terra-mcp-google 0.1.11

package/README.md

@@ -0,0 +1,57 @@
+# terra-mcp — Google Drive + Sheets MCP server
+
+Read/write access to your **Google Drive** and **Sheets**. OAuth + PKCE login — only the public
+client ID ships in npm, consent happens in browser, token is cached and auto-refreshed.
+
+## Quick start
+
+```bash
+npm install -g terra-mcp-google
+terra-mcp auth login          # browser consent, caches token
+terra-mcp client codex        # print safe (read-only) MCP config
+```
+
+## CLI
+
+| Command | Does |
+| --- | --- |
+| `auth login` / `logout` / `status` | sign in / out / show account, scopes, expiry |
+| `setup` | check config dir + auth, print MCP config for all clients |
+| `client [codex\|claude\|copilot\|kiro\|all]` | print MCP config with **mutating tools disabled** (`--include-dangerous` keeps them) |
+| *(no command)* | start the stdio server |
+
+## Tools
+
+**Auth** — sign-in/out are CLI-only (`terra-mcp auth login`/`logout`).
+
+| Tool | Does |
+| --- | --- |
+| `google_auth_status` | show signed-in account, granted scopes, token expiry |
+
+**Drive**
+
+| Tool | Does |
+| --- | --- |
+| `drive_list_files` | list / search files (Drive `q` query, pagination) |
+| `drive_get_file` | get file metadata by ID |
+| `drive_download_file` | download or export content (Google-native files → csv/txt/pdf/…) |
+| `drive_create_folder` | create a folder |
+| `drive_upload_file` | upload inline text or a local file |
+| `drive_update_file` | rename, move, or replace content |
+| `drive_copy_file` | duplicate a file |
+| `drive_delete_file` | trash (default) or permanently delete |
+
+**Sheets**
+
+| Tool | Does |
+| --- | --- |
+| `sheets_create_spreadsheet` | create a spreadsheet |
+| `sheets_get_spreadsheet` | list tabs and their dimensions |
+| `sheets_read_range` | read one A1 range, or many at once (pass an array of ranges) |
+| `sheets_write_range` | overwrite values in one A1 range, or many at once (pass `data`) |
+| `sheets_append_rows` | append rows after the last row of a table |
+| `sheets_clear_range` | clear values in a range |
+| `sheets_add_sheet` / `sheets_delete_sheet` | add / remove a tab |
+| `sheets_format_cells` | format a cell range (colors, bold, font size, alignment) |
+| `sheets_set_data_validation` | set a dropdown (list) rule on a range |
+| `sheets_batch_update` | escape hatch: raw `spreadsheets.batchUpdate` requests (merge, borders, sort, …) |

