touchstone-mcp-tools 1.0.0 → 1.0.1

package/build/handlers/wolves-handler.js

@@ -22,7 +22,8 @@ export class WolvesHandler {
     }
     // Tool 3: list_assignment_units
     async listAssignmentUnits(params) {
-        const result = await this.api.listAssignmentUnits(params.filter);
+        const filter = params.filter ?? "IsArchived eq false";
+        const result = await this.api.listAssignmentUnits(filter);
         return {
             data: result,
             message: `Found ${result.value.length} assignment unit(s)`,

package/build/servers/wolves-server.js

@@ -79,7 +79,22 @@ function wrapSuccess(result) {
     };
 }
 function wrapError(error) {
-    const message = error instanceof Error ? error.message : String(error);
+    let message;
+    let statusCode;
+    let detail;
+    if (error && typeof error === "object" && "response" in error) {
+        // Axios error — extract API response details
+        const axiosError = error;
+        statusCode = axiosError.response?.status;
+        detail = axiosError.response?.data;
+        const apiDetail = detail?.detail || detail?.message || detail?.error || detail?.title;
+        message = apiDetail
+            ? `API error ${statusCode}: ${typeof apiDetail === "string" ? apiDetail : JSON.stringify(apiDetail)}`
+            : `Request failed with status code ${statusCode}`;
+    }
+    else {
+        message = error instanceof Error ? error.message : String(error);
+    }
     return {
         content: [
             {
@@ -87,6 +102,8 @@ function wrapError(error) {
                 text: JSON.stringify({
                     success: false,
                     error: message,
+                    ...(statusCode ? { statusCode } : {}),
+                    ...(detail ? { detail } : {}),
                 }, null, 2),
             },
         ],

package/build/utils/token-manager.d.ts

@@ -1,9 +1,13 @@
 export declare class TokenManager {
-    private credential;
-    private cachedToken;
-    private static readonly SCOPE;
-    private static readonly BUFFER_MS;
+    private cachedTokens;
+    private tokenFilePath;
     constructor();
     getToken(): Promise<string>;
-    private isTokenValid;
+    private isAccessTokenValid;
+    private refreshAccessToken;
+    private interactiveLogin;
+    private waitForAuthCode;
+    private saveTokens;
+    private loadCachedTokens;
+    private openBrowser;
 }

