npm - snow-flow - Versions diffs - 11.0.0 → 11.0.2 - Mend

snow-flow 11.0.0 → 11.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/Dockerfile.mcp-http +52 -0
package/bin/index.js.map +1 -1
package/bin/worker.js.map +1 -1
package/package.json +1 -1
package/src/servicenow/servicenow-mcp-unified/transports/http-entry.ts +89 -0
package/src/servicenow/servicenow-mcp-unified/transports/http-resolver.ts +89 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json.schemastore.org/package.json",
-  "version": "11.0.0",
+  "version": "11.0.2",
   "name": "snow-flow",
   "description": "Snow-Flow - ServiceNow Multi-Agent Development Framework powered by AI",
   "license": "Elastic-2.0",

package/src/servicenow/servicenow-mcp-unified/transports/http-entry.ts ADDED Viewed

@@ -0,0 +1,89 @@
+#!/usr/bin/env bun
+/**
+ * MCP HTTP Server — Bun entry point
+ * ----------------------------------------------------------------------
+ * Starts the Hono-based MCP server on a fixed port and wires up an HTTP
+ * callback-based `ContextResolver` (see http-resolver.ts) so that tenant
+ * credential resolution lives in the deployment that owns the tenant DB
+ * (e.g. snow-flow-enterprise's portal backend), not in this image.
+ *
+ * Env vars (all required at runtime):
+ *   MCP_RESOLVER_URL      — full URL of the downstream resolver endpoint
+ *   MCP_INTERNAL_TOKEN    — shared secret sent on `X-Internal-Auth`
+ *   MCP_HTTP_PORT         — listen port (default 8082)
+ *
+ * Intended runtime: Bun. The image is built from `Dockerfile.mcp-http`
+ * and published as `ghcr.io/groeimetai/snow-flow-mcp-http`. Callers that
+ * need to self-host can also run it via `bun run http-entry.ts`.
+ */
+import { toolRegistry } from "../shared/tool-registry.js"
+import { createHttpApp } from "./http.js"
+import { createHttpResolver } from "./http-resolver.js"
+import { mcpDebug, mcpWarn } from "../../shared/mcp-debug.js"
+async function main(): Promise<void> {
+  const resolverUrl = process.env.MCP_RESOLVER_URL
+  const internalToken = process.env.MCP_INTERNAL_TOKEN
+  const port = Number(process.env.MCP_HTTP_PORT ?? 8082)
+  if (!resolverUrl || !internalToken) {
+    throw new Error(
+      "mcp-http entry requires MCP_RESOLVER_URL and MCP_INTERNAL_TOKEN env vars. " +
+        "See transports/http-resolver.ts for the contract the endpoint must implement.",
+    )
+  }
+  mcpDebug("[mcp-http] discovering tools…")
+  const discovery = await toolRegistry.initialize()
+  mcpDebug(
+    `[mcp-http] tool discovery done: ${discovery.toolsRegistered} registered, ` +
+      `${discovery.toolsFailed} failed across ${discovery.domains.length} domains`,
+  )
+  if (discovery.toolsFailed > 0) {
+    for (const err of discovery.errors) {
+      mcpWarn(`[mcp-http] tool load failed: ${err.filePath} — ${err.error}`)
+    }
+  }
+  const app = createHttpApp({
+    resolveContext: createHttpResolver({ url: resolverUrl, internalToken }),
+  })
+  // Bun's native server. Runs on Node too via `@hono/node-server`, but the
+  // published image is Bun-based so we use the built-in server here.
+  const server = (globalThis as any).Bun?.serve?.({ fetch: app.fetch, port })
+  if (!server) {
+    throw new Error(
+      "Bun.serve is not available. This entry point is intended for the Bun runtime " +
+        "shipped with Dockerfile.mcp-http.",
+    )
+  }
+  mcpDebug(`[mcp-http] listening on :${port}`)
+  mcpDebug(`[mcp-http] resolver endpoint: ${resolverUrl}`)
+  const shutdown = async (signal: string) => {
+    mcpDebug(`[mcp-http] received ${signal}, stopping…`)
+    try {
+      await server.stop?.(true)
+    } catch {
+      // ignore
+    }
+    process.exit(0)
+  }
+  process.on("SIGINT", () => {
+    shutdown("SIGINT").catch(() => process.exit(1))
+  })
+  process.on("SIGTERM", () => {
+    shutdown("SIGTERM").catch(() => process.exit(1))
+  })
+}
+main().catch((err: unknown) => {
+  const msg = err instanceof Error ? err.message : String(err)
+  // eslint-disable-next-line no-console
+  console.error(`[mcp-http] fatal: ${msg}`)
+  process.exit(1)
+})