package/dist/cli.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/cli.js

@@ -0,0 +1,94 @@
+#!/usr/bin/env node
+import { Command, Option } from "commander";
+import { clearToken, getAuthStatus, runLoginFlow } from "./google/auth.js";
+import { SERVER_VERSION, TOKEN_PATH } from "./config/constants.js";
+import { startServer } from "./index.js";
+import { configReport, parseClient, runSetup } from "./setup/setup.js";
+const CLIENT_CHOICES = ["codex", "claude", "copilot", "kiro", "all"];
+async function login() {
+    console.error("Starting Google sign-in... a browser window will open.\n");
+    const result = await runLoginFlow({
+        openBrowser: true,
+        onUrl: (url) => {
+            console.error(`If the browser didn't open, visit:\n${url}\n`);
+        },
+    });
+    console.error(`\nSigned in${result.email ? ` as ${result.email}` : ""}.`);
+    console.error(`Token saved to ${TOKEN_PATH}`);
+    console.error(`Granted scopes: ${result.scopes.join(", ")}`);
+}
+async function logout() {
+    const removed = await clearToken();
+    console.error(removed ? `Signed out — cached token deleted (${TOKEN_PATH}).` : "No cached token to remove.");
+}
+async function status() {
+    const result = await getAuthStatus();
+    if (!result.authenticated) {
+        console.error("Not signed in. Run `terra-mcp auth login` to sign in.");
+        return;
+    }
+    console.error(`Signed in${result.email ? ` as ${result.email}` : ""}.`);
+    if (result.scopes?.length)
+        console.error(`Granted scopes: ${result.scopes.join(", ")}`);
+    if (result.expiryDate)
+        console.error(`Access token expires: ${new Date(result.expiryDate).toISOString()}`);
+}
+function buildProgram() {
+    const program = new Command();
+    program
+        .name("terra-mcp")
+        .description("Kozocom Google Drive & Sheets MCP server")
+        .version(SERVER_VERSION);
+    // Default action (`terra-mcp` with no subcommand) starts the server.
+    program
+        .command("start", { isDefault: true })
+        .alias("server")
+        .description("Start the MCP server over stdio")
+        .action(async () => {
+        await startServer();
+    });
+    // `auth` group: manage the cached Google OAuth credentials.
+    const auth = program.command("auth").description("Manage Google sign-in (login / logout / status)");
+    auth
+        .command("login")
+        .description("Sign in to Google and cache the OAuth token")
+        .action(async () => {
+        await login();
+    });
+    auth
+        .command("logout")
+        .description("Delete the cached Google OAuth token")
+        .action(async () => {
+        await logout();
+    });
+    auth
+        .command("status")
+        .description("Show the signed-in account, scopes, and token expiry")
+        .action(async () => {
+        await status();
+    });
+    program
+        .command("setup")
+        .description("Check setup and print MCP config (sign in with `auth login`)")
+        .addOption(new Option("-c, --client <client>", "MCP client to configure").choices(CLIENT_CHOICES))
+        .option("-y, --yes", "Accept defaults without prompting")
+        .action(async (opts) => {
+        await runSetup({ client: opts.client, yes: opts.yes });
+    });
+    program
+        .command("client [agent]")
+        .description("Print MCP config for a coding agent with dangerous tools disabled")
+        .option("--include-dangerous", "Keep destructive tools enabled (not recommended)", false)
+        .action((agent, opts) => {
+        const client = parseClient(agent) ?? "all";
+        console.log(configReport({ client, safeMode: !opts.includeDangerous }));
+    });
+    return program;
+}
+buildProgram()
+    .parseAsync(process.argv)
+    .catch((error) => {
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exit(1);
+});
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAC3E,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnE,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAmB,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAExF,MAAM,cAAc,GAAG,CAAC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,CAAU,CAAC;AAE9E,KAAK,UAAU,KAAK;IAClB,OAAO,CAAC,KAAK,CAAC,0DAA0D,CAAC,CAAC;IAC1E,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC;QAChC,WAAW,EAAE,IAAI;QACjB,KAAK,EAAE,CAAC,GAAG,EAAE,EAAE;YACb,OAAO,CAAC,KAAK,CAAC,uCAAuC,GAAG,IAAI,CAAC,CAAC;QAChE,CAAC;KACF,CAAC,CAAC;IACH,OAAO,CAAC,KAAK,CAAC,cAAc,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC1E,OAAO,CAAC,KAAK,CAAC,kBAAkB,UAAU,EAAE,CAAC,CAAC;IAC9C,OAAO,CAAC,KAAK,CAAC,mBAAmB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAC/D,CAAC;AAED,KAAK,UAAU,MAAM;IACnB,MAAM,OAAO,GAAG,MAAM,UAAU,EAAE,CAAC;IACnC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,sCAAsC,UAAU,IAAI,CAAC,CAAC,CAAC,4BAA4B,CAAC,CAAC;AAC/G,CAAC;AAED,KAAK,UAAU,MAAM;IACnB,MAAM,MAAM,GAAG,MAAM,aAAa,EAAE,CAAC;IACrC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;QAC1B,OAAO,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;QACvE,OAAO;IACT,CAAC;IACD,OAAO,CAAC,KAAK,CAAC,YAAY,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACxE,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM;QAAE,OAAO,CAAC,KAAK,CAAC,mBAAmB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACxF,IAAI,MAAM,CAAC,UAAU;QAAE,OAAO,CAAC,KAAK,CAAC,yBAAyB,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;AAC7G,CAAC;AAED,SAAS,YAAY;IACnB,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;IAE9B,OAAO;SACJ,IAAI,CAAC,WAAW,CAAC;SACjB,WAAW,CAAC,0CAA0C,CAAC;SACvD,OAAO,CAAC,cAAc,CAAC,CAAC;IAE3B,qEAAqE;IACrE,OAAO;SACJ,OAAO,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;SACrC,KAAK,CAAC,QAAQ,CAAC;SACf,WAAW,CAAC,iCAAiC,CAAC;SAC9C,MAAM,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,WAAW,EAAE,CAAC;IACtB,CAAC,CAAC,CAAC;IAEL,4DAA4D;IAC5D,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,WAAW,CAAC,iDAAiD,CAAC,CAAC;IACpG,IAAI;SACD,OAAO,CAAC,OAAO,CAAC;SAChB,WAAW,CAAC,6CAA6C,CAAC;SAC1D,MAAM,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,KAAK,EAAE,CAAC;IAChB,CAAC,CAAC,CAAC;IACL,IAAI;SACD,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,sCAAsC,CAAC;SACnD,MAAM,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,MAAM,EAAE,CAAC;IACjB,CAAC,CAAC,CAAC;IACL,IAAI;SACD,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,sDAAsD,CAAC;SACnE,MAAM,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,MAAM,EAAE,CAAC;IACjB,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,OAAO,CAAC;SAChB,WAAW,CAAC,8DAA8D,CAAC;SAC3E,SAAS,CACR,IAAI,MAAM,CAAC,uBAAuB,EAAE,yBAAyB,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,CACvF;SACA,MAAM,CAAC,WAAW,EAAE,mCAAmC,CAAC;SACxD,MAAM,CAAC,KAAK,EAAE,IAA4C,EAAE,EAAE;QAC7D,MAAM,QAAQ,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,gBAAgB,CAAC;SACzB,WAAW,CAAC,mEAAmE,CAAC;SAChF,MAAM,CAAC,qBAAqB,EAAE,kDAAkD,EAAE,KAAK,CAAC;SACxF,MAAM,CAAC,CAAC,KAAyB,EAAE,IAAmC,EAAE,EAAE;QACzE,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;QAC3C,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEL,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,YAAY,EAAE;KACX,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC;KACxB,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IACf,OAAO,CAAC,KAAK,CAAC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/config/constants.d.ts

