',
+    pathParams: ['key'],
+    inputSchema: objectSchema({
+      key: string('Application key UUID.'),
+    }, ['key']),
+  },
+  {
+    name: 'securenow_firewall_apps',
+    title: 'List Firewall Apps',
+    description: 'List applications with firewall toggle and SecureNow IPDB threshold state.',
+    scope: 'applications:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/firewall/apps',
+    inputSchema: objectSchema({}),
+  },
+  {
+    name: 'securenow_firewall_status',
+    title: 'Firewall Status',
+    description: 'Show firewall blocklist/allowlist status for the authenticated account.',
+    scope: 'firewall:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/firewall/status',
+    inputSchema: objectSchema({}),
+  },
+  {
+    name: 'securenow_firewall_enable',
+    title: 'Enable App Firewall',
+    description: 'Turn the per-app firewall ON. Write action; requires confirmation.',
+    scope: 'applications:write',
+    readOnly: false,
+    confirm: true,
+    method: 'PATCH',
+    endpoint: '/firewall/app/:appKey',
+    pathParams: ['appKey'],
+    fixedBody: { enabled: true },
+    inputSchema: objectSchema({
+      appKey: string('Application key UUID.'),
+      ...confirmSchema,
+    }, ['appKey', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_firewall_disable',
+    title: 'Disable App Firewall',
+    description: 'Turn the per-app firewall OFF. Write action; requires confirmation.',
+    scope: 'applications:write',
+    readOnly: false,
+    destructive: true,
+    confirm: true,
+    method: 'PATCH',
+    endpoint: '/firewall/app/:appKey',
+    pathParams: ['appKey'],
+    fixedBody: { enabled: false },
+    inputSchema: objectSchema({
+      appKey: string('Application key UUID.'),
+      ...confirmSchema,
+    }, ['appKey', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_firewall_set_threshold',
+    title: 'Set SecureNow IPDB Threshold',
+    description: 'Set the per-app SecureNow IPDB confidence threshold. Write action; requires confirmation.',
+    scope: 'applications:write',
+    readOnly: false,
+    confirm: true,
+    method: 'PATCH',
+    endpoint: '/firewall/app/:appKey',
+    pathParams: ['appKey'],
+    bodyFields: ['confidenceMinimum'],
+    inputSchema: objectSchema({
+      appKey: string('Application key UUID.'),
+      confidenceMinimum: number('Minimum SecureNow IPDB abuse confidence score.', { minimum: 0, maximum: 100 }),
+      ...confirmSchema,
+    }, ['appKey', 'confidenceMinimum', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_firewall_test_ip',
+    title: 'Test Firewall IP Decision',
+    description: 'Check whether an IP would be blocked by the firewall.',
+    scope: 'firewall:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/firewall/check/:ip',
+    pathParams: ['ip'],
+    inputSchema: objectSchema({
+      ip: string('IPv4 address to test.'),
+    }, ['ip']),
+  },
+  {
+    name: 'securenow_traces_list',
+    title: 'List Traces',
+    description: 'List recent traces for one or more applications.',
+    scope: 'traces:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/traces',
+    queryFields: ['appKeys', 'from', 'to', 'limit'],
+    normalize: { appKeys: normalizeAppKeys },
+    inputSchema: objectSchema({
+      ...appKeysInput,
+      ...timeRangeInput,
+      limit: number('Maximum traces to return.', { minimum: 1, maximum: 200 }),
+    }, ['appKeys']),
+  },
+  {
+    name: 'securenow_traces_show',
+    title: 'Show Trace',
+    description: 'Show spans for a trace id scoped to one or more app keys.',
+    scope: 'traces:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/traces/:traceId',
+    pathParams: ['traceId'],
+    queryFields: ['appKeys'],
+    normalize: { appKeys: normalizeAppKeys },
+    inputSchema: objectSchema({
+      traceId: string('Trace id.'),
+      ...appKeysInput,
+    }, ['traceId', 'appKeys']),
+  },
+  {
+    name: 'securenow_logs_list',
+    title: 'List Logs',
+    description: 'List recent logs for one or more applications.',