package/build/utils/token-manager.js

@@ -1,32 +1,189 @@
-import { DefaultAzureCredential } from "@azure/identity";
+import { createServer } from "http";
+import { randomBytes, createHash } from "crypto";
+import { exec } from "child_process";
+import { URL, URLSearchParams } from "url";
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
+import { join } from "path";
+import { tmpdir, platform } from "os";
+// Mars app — the only app ID trusted by ExP API
+const MARS_CLIENT_ID = "4728d04c-aaa7-4d80-9a24-f6f7d45c1be3";
+const MICROSOFT_TENANT_ID = "72f988bf-86f1-41af-91ab-2d7cd011db47";
+const TOKEN_ENDPOINT = `https://login.microsoftonline.com/${MICROSOFT_TENANT_ID}/oauth2/v2.0/token`;
+const AUTHORIZE_ENDPOINT = `https://login.microsoftonline.com/${MICROSOFT_TENANT_ID}/oauth2/v2.0/authorize`;
+const REDIRECT_URI = "http://localhost:4000/auth";
+const SCOPE = "openid profile User.Read";
+// Refresh token 5 minutes before access token expiry
+const BUFFER_MS = 5 * 60 * 1000;
+const LOGIN_TIMEOUT_MS = 120_000;
 export class TokenManager {
-    credential;
-    cachedToken = null;
-    // TouchStone API validates against Microsoft Graph
-    static SCOPE = "https://graph.microsoft.com/.default";
-    // Refresh token 5 minutes before expiry
-    static BUFFER_MS = 5 * 60 * 1000;
+    cachedTokens = null;
+    tokenFilePath;
     constructor() {
-        this.credential = new DefaultAzureCredential();
+        const cacheDir = join(tmpdir(), "touchstone-mcp");
+        if (!existsSync(cacheDir)) {
+            mkdirSync(cacheDir, { recursive: true });
+        }
+        this.tokenFilePath = join(cacheDir, "token-cache.json");
+        this.loadCachedTokens();
     }
     async getToken() {
-        if (this.isTokenValid()) {
-            return this.cachedToken.token;
+        // 1. Check cached access token
+        if (this.isAccessTokenValid()) {
+            return this.cachedTokens.access_token;
+        }
+        // 2. Try refresh token
+        if (this.cachedTokens?.refresh_token) {
+            try {
+                await this.refreshAccessToken();
+                return this.cachedTokens.access_token;
+            }
+            catch {
+                // Refresh failed (expired or revoked), fall through to interactive login
+                console.error("Refresh token expired, interactive login required.");
+            }
+        }
+        // 3. Interactive browser login
+        await this.interactiveLogin();
+        return this.cachedTokens.access_token;
+    }
+    // ---- Private: Token lifecycle ----
+    isAccessTokenValid() {
+        if (!this.cachedTokens?.access_token)
+            return false;
+        return Date.now() < this.cachedTokens.expires_at - BUFFER_MS;
+    }
+    async refreshAccessToken() {
+        const resp = await fetch(TOKEN_ENDPOINT, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                "Origin": REDIRECT_URI.replace("/auth", ""),
+            },
+            body: new URLSearchParams({
+                client_id: MARS_CLIENT_ID,
+                scope: SCOPE,
+                refresh_token: this.cachedTokens.refresh_token,
+                grant_type: "refresh_token",
+            }),
+        });
+        const data = await resp.json();
+        if (!data.access_token) {
+            throw new Error(data.error_description || "Token refresh failed");
+        }
+        this.saveTokens(data);
+    }
+    async interactiveLogin() {
+        // PKCE
+        const codeVerifier = randomBytes(32).toString("base64url");
+        const codeChallenge = createHash("sha256").update(codeVerifier).digest("base64url");
+        const authParams = new URLSearchParams({
+            client_id: MARS_CLIENT_ID,
+            response_type: "code",
+            redirect_uri: REDIRECT_URI,
+            scope: SCOPE,
+            response_mode: "query",
+            prompt: "select_account",
+            code_challenge: codeChallenge,
+            code_challenge_method: "S256",
+        });
+        const authUrl = `${AUTHORIZE_ENDPOINT}?${authParams}`;
+        // Wait for auth code via local HTTP server
+        const code = await this.waitForAuthCode(authUrl);
+        // Exchange code for tokens
+        const resp = await fetch(TOKEN_ENDPOINT, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded",
+                "Origin": REDIRECT_URI.replace("/auth", ""),
+            },
+            body: new URLSearchParams({
+                client_id: MARS_CLIENT_ID,
+                scope: SCOPE,
+                code,
+                redirect_uri: REDIRECT_URI,
+                grant_type: "authorization_code",
+                code_verifier: codeVerifier,
+            }),
+        });
+        const data = await resp.json();
+        if (!data.access_token) {
+            throw new Error(`Interactive login failed: ${data.error_description || JSON.stringify(data)}`);
         }
+        this.saveTokens(data);
+        console.error("TouchStone login successful.");
+    }
+    waitForAuthCode(authUrl) {
+        return new Promise((resolve, reject) => {
+            const server = createServer((req, res) => {
+                const url = new URL(req.url || "/", "http://localhost:4000");
+                const authCode = url.searchParams.get("code");
+                const error = url.searchParams.get("error_description");
+                if (authCode) {
+                    res.writeHead(200, { "Content-Type": "text/html" });
+                    res.end("Login successful. You can close this window.");
+                    server.close();
+                    resolve(authCode);
+                }
+                else if (error) {
+                    res.writeHead(400, { "Content-Type": "text/html" });
+                    res.end(`Login failed: ${error}`);
+                    server.close();
+                    reject(new Error(error));
+                }
+                else {
+                    res.writeHead(200);
+                    res.end("");
+                }
+            });
+            server.listen(4000, () => {
+                console.error("Opening browser for TouchStone login...");
+                console.error("If browser does not open, visit: " + authUrl);
+                this.openBrowser(authUrl);
+            });
+            setTimeout(() => {
+                server.close();
+                reject(new Error("Login timed out after 2 minutes. Please try again."));
+            }, LOGIN_TIMEOUT_MS);
+        });
+    }
+    // ---- Private: Token persistence ----
+    saveTokens(data) {
+        this.cachedTokens = {
+            access_token: data.access_token,
+            refresh_token: data.refresh_token,
+            expires_at: Date.now() + (data.expires_in || 3600) * 1000,
+        };
         try {
-            this.cachedToken = await this.credential.getToken(TokenManager.SCOPE);
-            return this.cachedToken.token;
+            writeFileSync(this.tokenFilePath, JSON.stringify(this.cachedTokens), { mode: 0o600 });
         }
-        catch (error) {
-            throw new Error("Azure authentication failed. Please ensure you are logged in by running `az login`. " +
-                `Details: ${error instanceof Error ? error.message : String(error)}`);
+        catch {
+            // Non-fatal: tokens still work in memory
         }
     }
-    isTokenValid() {
-        if (!this.cachedToken)
-            return false;
-        const now = Date.now();
-        const expiresAt = this.cachedToken.expiresOnTimestamp - TokenManager.BUFFER_MS;
-        return now < expiresAt;
+    loadCachedTokens() {
+        try {
+            if (existsSync(this.tokenFilePath)) {
+                const data = JSON.parse(readFileSync(this.tokenFilePath, "utf8"));
+                if (data.access_token && data.refresh_token) {
+                    this.cachedTokens = data;
+                }
+            }
+        }
+        catch {
+            // Corrupted cache file, ignore
+        }
+    }
+    // ---- Private: Cross-platform browser open ----
+    openBrowser(url) {
+        const os = platform();
+        const cmd = os === "win32"
+            ? `cmd.exe /c start "" "${url}"`
+            : os === "darwin"
+                ? `open "${url}"`
+                : `xdg-open "${url}"`;
+        exec(cmd, (err) => {
+            if (err)
+                console.error("Could not open browser automatically.");
+        });
     }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "touchstone-mcp-tools",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "MCP tools for TouchStone Experimentation platform",
   "type": "module",
   "main": "build/index.js",
@@ -20,7 +20,6 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.26.0",
-    "@azure/identity": "^4.6.0",
     "axios": "^1.7.0"
   },
   "devDependencies": {