@@ -0,0 +1,43 @@
+/** Server identity reported to MCP clients. */
+export declare const SERVER_NAME = "kozocom-google-mcp-server";
+export declare const SERVER_VERSION = "0.1.0";
+/** Full read/write Drive scope — gates the `drive_*` tools. */
+export declare const DRIVE_SCOPE = "https://www.googleapis.com/auth/drive";
+/** Full read/write Sheets scope — gates the `sheets_*` tools. */
+export declare const SHEETS_SCOPE = "https://www.googleapis.com/auth/spreadsheets";
+/** Sign-in scopes, always requested. Let us show which account is signed in. */
+export declare const IDENTITY_SCOPES: string[];
+/**
+ * OAuth scopes requested at login. Full read/write for both Drive and Sheets.
+ * Google's granular consent screen lets the user grant only some of these; the
+ * server then registers only the tools whose scope was actually granted (see
+ * `selectGoogleTools`). Changing these requires re-running login (delete the
+ * cached token first).
+ */
+export declare const SCOPES: string[];
+/** Directory holding the optional OAuth client config and cached token. */
+export declare const CONFIG_DIR: string;
+/** Path to an optional downloaded Google OAuth client JSON. */
+export declare const CLIENT_SECRET_PATH: string;
+/** Path to the cached OAuth token (access + refresh). */
+export declare const TOKEN_PATH: string;
+/**
+ * OAuth token-exchange proxy. Google "Desktop" clients are confidential — the
+ * token endpoint requires `client_secret` even with PKCE. To keep the secret out
+ * of the published package, the CLI does the PKCE authorize step itself and posts
+ * the resulting `code` (and later, refresh tokens) to this Worker, which holds the
+ * secret and completes the exchange. See the `quang-mcp-auth-proxy` repo.
+ */
+export declare const TOKEN_PROXY_URL: string;
+/**
+ * Shared deterrent key sent to the proxy in `x-proxy-key`. This ships in the
+ * package, so it is NOT a secret — just a casual-abuse speed bump. The real
+ * protection is PKCE (binds each auth code to the CLI that started the flow).
+ */
+export declare const PROXY_SHARED_KEY: string;
+/** Maximum characters returned in a single tool response before truncation. */
+export declare const CHARACTER_LIMIT = 25000;
+/** Whether this process is running with dangerous tools disabled. */
+export declare const SAFE_MODE: boolean;
+/** Env var naming the only directory local_path/save_path may read/write. */
+export declare const LOCAL_FILE_ROOT_ENV = "TERRA_MCP_LOCAL_FILE_ROOT";

package/dist/config/constants.js

@@ -0,0 +1,54 @@
+import { homedir } from "node:os";
+import { join } from "node:path";
+/** Server identity reported to MCP clients. */
+export const SERVER_NAME = "kozocom-google-mcp-server";
+export const SERVER_VERSION = "0.1.0";
+/** Full read/write Drive scope — gates the `drive_*` tools. */
+export const DRIVE_SCOPE = "https://www.googleapis.com/auth/drive";
+/** Full read/write Sheets scope — gates the `sheets_*` tools. */
+export const SHEETS_SCOPE = "https://www.googleapis.com/auth/spreadsheets";
+/** Sign-in scopes, always requested. Let us show which account is signed in. */
+export const IDENTITY_SCOPES = ["https://www.googleapis.com/auth/userinfo.email", "openid"];
+/**
+ * OAuth scopes requested at login. Full read/write for both Drive and Sheets.
+ * Google's granular consent screen lets the user grant only some of these; the
+ * server then registers only the tools whose scope was actually granted (see
+ * `selectGoogleTools`). Changing these requires re-running login (delete the
+ * cached token first).
+ */
+export const SCOPES = [DRIVE_SCOPE, SHEETS_SCOPE, ...IDENTITY_SCOPES];
+/** Directory holding the optional OAuth client config and cached token. */
+export const CONFIG_DIR = process.env.TERRA_MCP_DIR ?? join(homedir(), ".terra-mcp");
+/** Path to an optional downloaded Google OAuth client JSON. */
+export const CLIENT_SECRET_PATH = process.env.GOOGLE_OAUTH_CREDENTIALS ?? join(CONFIG_DIR, "client_secret.json");
+/** Path to the cached OAuth token (access + refresh). */
+export const TOKEN_PATH = process.env.GOOGLE_OAUTH_TOKEN ?? join(CONFIG_DIR, "token.json");
+/**
+ * OAuth token-exchange proxy. Google "Desktop" clients are confidential — the
+ * token endpoint requires `client_secret` even with PKCE. To keep the secret out
+ * of the published package, the CLI does the PKCE authorize step itself and posts
+ * the resulting `code` (and later, refresh tokens) to this Worker, which holds the
+ * secret and completes the exchange. See the `quang-mcp-auth-proxy` repo.
+ */
+export const TOKEN_PROXY_URL = process.env.TERRA_MCP_TOKEN_PROXY_URL ??
+    "https://quang-mcp-auth-proxy.getting-started-worker.workers.dev/token";
+/**
+ * Shared deterrent key sent to the proxy in `x-proxy-key`. This ships in the
+ * package, so it is NOT a secret — just a casual-abuse speed bump. The real
+ * protection is PKCE (binds each auth code to the CLI that started the flow).
+ */
+export const PROXY_SHARED_KEY = process.env.TERRA_MCP_PROXY_KEY ??
+    "f80350f60e2c7950b72f3041c673d1194d45efa38217237ecc7bf87530f093d5";
+/** Maximum characters returned in a single tool response before truncation. */
+export const CHARACTER_LIMIT = 25000;
+/**
+ * Env var that, when set to "1", runs the server in safe mode: irreversible,
+ * destructive tools (delete/clear) are not registered. The `config` CLI command
+ * emits this in the generated MCP config so AI clients can't destroy data.
+ */
+const SAFE_MODE_ENV = "TERRA_MCP_SAFE_MODE";
+/** Whether this process is running with dangerous tools disabled. */
+export const SAFE_MODE = process.env[SAFE_MODE_ENV] === "1";
+/** Env var naming the only directory local_path/save_path may read/write. */
+export const LOCAL_FILE_ROOT_ENV = "TERRA_MCP_LOCAL_FILE_ROOT";
+//# sourceMappingURL=constants.js.map