+    scope: 'logs:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/logs',
+    queryFields: ['appKeys', 'from', 'to', 'severity', 'limit'],
+    normalize: { appKeys: normalizeAppKeys },
+    inputSchema: objectSchema({
+      ...appKeysInput,
+      ...timeRangeInput,
+      severity: string('Optional severity filter.'),
+      limit: number('Maximum logs to return.', { minimum: 1, maximum: 500 }),
+    }, ['appKeys']),
+  },
+  {
+    name: 'securenow_logs_for_trace',
+    title: 'Logs For Trace',
+    description: 'Show logs correlated to a trace id.',
+    scope: 'logs:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/logs/trace/:traceId',
+    pathParams: ['traceId'],
+    queryFields: ['appKeys'],
+    normalize: { appKeys: normalizeAppKeys },
+    inputSchema: objectSchema({
+      traceId: string('Trace id.'),
+      ...appKeysInput,
+    }, ['traceId', 'appKeys']),
+  },
+  {
+    name: 'securenow_notifications_list',
+    title: 'List Notifications',
+    description: 'List security notifications.',
+    scope: 'notifications:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/notifications',
+    queryFields: ['limit', 'page'],
+    inputSchema: objectSchema({ ...pagingInput }),
+  },
+  {
+    name: 'securenow_notifications_unread',
+    title: 'Unread Notification Count',
+    description: 'Return unread notification count.',
+    scope: 'notifications:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/notifications/unread-count',
+    inputSchema: objectSchema({}),
+  },
+  {
+    name: 'securenow_notifications_read',
+    title: 'Mark Notification Read',
+    description: 'Mark a notification as read. Write action; requires confirmation.',
+    scope: 'notifications:write',
+    readOnly: false,
+    confirm: true,
+    method: 'PUT',
+    endpoint: '/notifications/:id/read',
+    pathParams: ['id'],
+    inputSchema: objectSchema({
+      id: string('Notification id.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_ip_lookup',
+    title: 'IP Intelligence Lookup',
+    description: 'Look up SecureNow IP intelligence for an IP address.',
+    scope: 'ip_intel:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/ip/:ip',
+    pathParams: ['ip'],
+    inputSchema: objectSchema({
+      ip: string('IPv4 address.'),
+    }, ['ip']),
+  },
+  {
+    name: 'securenow_ip_traces',
+    title: 'IP Traces',
+    description: 'Fetch traces associated with an IP address.',
+    scope: 'ip_intel:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/ip/:ip/traces',
+    pathParams: ['ip'],
+    inputSchema: objectSchema({
+      ip: string('IPv4 address.'),
+    }, ['ip']),
+  },
+  {
+    name: 'securenow_forensics_query',
+    title: 'Run Forensics Query',
+    description: 'Run a natural-language forensic query. Write scope because it creates an async query job.',
+    scope: 'forensics:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/forensics/query',
+    bodyFields: ['query', 'applicationId', 'instanceId'],
+    inputSchema: objectSchema({
+      query: string('Natural-language forensic query.'),
+      applicationId: string('Optional application database id.'),
+      instanceId: string('Optional ClickHouse instance id.'),
+      ...confirmSchema,
+    }, ['query', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_forensics_library',
+    title: 'Forensics Query Library',
+    description: 'List saved forensics queries.',
+    scope: 'forensics:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/forensics/query-library',
+    inputSchema: objectSchema({}),
+  },
+  {
+    name: 'securenow_analytics_summary',
+    title: 'Analytics Summary',
+    description: 'Fetch response analytics summary.',
+    scope: 'analytics:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/analytics/summary',
+    queryFields: ['instanceId'],
+    inputSchema: objectSchema({
+      instanceId: string('Optional ClickHouse instance id.'),
+    }),
+  },
+  {
+    name: 'securenow_blocklist_list',
+    title: 'List Blocklist',