package/src/servicenow/servicenow-mcp-unified/transports/http-resolver.ts ADDED Viewed

@@ -0,0 +1,89 @@
+/**
+ * Generic HTTP-callback context resolver.
+ *
+ * Called by the mcp-http container for every inbound MCP request. Instead
+ * of resolving the tenant + credentials locally (which would require the
+ * OS image to know about the portal DB schema + KMS), this helper forwards
+ * the inbound Bearer JWT to a caller-configured endpoint that performs the
+ * real resolution. The endpoint is expected to return a JSON body shaped
+ * exactly like `RequestContext`.
+ *
+ * Design intent
+ * -------------
+ * The OS repo ships the MCP infrastructure but knows nothing about how
+ * tenants are identified or where their ServiceNow credentials live. A
+ * downstream deployment (e.g. snow-flow-enterprise) runs this image as the
+ * `mcp-http` container, points `MCP_RESOLVER_URL` at its own HTTP endpoint,
+ * and hands out a shared-secret token so only the mcp-http container can
+ * call that endpoint.
+ *
+ * Env vars consumed by `createHttpResolver()`:
+ *   MCP_RESOLVER_URL      — full URL of the downstream resolver endpoint
+ *   MCP_INTERNAL_TOKEN    — shared secret the endpoint verifies on the
+ *                           `X-Internal-Auth` header. Keeps the endpoint
+ *                           closed to anyone else on the docker network.
+ */
+import { ContextResolver } from "../handlers/types.js"
+export interface HttpResolverOptions {
+  /**
+   * Full URL of the resolver endpoint. Example:
+   *   http://portal:3000/api/internal/mcp-resolve
+   */
+  url: string
+  /**
+   * Shared secret set in `X-Internal-Auth` on every call. Must match the
+   * value configured on the resolver endpoint side.
+   */
+  internalToken: string
+  /**
+   * Per-call timeout in ms. Defaults to 5000.
+   */
+  timeoutMs?: number
+}
+/**
+ * Build a `ContextResolver` that forwards each inbound request to
+ * `opts.url`. The returned function is the exact type `createHttpApp`
+ * expects for its `resolveContext` dependency.
+ */
+export const createHttpResolver = (opts: HttpResolverOptions): ContextResolver => {
+  const timeoutMs = opts.timeoutMs ?? 5000
+  return async (request: any) => {
+    const headers = (request as any)?.headers ?? {}
+    // Forward the caller's Bearer token verbatim — the resolver endpoint
+    // is the thing that knows how to verify it.
+    const authorization =
+      headers.authorization ?? headers.Authorization ?? headers.AUTHORIZATION ?? ""
+    const controller = new AbortController()
+    const timer = setTimeout(() => controller.abort(), timeoutMs)
+    try {
+      const response = await fetch(opts.url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-Internal-Auth": opts.internalToken,
+        },
+        body: JSON.stringify({ authorization }),
+        signal: controller.signal,
+      })
+      if (!response.ok) {
+        const body = await response.text().catch(() => "")
+        throw new Error(
+          `mcp-resolver endpoint returned ${response.status}: ${body.slice(0, 200)}`,
+        )
+      }
+      return (await response.json()) as Awaited<ReturnType<ContextResolver>>
+    } finally {
+      clearTimeout(timer)
+    }
+  }
+}