package/dist/config/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/config/constants.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,+CAA+C;AAC/C,MAAM,CAAC,MAAM,WAAW,GAAG,2BAA2B,CAAC;AACvD,MAAM,CAAC,MAAM,cAAc,GAAG,OAAO,CAAC;AAEtC,+DAA+D;AAC/D,MAAM,CAAC,MAAM,WAAW,GAAG,uCAAuC,CAAC;AACnE,iEAAiE;AACjE,MAAM,CAAC,MAAM,YAAY,GAAG,8CAA8C,CAAC;AAE3E,gFAAgF;AAChF,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,gDAAgD,EAAE,QAAQ,CAAC,CAAC;AAE5F;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,MAAM,GAAG,CAAC,WAAW,EAAE,YAAY,EAAE,GAAG,eAAe,CAAC,CAAC;AAEtE,2EAA2E;AAC3E,MAAM,CAAC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,YAAY,CAAC,CAAC;AAErF,+DAA+D;AAC/D,MAAM,CAAC,MAAM,kBAAkB,GAC7B,OAAO,CAAC,GAAG,CAAC,wBAAwB,IAAI,IAAI,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAAC;AAEjF,yDAAyD;AACzD,MAAM,CAAC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;AAE3F;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,eAAe,GAC1B,OAAO,CAAC,GAAG,CAAC,yBAAyB;IACrC,uEAAuE,CAAC;AAE1E;;;;GAIG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAC3B,OAAO,CAAC,GAAG,CAAC,mBAAmB;IAC/B,kEAAkE,CAAC;AAErE,+EAA+E;AAC/E,MAAM,CAAC,MAAM,eAAe,GAAG,KAAK,CAAC;AAErC;;;;GAIG;AACH,MAAM,aAAa,GAAG,qBAAqB,CAAC;AAE5C,qEAAqE;AACrE,MAAM,CAAC,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,KAAK,GAAG,CAAC;AAE5D,6EAA6E;AAC7E,MAAM,CAAC,MAAM,mBAAmB,GAAG,2BAA2B,CAAC"}

package/dist/core/local-file.d.ts

@@ -0,0 +1,3 @@
+export declare function isPathInsideRoot(path: string, root: string): boolean;
+export declare function safeReadPath(path: string): Promise<string>;
+export declare function safeWritePath(path: string): Promise<string>;