+    description: 'List blocked IPs.',
+    scope: 'blocklist:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/blocklist',
+    queryFields: ['page', 'limit'],
+    inputSchema: objectSchema({ ...pagingInput }),
+  },
+  {
+    name: 'securenow_blocklist_add',
+    title: 'Add Blocked IP',
+    description: 'Add an IP/CIDR to the blocklist. Write action; requires confirmation.',
+    scope: 'blocklist:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/blocklist',
+    bodyFields: ['ip', 'reason', 'expiresAt', 'metadata'],
+    inputSchema: objectSchema({
+      ip: string('IPv4 address or CIDR.'),
+      reason: string('Reason for blocking.'),
+      expiresAt: string('Optional expiry time as ISO 8601.'),
+      metadata: { type: 'object', additionalProperties: true, description: 'Optional metadata.' },
+      ...confirmSchema,
+    }, ['ip', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_blocklist_remove',
+    title: 'Remove Blocked IP',
+    description: 'Remove a blocklist entry. Write action; requires confirmation.',
+    scope: 'blocklist:write',
+    readOnly: false,
+    confirm: true,
+    method: 'DELETE',
+    endpoint: '/blocklist/:id',
+    pathParams: ['id'],
+    inputSchema: objectSchema({
+      id: string('Blocklist entry id.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_blocklist_stats',
+    title: 'Blocklist Stats',
+    description: 'Return blocklist statistics.',
+    scope: 'blocklist:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/blocklist/stats',
+    inputSchema: objectSchema({}),
+  },
+  {
+    name: 'securenow_allowlist_list',
+    title: 'List Allowlist',
+    description: 'List allowed IPs.',
+    scope: 'allowlist:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/allowlist',
+    queryFields: ['page', 'limit'],
+    inputSchema: objectSchema({ ...pagingInput }),
+  },
+  {
+    name: 'securenow_allowlist_add',
+    title: 'Add Allowed IP',
+    description: 'Add an IP/CIDR to the allowlist. Write action; requires confirmation.',
+    scope: 'allowlist:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/allowlist',
+    bodyFields: ['ip', 'label', 'reason', 'expiresAt', 'applicationsAll', 'applicationKeys'],
+    inputSchema: objectSchema({
+      ip: string('IPv4 address or CIDR.'),
+      label: string('Human-readable label.'),
+      reason: string('Reason for allowing.'),
+      expiresAt: string('Optional expiry time as ISO 8601.'),
+      applicationsAll: boolean('Apply to all applications.'),
+      applicationKeys: arrayOfStrings('Application keys to scope this allowlist entry to.'),
+      ...confirmSchema,
+    }, ['ip', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_allowlist_remove',
+    title: 'Remove Allowed IP',
+    description: 'Remove an allowlist entry. Write action; requires confirmation.',
+    scope: 'allowlist:write',
+    readOnly: false,
+    confirm: true,
+    method: 'DELETE',
+    endpoint: '/allowlist/:id',
+    pathParams: ['id'],
+    inputSchema: objectSchema({
+      id: string('Allowlist entry id.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_trusted_list',
+    title: 'List Trusted IPs',
+    description: 'List trusted IPs.',
+    scope: 'trusted_ips:read',
+    readOnly: true,
+    method: 'GET',
+    endpoint: '/trusted-ips',
+    inputSchema: objectSchema({}),
+  },
+  {
+    name: 'securenow_trusted_add',
+    title: 'Add Trusted IP',
+    description: 'Add a trusted IP/CIDR. Write action; requires confirmation.',
+    scope: 'trusted_ips:write',
+    readOnly: false,
+    confirm: true,
+    method: 'POST',
+    endpoint: '/trusted-ips',
+    bodyFields: ['ip', 'label', 'note', 'applicationsAll', 'applicationKeys'],
+    inputSchema: objectSchema({
+      ip: string('IPv4 address or CIDR.'),
+      label: string('Human-readable label.'),
+      note: string('Optional note.'),
+      applicationsAll: boolean('Apply to all applications.'),
+      applicationKeys: arrayOfStrings('Application keys to scope this trusted IP to.'),
