toolcraft 0.0.23 → 0.0.24

package/node_modules/mcp-oauth/dist/client/loopback-authorization.js

@@ -17,8 +17,14 @@ export async function createLoopbackAuthorizationSession(options = {}) {
     };
 }
 async function startServer(server) {
-    return new Promise((resolve) => {
+    return new Promise((resolve, reject) => {
+        const handleError = (error) => {
+            server.off("error", handleError);
+            reject(error);
+        };
+        server.once("error", handleError);
         server.listen(0, "127.0.0.1", () => {
+            server.off("error", handleError);
             const address = server.address();
             resolve(address.port);
         });
@@ -41,20 +47,34 @@ function waitForAuthorizationCode(server, authorizationUrl, options, callbackPat
                 res.end("Not found");
                 return;
             }
-            const error = url.searchParams.get("error");
-            if (error !== null) {
-                const description = url.searchParams.get("error_description") ?? error;
+            const callbackParameters = {
+                code: url.searchParams.get("code"),
+                error: url.searchParams.get("error"),
+                errorDescription: url.searchParams.get("error_description"),
+                state: url.searchParams.get("state"),
+                iss: url.searchParams.get("iss"),
+            };
+            try {
+                validateAuthorizationCallbackBinding(callbackParameters, expectedAuthorization);
+            }
+            catch (error) {
+                res.writeHead(400);
+                res.end(error instanceof Error ? error.message : "Invalid OAuth callback");
+                if (callbackParameters.error === null) {
+                    settle(() => reject(error instanceof Error ? error : new Error(String(error))));
+                }
+                return;
+            }
+            const authorizationError = callbackParameters.error;
+            if (authorizationError !== null) {
+                const description = callbackParameters.errorDescription ?? authorizationError;
                 res.writeHead(400);
                 res.end(`Authorization failed: ${description}`);
-                settle(() => reject(new Error(`OAuth authorization failed: ${error} — ${description}`)));
+                settle(() => reject(createAuthorizationError(authorizationError, description)));
                 return;
             }
             try {
-                const code = validateAuthorizationCallbackParameters({
-                    code: url.searchParams.get("code"),
-                    state: url.searchParams.get("state"),
-                    iss: url.searchParams.get("iss"),
-                }, expectedAuthorization);
+                const code = validateAuthorizationCallbackParameters(callbackParameters, expectedAuthorization);
                 res.writeHead(200, { "Content-Type": "text/html" });
                 res.end(buildSuccessPage(options.landingPage));
                 settle(() => resolve(code));
@@ -73,13 +93,20 @@ function waitForAuthorizationCode(server, authorizationUrl, options, callbackPat
                     return;
                 }
                 try {
+                    validateAuthorizationCallbackBinding(callbackParameters, expectedAuthorization);
+                    if (callbackParameters.error !== null) {
+                        const description = callbackParameters.errorDescription ?? callbackParameters.error;
+                        throw createAuthorizationError(callbackParameters.error, description);
+                    }
                     const code = validateAuthorizationCallbackParameters(callbackParameters, expectedAuthorization);
                     settle(() => resolve(code));
                 }
                 catch (error) {
                     settle(() => reject(error instanceof Error ? error : new Error(String(error))));
                 }
-            }).catch(() => undefined);
+            }).catch((error) => {
+                settle(() => reject(error instanceof Error ? error : new Error(String(error))));
+            });
         }
         if (options.openBrowser !== undefined) {
             options.openBrowser(authorizationUrl).catch((error) => {
@@ -100,6 +127,8 @@ function extractCallbackParametersFromInput(input) {
         const url = new URL(trimmed);
         return {
             code: url.searchParams.get("code"),
+            error: url.searchParams.get("error"),
+            errorDescription: url.searchParams.get("error_description"),
             state: url.searchParams.get("state"),
             iss: url.searchParams.get("iss"),
         };
@@ -107,6 +136,8 @@ function extractCallbackParametersFromInput(input) {
     catch {
         return {
             code: trimmed,
+            error: null,
+            errorDescription: null,
             state: null,
             iss: null,
         };
@@ -123,9 +154,13 @@ function readExpectedAuthorizationCallback(authorizationUrl) {
     };
 }
 function validateAuthorizationCallbackParameters(callback, expected) {
+    validateAuthorizationCallbackBinding(callback, expected);
     if (callback.code === null || callback.code.length === 0) {
         throw new Error("OAuth callback missing authorization code");
     }
+    return callback.code;
+}
+function validateAuthorizationCallbackBinding(callback, expected) {
     if (expected.state !== null) {
         if (callback.state === null || callback.state.length === 0) {
             throw new Error("OAuth callback missing state");
@@ -145,7 +180,9 @@ function validateAuthorizationCallbackParameters(callback, expected) {
         && callback.iss !== expected.issuer) {
         throw new Error("OAuth callback issuer mismatch");
     }
-    return callback.code;
+}
+function createAuthorizationError(error, description) {
+    return new Error(`OAuth authorization failed: ${error} — ${description}`);
 }
 function escapeHtml(text) {
     return text