package/dist/core/local-file.js

@@ -0,0 +1,50 @@
+import { realpath } from "node:fs/promises";
+import { basename, dirname, isAbsolute, join, relative, resolve } from "node:path";
+import { LOCAL_FILE_ROOT_ENV } from "../config/constants.js";
+const disabledMessage = `Local file access is disabled. Set ${LOCAL_FILE_ROOT_ENV} to a directory, ` +
+    "then keep local_path/save_path inside it.";
+export function isPathInsideRoot(path, root) {
+    const rel = relative(root, path);
+    return rel === "" || (!!rel && !rel.startsWith("..") && !isAbsolute(rel));
+}
+async function localFileRoot() {
+    const root = process.env[LOCAL_FILE_ROOT_ENV];
+    if (!root)
+        throw new Error(disabledMessage);
+    return realpath(root);
+}
+function candidatePath(root, path) {
+    return isAbsolute(path) ? resolve(path) : resolve(join(root, path));
+}
+function assertInside(path, root) {
+    if (!isPathInsideRoot(path, root)) {
+        throw new Error(`Local file path is outside ${LOCAL_FILE_ROOT_ENV}: ${path}`);
+    }
+}
+function isNotFound(error) {
+    return !!error && typeof error === "object" && error.code === "ENOENT";
+}
+export async function safeReadPath(path) {
+    const root = await localFileRoot();
+    const resolved = await realpath(candidatePath(root, path));
+    assertInside(resolved, root);
+    return resolved;
+}
+export async function safeWritePath(path) {
+    const root = await localFileRoot();
+    const candidate = candidatePath(root, path);
+    try {
+        const existing = await realpath(candidate);
+        assertInside(existing, root);
+        return existing;
+    }
+    catch (error) {
+        if (!isNotFound(error))
+            throw error;
+    }
+    const parent = await realpath(dirname(candidate));
+    const resolved = resolve(parent, basename(candidate));
+    assertInside(resolved, root);
+    return resolved;
+}
+//# sourceMappingURL=local-file.js.map

package/dist/core/local-file.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-file.js","sourceRoot":"","sources":["../../src/core/local-file.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACnF,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAE7D,MAAM,eAAe,GACnB,sCAAsC,mBAAmB,mBAAmB;IAC5E,2CAA2C,CAAC;AAE9C,MAAM,UAAU,gBAAgB,CAAC,IAAY,EAAE,IAAY;IACzD,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACjC,OAAO,GAAG,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;AAC5E,CAAC;AAED,KAAK,UAAU,aAAa;IAC1B,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAC9C,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;IAC5C,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC;AACxB,CAAC;AAED,SAAS,aAAa,CAAC,IAAY,EAAE,IAAY;IAC/C,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;AACtE,CAAC;AAED,SAAS,YAAY,CAAC,IAAY,EAAE,IAAY;IAC9C,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,8BAA8B,mBAAmB,KAAK,IAAI,EAAE,CAAC,CAAC;IAChF,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,KAAc;IAChC,OAAO,CAAC,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,CAAC;AACpG,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAAY;IAC7C,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;IAC3D,YAAY,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC7B,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAAY;IAC9C,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;IACnC,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5C,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC3C,YAAY,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC7B,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;YAAE,MAAM,KAAK,CAAC;IACtC,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;IACtD,YAAY,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC7B,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/core/result.d.ts

@@ -0,0 +1,44 @@
+import { z } from "zod";
+/** Output format shared by all read tools. */
+declare const ResponseFormat: {
+    readonly MARKDOWN: "markdown";
+    readonly JSON: "json";
+};
+export type ResponseFormatValue = (typeof ResponseFormat)[keyof typeof ResponseFormat];
+/** Reusable Zod field: `response_format` defaulting to markdown. */
+export declare const responseFormatSchema: z.ZodDefault<z.ZodEnum<{
+    markdown: "markdown";
+    json: "json";
+}>>;
+/** Thrown when a tool needs Google credentials but none are valid/cached. */
+export declare class NotAuthenticatedError extends Error {
+    constructor(message?: string);
+}
+/** Standard MCP tool result shape (index signature satisfies the SDK's CallToolResult). */
+export interface ToolResult {
+    [key: string]: unknown;
+    content: {
+        type: "text";
+        text: string;
+    }[];
+    structuredContent?: Record<string, unknown>;
+    isError?: boolean;
+}
+/** Build a plain text/structured success result, truncating oversized text. */
+export declare function toolResult(text: string, structured?: Record<string, unknown>): ToolResult;
+/** Build an error result with an actionable message. */
+export declare function errorResult(message: string): ToolResult;
+/**
+ * Pick the text representation for a read tool's response: pretty-printed JSON
+ * when `format` is "json", otherwise the lazily-built markdown. The markdown
+ * thunk is only invoked when needed.
+ */
+export declare function formatResponse(format: ResponseFormatValue, json: unknown, markdown: () => string): string;
+/** Truncate a string to CHARACTER_LIMIT with a clear marker. */
+export declare function truncate(text: string, limit?: number): string;
+/**
+ * Map any thrown error into a clear, actionable message for the agent.
+ * Recognizes auth failures, common HTTP statuses, and Zod validation errors.
+ */
+export declare function handleGoogleError(error: unknown): string;
+export {};