+      ...confirmSchema,
+    }, ['ip', 'confirm', 'reason']),
+  },
+  {
+    name: 'securenow_trusted_remove',
+    title: 'Remove Trusted IP',
+    description: 'Remove a trusted IP entry. Write action; requires confirmation.',
+    scope: 'trusted_ips:write',
+    readOnly: false,
+    confirm: true,
+    method: 'DELETE',
+    endpoint: '/trusted-ips/:id',
+    pathParams: ['id'],
+    inputSchema: objectSchema({
+      id: string('Trusted IP entry id.'),
+      ...confirmSchema,
+    }, ['id', 'confirm', 'reason']),
+  },
+];
+
+const RESOURCES = [
+  {
+    uri: 'securenow://docs/skill-api',
+    name: 'skill-api',
+    title: 'SecureNow SDK Skill',
+    description: 'Installed SDK skill instructions from SKILL-API.md.',
+    mimeType: MARKDOWN,
+    file: '../SKILL-API.md',
+  },
+  {
+    uri: 'securenow://docs/skill-cli',
+    name: 'skill-cli',
+    title: 'SecureNow CLI Skill',
+    description: 'Installed CLI skill instructions from SKILL-CLI.md.',
+    mimeType: MARKDOWN,
+    file: '../SKILL-CLI.md',
+  },
+  {
+    uri: 'securenow://docs/npm-readme',
+    name: 'npm-readme',
+    title: 'SecureNow npm README',
+    description: 'Installed npm README.',
+    mimeType: MARKDOWN,
+    file: '../NPM_README.md',
+  },
+  {
+    uri: 'securenow://project/config',
+    name: 'project-config',
+    title: 'SecureNow Project Config',
+    description: 'Resolved local SecureNow config and masked credentials.',
+    mimeType: JSON_MIME,
+    dynamic: 'projectConfig',
+  },
+  {
+    uri: 'securenow://tools/catalog',
+    name: 'tools-catalog',
+    title: 'SecureNow MCP Tool Catalog',
+    description: 'MCP tool names, scopes, and write/read classification.',
+    mimeType: JSON_MIME,
+    dynamic: 'toolsCatalog',
+  },
+];
+
+const PROMPTS = [
+  {
+    name: 'secure_project_setup',
+    title: 'Secure Project Setup',
+    description: 'Generic framework setup prompt for SecureNow tracing, logs, body capture, multipart, and firewall defaults.',
+    arguments: [
+      { name: 'projectRoot', description: 'Project root to configure.', required: false },
+    ],
+  },
+  {
+    name: 'verify_firewall_default_on',
+    title: 'Verify Default-On Firewall',
+    description: 'Verify SecureNow CLI login, app firewall toggle, credentials, and SDK defaults.',
+    arguments: [
+      { name: 'appKey', description: 'Optional SecureNow app key.', required: false },
+    ],
+  },
+  {
+    name: 'investigate_ip',
+    title: 'Investigate IP',
+    description: 'Investigate an IP with SecureNow IP intelligence, traces, logs, and remediation options.',
+    arguments: [
+      { name: 'ip', description: 'IP address to investigate.', required: true },
+      { name: 'appKeys', description: 'Optional comma-separated app keys.', required: false },
+    ],
+  },
+];
+
+function promptMessages(name, args = {}) {
+  if (name === 'secure_project_setup') {
+    return [
+      {
+        role: 'user',
+        content: {
+          type: 'text',
+          text: [
+            'Set up SecureNow end-to-end for this JavaScript/TypeScript project.',
+            args.projectRoot ? `Project root: ${args.projectRoot}` : null,
+            'Install or upgrade to securenow@7.5.0 or newer first.',
+            'Run npx securenow whoami. If not logged in, run npx securenow login and stop until the browser flow completes.',
+            'After login, verify whoami succeeds and that .securenow/credentials.json contains the selected app and firewall API key.',
+            'Use the least invasive integration for the detected framework.',
+            'Keep tracing, logs, POST body capture, multipart metadata capture, and the per-app firewall enabled by default.',
+            'Verify with build/test plus npx securenow firewall apps/status and npx securenow env/doctor when available.',
+          ].filter(Boolean).join('\n'),
+        },
+      },
+    ];
+  }
+
+  if (name === 'verify_firewall_default_on') {
+    return [
+      {
+        role: 'user',
+        content: {
+          type: 'text',