package/node_modules/mcp-oauth/dist/client/token-endpoint.js

@@ -75,13 +75,18 @@ async function requestTokens(input) {
         body: body.toString(),
     });
     const payload = await readOAuthJsonObjectResponse(response);
-    if (typeof payload.access_token !== "string" || payload.access_token.length === 0) {
+    if (typeof payload.access_token !== "string" || payload.access_token.trim().length === 0) {
         throw new Error("OAuth token response missing access_token");
     }
     const tokenType = normalizeBearerTokenType(payload.token_type);
     if (tokenType === null) {
         throw new Error("OAuth token response missing token_type=Bearer");
     }
+    if (typeof payload.expires_in === "number"
+        && Number.isFinite(payload.expires_in)
+        && payload.expires_in < 0) {
+        throw new Error("OAuth token response has invalid expires_in");
+    }
     return {
         accessToken: payload.access_token,
         refreshToken: typeof payload.refresh_token === "string" && payload.refresh_token.length > 0

package/node_modules/mcp-oauth/dist/server/jwks-token-verifier.js

@@ -242,7 +242,7 @@ export function createJwksTokenVerifier(options) {
                 const audience = normalizeVerifiedAudience(verified.payload.aud, expectedResource);
                 const accessToken = toVerifiedAccessToken(input.token, verified.payload, audience);
                 if (input.requiredScopes.length > 0
-                    && !accessToken.scopes.some((scope) => input.requiredScopes.includes(scope))) {
+                    && !input.requiredScopes.every((scope) => accessToken.scopes.includes(scope))) {
                     throw createTokenVerificationError({
                         error: "insufficient_scope",
                         errorDescription: "insufficient scope",

package/node_modules/mcp-oauth/package.json

@@ -1,6 +1,7 @@
 {
   "name": "mcp-oauth",
   "version": "0.0.1",
+  "private": true,
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/node_modules/tiny-mcp-client/.turbo/turbo-build.log

@@ -3,5 +3,5 @@ npm warn Unknown project config "package-manager-strict". This will stop working
 npm warn Unknown project config "prefer-workspace-packages". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
 
 > tiny-mcp-client@0.1.0 build
-> tsc
+> node ../../scripts/guard-package-dist.mjs && tsc
 

package/node_modules/tiny-mcp-client/dist/internal.d.ts

@@ -1,14 +1,14 @@
 import type { ChildProcessWithoutNullStreams, SpawnOptions } from "node:child_process";
 import type { Readable, Writable } from "node:stream";
 import type { JSONRPCMessage as SdkJsonRpcMessage } from "@modelcontextprotocol/sdk/types.js";
-import { type OAuthClientProviderOptions } from "../../mcp-oauth/dist/index.js";
+import { type OAuthClientProviderOptions } from "mcp-oauth";
 import type { Server as TinyStdioMcpServer } from "tiny-stdio-mcp-server";
 import type { OAuthDiscoveryCache } from "./oauth-discovery.js";
 export { OAuthMetadataDiscovery, discoverOAuthMetadata, parseBearerWwwAuthenticateHeader, resolveAuthorizationServerMetadataUrl, resolveProtectedResourceMetadataUrl, } from "./oauth-discovery.js";
-export { createAuthStoreSessionStore, createDefaultOAuthClientProvider, } from "../../mcp-oauth/dist/index.js";
+export { createAuthStoreSessionStore, createDefaultOAuthClientProvider, } from "mcp-oauth";
 export type { OAuthDiscoveryCache, } from "./oauth-discovery.js";
 export type { OAuthAuthorizationServerMetadata, OAuthDiscoveryResult, OAuthMetadataFetch, OAuthProtectedResourceMetadata, OAuthUnauthorizedChallenge } from "./oauth-discovery.js";
-export type { DefaultOAuthClientProviderOptions, OAuthClientProvider, OAuthClientProviderOptions, OAuthSessionStore, StoredOAuthSession, } from "../../mcp-oauth/dist/index.js";
+export type { DefaultOAuthClientProviderOptions, OAuthClientProvider, OAuthClientProviderOptions, OAuthSessionStore, StoredOAuthSession, } from "mcp-oauth";
 export type RequestId = number | string;
 export interface Implementation {
     name: string;
@@ -59,6 +59,7 @@ export interface InitializeResult {
 }
 export interface McpClientOptions {
     clientInfo: Implementation;
+    requestTimeoutMs?: number;
     capabilities?: ClientCapabilities;
     onToolsChanged?: () => void | Promise<void>;
     onResourcesChanged?: () => void | Promise<void>;
@@ -72,8 +73,11 @@ export interface McpClientOptions {
 export declare class McpClient {
     private currentState;
     private currentServerCapabilities;
+    private currentClientCapabilities;
     private currentServerInfo;
     private currentInstructions;
+    private readonly subscribedResourceUris;
+    private readonly activeProgressTokens;
     private readonly options;
     private transport;
     private messageLayer;
@@ -418,6 +422,7 @@ export declare class HttpTransport implements McpTransport {
     private readonly openSseReaders;
     constructor({ url, headers, fetch: fetchImpl, oauth, oauthDiscoveryCache, }: HttpTransportOptions);
     dispose(reason?: Error): void;
+    private closeWithSessionTermination;
     private abortInFlightFetches;
     private cancelOpenSseReaders;
     private fetchWithAbort;
@@ -428,7 +433,6 @@ export declare class HttpTransport implements McpTransport {
     private authorizeRequestHeaders;
     private captureSessionId;
     private maybeOpenGetSseStream;
-    private terminateSession;
     private sendSessionTerminationRequest;
     private consumeGetSseStream;
     private throwForPostHttpError;