package/dist/core/result.js

@@ -0,0 +1,104 @@
+import { z } from "zod";
+import { CHARACTER_LIMIT } from "../config/constants.js";
+/** Output format shared by all read tools. */
+const ResponseFormat = {
+    MARKDOWN: "markdown",
+    JSON: "json",
+};
+/** Reusable Zod field: `response_format` defaulting to markdown. */
+export const responseFormatSchema = z
+    .enum(["markdown", "json"])
+    .default("markdown")
+    .describe("Output format: 'markdown' for human-readable or 'json' for machine-readable");
+/** Thrown when a tool needs Google credentials but none are valid/cached. */
+export class NotAuthenticatedError extends Error {
+    constructor(message = "Not authenticated with Google.") {
+        super(message);
+        this.name = "NotAuthenticatedError";
+    }
+}
+/** Build a plain text/structured success result, truncating oversized text. */
+export function toolResult(text, structured) {
+    return {
+        content: [{ type: "text", text: truncate(text) }],
+        ...(structured ? { structuredContent: structured } : {}),
+    };
+}
+/** Build an error result with an actionable message. */
+export function errorResult(message) {
+    return { content: [{ type: "text", text: message }], isError: true };
+}
+/**
+ * Pick the text representation for a read tool's response: pretty-printed JSON
+ * when `format` is "json", otherwise the lazily-built markdown. The markdown
+ * thunk is only invoked when needed.
+ */
+export function formatResponse(format, json, markdown) {
+    return format === ResponseFormat.JSON ? JSON.stringify(json, null, 2) : markdown();
+}
+/** Truncate a string to CHARACTER_LIMIT with a clear marker. */
+export function truncate(text, limit = CHARACTER_LIMIT) {
+    if (text.length <= limit)
+        return text;
+    return (text.slice(0, limit) +
+        `\n\n…[truncated ${text.length - limit} of ${text.length} characters. ` +
+        `Narrow your query, add filters, or use pagination to see more.]`);
+}
+/** Extract an HTTP status code from a googleapis/gaxios error, if any. */
+function statusOf(error) {
+    if (error && typeof error === "object") {
+        const e = error;
+        const raw = e.response?.status ?? e.status ?? e.code;
+        if (typeof raw === "number")
+            return raw;
+        if (typeof raw === "string" && /^\d+$/.test(raw))
+            return Number(raw);
+    }
+    return undefined;
+}
+/** Best-effort human-readable message from an Error or a gaxios-like object. */
+function messageOf(error) {
+    if (error instanceof Error)
+        return error.message;
+    if (error && typeof error === "object") {
+        const m = error.message;
+        if (typeof m === "string")
+            return m;
+    }
+    return String(error);
+}
+/**
+ * Map any thrown error into a clear, actionable message for the agent.
+ * Recognizes auth failures, common HTTP statuses, and Zod validation errors.
+ */
+export function handleGoogleError(error) {
+    if (error instanceof NotAuthenticatedError) {
+        return `Error: ${error.message} Run \`terra-mcp auth login\` in a terminal to sign in, then retry.`;
+    }
+    if (error instanceof z.ZodError) {
+        const issues = error.issues.map((i) => `${i.path.join(".") || "(root)"}: ${i.message}`).join("; ");
+        return `Error: Invalid input — ${issues}`;
+    }
+    const status = statusOf(error);
+    const detail = messageOf(error);
+    switch (status) {
+        case 400:
+            return `Error: Bad request — ${detail}. Check IDs, ranges (e.g. 'Sheet1!A1:C10'), and parameters.`;
+        case 401:
+            return "Error: Authentication expired or revoked. Run `terra-mcp auth login` to sign in again.";
+        case 403:
+            return `Error: Permission denied — ${detail}. You may not have access to this file, or the required API/scope is not enabled.`;
+        case 404:
+            return (`Error: Not found — ${detail}. This means either the file/spreadsheet ID does not exist, ` +
+                `or it exists but you lack access (Google returns 404 instead of 403 to avoid revealing it). ` +
+                `Verify the ID and that your account can open it.`);
+        case 429:
+            return "Error: Rate limit exceeded. Wait a moment and retry, or reduce the request frequency.";
+        case 500:
+        case 503:
+            return "Error: Google API is temporarily unavailable. Please retry shortly.";
+        default:
+            return `Error: ${detail}`;
+    }
+}
+//# sourceMappingURL=result.js.map