+          text: [
+            'Verify SecureNow default-on protection for this project.',
+            args.appKey ? `App key: ${args.appKey}` : null,
+            'Check npx securenow whoami, npx securenow api-key show, npx securenow firewall apps, and npx securenow firewall status.',
+            'Confirm traces, logs, SECURENOW_CAPTURE_BODY, SECURENOW_CAPTURE_MULTIPART, and firewall are enabled by default unless explicitly set to 0.',
+            'Do not print full tokens or API keys.',
+          ].filter(Boolean).join('\n'),
+        },
+      },
+    ];
+  }
+
+  if (name === 'investigate_ip') {
+    return [
+      {
+        role: 'user',
+        content: {
+          type: 'text',
+          text: [
+            `Investigate IP ${args.ip || '<ip>'} with SecureNow.`,
+            args.appKeys ? `Scope to app keys: ${args.appKeys}` : null,
+            'Use IP intelligence first, then related traces/logs, then recommend remediation.',
+            'Only block, allow, or trust the IP after explicit user confirmation.',
+          ].filter(Boolean).join('\n'),
+        },
+      },
+    ];
+  }
+
+  throw new Error(`Unknown prompt: ${name}`);
+}
+
+function getTool(name) {
+  return TOOLS.find((tool) => tool.name === name) || null;
+}
+
+function mcpToolDefinition(tool) {
+  return {
+    name: tool.name,
+    title: tool.title,
+    description: tool.description,
+    inputSchema: tool.inputSchema || objectSchema({}),
+    annotations: {
+      readOnlyHint: !!tool.readOnly,
+      destructiveHint: !!tool.destructive,
+      idempotentHint: !!tool.readOnly,
+  },
+};
+}
+
+function listTools() {
+  return TOOLS.map(mcpToolDefinition);
+}
+
+function listResources() {
+  return RESOURCES.map(({ file, dynamic, ...resource }) => resource);
+}
+
+function listPrompts() {
+  return PROMPTS;
+}
+
+function assertConfirmed(tool, args = {}) {
+  if (!tool.confirm) return;
+  if (args.confirm !== true) {
+    throw new Error(`${tool.name} is a write action. Pass confirm:true and a reason to proceed.`);
+  }
+  if (!args.reason || !String(args.reason).trim()) {
+    throw new Error(`${tool.name} requires a non-empty reason.`);
+  }
+}
+
+function buildApiRequest(tool, rawArgs = {}) {
+  const args = { ...rawArgs };
+  let endpoint = tool.endpoint;
+
+  for (const key of tool.pathParams || []) {
+    if (args[key] == null || args[key] === '') throw new Error(`Missing required argument: ${key}`);
+    endpoint = endpoint.replace(`:${key}`, encodeURIComponent(String(args[key])));
+  }
+
+  const query = {};
+  for (const key of tool.queryFields || []) {
+    let value = args[key];
+    if (tool.normalize && typeof tool.normalize[key] === 'function') {
+      value = tool.normalize[key](value);
+    }
+    if (value != null && value !== '') query[key] = value;
+  }
+
+  const body = { ...(tool.fixedBody || {}) };
+  for (const key of tool.bodyFields || []) {
+    let value = args[key];
+    if (tool.normalize && typeof tool.normalize[key] === 'function') {
+      value = tool.normalize[key](value);
+    }
+    if (value != null && value !== '') body[key] = value;
+  }
+
+  return {
+    method: tool.method,
+    endpoint,
+    query,
+    body: Object.keys(body).length > 0 ? body : null,
+  };
+}
+
+function readStaticResource(resource) {
+  const filepath = path.resolve(__dirname, resource.file);
+  return fs.readFileSync(filepath, 'utf8');
+}
+
+function resourceContent(resource, dynamicHandlers = {}) {
+  if (resource.file) return readStaticResource(resource);
+  if (resource.dynamic && dynamicHandlers[resource.dynamic]) {
+    return dynamicHandlers[resource.dynamic]();
+  }
+  throw new Error(`Resource is not readable: ${resource.uri}`);
+}
+
+module.exports = {
+  TOOLS,
+  RESOURCES,
+  PROMPTS,
+  TEXT,
+  JSON_MIME,
+  MARKDOWN,
+  getTool,
+  mcpToolDefinition,
+  listTools,
+  listResources,
+  listPrompts,
+  promptMessages,
+  assertConfirmed,
+  buildApiRequest,
+  resourceContent,
+  jsonText,
+  maskSecret,
+  sanitizeArgs,
+};