package/dist/core/result.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"result.js","sourceRoot":"","sources":["../../src/core/result.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,8CAA8C;AAC9C,MAAM,cAAc,GAAG;IACrB,QAAQ,EAAE,UAAU;IACpB,IAAI,EAAE,MAAM;CACJ,CAAC;AAGX,oEAAoE;AACpE,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC;KAClC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;KAC1B,OAAO,CAAC,UAAU,CAAC;KACnB,QAAQ,CAAC,6EAA6E,CAAC,CAAC;AAE3F,6EAA6E;AAC7E,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAC9C,YAAY,OAAO,GAAG,gCAAgC;QACpD,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AAUD,+EAA+E;AAC/E,MAAM,UAAU,UAAU,CAAC,IAAY,EAAE,UAAoC;IAC3E,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACjD,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACzD,CAAC;AACJ,CAAC;AAED,wDAAwD;AACxD,MAAM,UAAU,WAAW,CAAC,OAAe;IACzC,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AACvE,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAC5B,MAA2B,EAC3B,IAAa,EACb,QAAsB;IAEtB,OAAO,MAAM,KAAK,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;AACrF,CAAC;AAED,gEAAgE;AAChE,MAAM,UAAU,QAAQ,CAAC,IAAY,EAAE,KAAK,GAAG,eAAe;IAC5D,IAAI,IAAI,CAAC,MAAM,IAAI,KAAK;QAAE,OAAO,IAAI,CAAC;IACtC,OAAO,CACL,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC;QACpB,mBAAmB,IAAI,CAAC,MAAM,GAAG,KAAK,OAAO,IAAI,CAAC,MAAM,eAAe;QACvE,iEAAiE,CAClE,CAAC;AACJ,CAAC;AAED,0EAA0E;AAC1E,SAAS,QAAQ,CAAC,KAAc;IAC9B,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,CAAC,GAAG,KAA8E,CAAC;QACzF,MAAM,GAAG,GAAG,CAAC,CAAC,QAAQ,EAAE,MAAM,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,IAAI,CAAC;QACrD,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,GAAG,CAAC;QACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;IACvE,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,gFAAgF;AAChF,SAAS,SAAS,CAAC,KAAc;IAC/B,IAAI,KAAK,YAAY,KAAK;QAAE,OAAO,KAAK,CAAC,OAAO,CAAC;IACjD,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,CAAC,GAAI,KAA+B,CAAC,OAAO,CAAC;QACnD,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,OAAO,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;AACvB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAc;IAC9C,IAAI,KAAK,YAAY,qBAAqB,EAAE,CAAC;QAC3C,OAAO,UAAU,KAAK,CAAC,OAAO,qEAAqE,CAAC;IACtG,CAAC;IACD,IAAI,KAAK,YAAY,CAAC,CAAC,QAAQ,EAAE,CAAC;QAChC,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnG,OAAO,0BAA0B,MAAM,EAAE,CAAC;IAC5C,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IAChC,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,GAAG;YACN,OAAO,wBAAwB,MAAM,6DAA6D,CAAC;QACrG,KAAK,GAAG;YACN,OAAO,wFAAwF,CAAC;QAClG,KAAK,GAAG;YACN,OAAO,8BAA8B,MAAM,mFAAmF,CAAC;QACjI,KAAK,GAAG;YACN,OAAO,CACL,sBAAsB,MAAM,8DAA8D;gBAC1F,8FAA8F;gBAC9F,kDAAkD,CACnD,CAAC;QACJ,KAAK,GAAG;YACN,OAAO,uFAAuF,CAAC;QACjG,KAAK,GAAG,CAAC;QACT,KAAK,GAAG;YACN,OAAO,qEAAqE,CAAC;QAC/E;YACE,OAAO,UAAU,MAAM,EAAE,CAAC;IAC9B,CAAC;AACH,CAAC"}

package/dist/core/tool.d.ts

@@ -0,0 +1,61 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { ToolAnnotations } from "@modelcontextprotocol/sdk/types.js";
+import type { z } from "zod";
+import type { drive_v3, sheets_v4 } from "googleapis";
+import { type ToolResult } from "./result.js";
+/**
+ * Args a handler receives: the parsed output of its Zod input shape, with
+ * defaults applied. Derived from the schema so the schema is the single source
+ * of truth — handlers never re-declare their argument types by hand.
+ */
+export type ArgsOf<Shape extends z.ZodRawShape> = z.infer<z.ZodObject<Shape>>;
+/**
+ * A self-registering tool. Defining a tool yields one of these; the registry
+ * just calls it with the server. Capturing registration in a closure (rather
+ * than an erased `{ definition, handler }` record) is what lets each tool stay
+ * fully type-checked against its own schema. The closure also carries the
+ * tool's `name` and `annotations` so registries can filter (e.g. drop
+ * dangerous tools in safe mode) without re-deriving them.
+ */
+export interface ToolRegistration {
+    (server: McpServer): void;
+    readonly toolName: string;
+    readonly annotations: ToolAnnotations;
+}
+/**
+ * Whether a tool only reads — never mutates Drive/Sheets or local auth state.
+ * Driven by the honest `readOnlyHint` annotation each tool sets. Safe-mode
+ * configs expose only these; every mutating tool (create/write/delete, plus
+ * login/logout) is treated as dangerous and disabled.
+ */
+export declare function isReadOnlyTool(registration: ToolRegistration): boolean;
+interface ToolSpec<Shape extends z.ZodRawShape> {
+    name: string;
+    title: string;
+    description: string;
+    inputSchema: Shape;
+    annotations: ToolAnnotations;
+}
+/**
+ * Define a tool that needs no Google client (e.g. auth tools). The handler owns
+ * its own error handling when it must shape errors specially; otherwise thrown
+ * errors are caught and returned via {@link handleGoogleError}.
+ */
+export declare function tool<Shape extends z.ZodRawShape>(spec: ToolSpec<Shape> & {
+    run: (args: ArgsOf<Shape>) => Promise<ToolResult>;
+}): ToolRegistration;
+/**
+ * Define a Drive tool. The authorized Drive client is fetched and injected per
+ * call; `NotAuthenticated`/API errors are mapped to actionable results. The
+ * pure `run` function is what unit tests call directly with a fake client.
+ */
+export declare function driveTool<Shape extends z.ZodRawShape>(spec: ToolSpec<Shape> & {
+    run: (drive: drive_v3.Drive, args: ArgsOf<Shape>) => Promise<ToolResult>;
+}): ToolRegistration;
+/** Define a Sheets tool. See {@link driveTool}; injects the Sheets client. */
+export declare function sheetsTool<Shape extends z.ZodRawShape>(spec: ToolSpec<Shape> & {
+    run: (sheets: sheets_v4.Sheets, args: ArgsOf<Shape>) => Promise<ToolResult>;
+}): ToolRegistration;
+/** Register every tool in the list with the server. */
+export declare function registerAll(server: McpServer, tools: readonly ToolRegistration[]): void;
+export {};

package/dist/core/tool.js

@@ -0,0 +1,63 @@
+import { errorResult, handleGoogleError } from "./result.js";
+import { getGoogleClients } from "../google/client.js";
+/**
+ * Whether a tool only reads — never mutates Drive/Sheets or local auth state.
+ * Driven by the honest `readOnlyHint` annotation each tool sets. Safe-mode
+ * configs expose only these; every mutating tool (create/write/delete, plus
+ * login/logout) is treated as dangerous and disabled.
+ */
+export function isReadOnlyTool(registration) {
+    return registration.annotations.readOnlyHint === true;
+}
+/** Register a tool whose handler is `run`, mapping any thrown error to a result. */
+function register(spec, run) {
+    const { name, title, description, inputSchema, annotations } = spec;
+    const callback = async (args) => {
+        try {
+            return await run(args);
+        }
+        catch (error) {
+            return errorResult(handleGoogleError(error));
+        }
+    };
+    const registration = (server) => {
+        // The SDK's callback type is generic over its own zod-compat shapes and a
+        // wider CallToolResult content union than ToolResult. `callback` is fully
+        // checked against `Shape` above; this single cast bridges that boundary —
+        // the only erasure in the registration path.
+        server.registerTool(name, { title, description, inputSchema, annotations }, callback);
+    };
+    return Object.assign(registration, { toolName: name, annotations });
+}
+/**
+ * Define a tool that needs no Google client (e.g. auth tools). The handler owns
+ * its own error handling when it must shape errors specially; otherwise thrown
+ * errors are caught and returned via {@link handleGoogleError}.
+ */
+export function tool(spec) {
+    return register(spec, spec.run);
+}
+/**
+ * Define a Drive tool. The authorized Drive client is fetched and injected per
+ * call; `NotAuthenticated`/API errors are mapped to actionable results. The
+ * pure `run` function is what unit tests call directly with a fake client.
+ */
+export function driveTool(spec) {
+    return register(spec, async (args) => {
+        const { drive } = await getGoogleClients();
+        return spec.run(drive, args);
+    });
+}
+/** Define a Sheets tool. See {@link driveTool}; injects the Sheets client. */
+export function sheetsTool(spec) {
+    return register(spec, async (args) => {
+        const { sheets } = await getGoogleClients();
+        return spec.run(sheets, args);
+    });
+}
+/** Register every tool in the list with the server. */
+export function registerAll(server, tools) {
+    for (const registerTool of tools)
+        registerTool(server);
+}
+//# sourceMappingURL=tool.js.map

package/dist/core/tool.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool.js","sourceRoot":"","sources":["../../src/core/tool.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,WAAW,EAAE,iBAAiB,EAAmB,MAAM,aAAa,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAuBvD;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,YAA8B;IAC3D,OAAO,YAAY,CAAC,WAAW,CAAC,YAAY,KAAK,IAAI,CAAC;AACxD,CAAC;AAUD,oFAAoF;AACpF,SAAS,QAAQ,CACf,IAAqB,EACrB,GAAiD;IAEjD,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC;IACpE,MAAM,QAAQ,GAAG,KAAK,EAAE,IAAmB,EAAuB,EAAE;QAClE,IAAI,CAAC;YACH,OAAO,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC;QACzB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,WAAW,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC,CAAC;IACF,MAAM,YAAY,GAAgC,CAAC,MAAM,EAAE,EAAE;QAC3D,0EAA0E;QAC1E,0EAA0E;QAC1E,0EAA0E;QAC1E,6CAA6C;QAC7C,MAAM,CAAC,YAAY,CACjB,IAAI,EACJ,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,EAChD,QAA0C,CAC3C,CAAC;IACJ,CAAC,CAAC;IACF,OAAO,MAAM,CAAC,MAAM,CAAC,YAAY,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC;AACtE,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,IAAI,CAClB,IAA6E;IAE7E,OAAO,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;AAClC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,SAAS,CACvB,IAEC;IAED,OAAO,QAAQ,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACnC,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,gBAAgB,EAAE,CAAC;QAC3C,OAAO,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,MAAM,UAAU,UAAU,CACxB,IAEC;IAED,OAAO,QAAQ,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACnC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,gBAAgB,EAAE,CAAC;QAC5C,OAAO,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,WAAW,CAAC,MAAiB,EAAE,KAAkC;IAC/E,KAAK,MAAM,YAAY,IAAI,KAAK;QAAE,YAAY,CAAC,MAAM,CAAC,CAAC;AACzD,CAAC"}