package/README.md

@@ -1,199 +0,0 @@
-# wolves-mcp-tools
-
-MCP (Model Context Protocol) server for the [Wolves Experimentation](https://wolves.microsoft.com) platform. Enables AI coding agents (Claude Code, Copilot CLI, Codex CLI) to create and manage A/B experiments through natural language interaction.
-
-## Prerequisites
-
-- **Node.js** >= 18.0.0
-- **Azure CLI** — You must be logged in via `az login` for authentication. The server uses `DefaultAzureCredential` to acquire tokens scoped to `https://graph.microsoft.com/.default`.
-
-## Installation
-
-```bash
-# Install from npm
-npm install wolves-mcp-tools
-
-# Or run directly via npx (no install needed)
-npx -y wolves-mcp-tools
-```
-
-## MCP Configuration
-
-Add the following to your `.mcp.json` to register the server with your AI coding agent:
-
-```json
-{
-  "mcpServers": {
-    "wolves-tools": {
-      "type": "stdio",
-      "command": "npx",
-      "args": ["-y", "wolves-mcp-tools"],
-      "description": "Wolves MCP tools for experiment management"
-    }
-  }
-}
-```
-
-## Available Tools
-
-| Tool | Description |
-|------|-------------|
-| `create_experiment` | Create a new A/B experiment in Wolves. Checks for duplicate names before creation. |
-| `update_experiment` | Update an existing experiment. Fetches current state and merges changes to prevent data loss. |
-| `list_experiments` | List all experiments with optional client-side filtering by status and result limiting. |
-| `get_experiment` | Get detailed information about a specific experiment by its UUID. |
-| `list_metrics` | List available metrics, optionally filtered by type (`count`, `sum`, `ratio`, `conversion`) or status. |
-| `list_api_keys` | List API keys, optionally filtered by experiment ID. |
-| `update_api_keys` | Update an API key's name, active status, or experiment/gate permissions. |
-
-### create_experiment
-
-Creates a new A/B experiment with the specified groups and configuration.
-
-**Parameters:**
-
-| Parameter | Type | Required | Default | Description |
-|-----------|------|----------|---------|-------------|
-| `name` | string | Yes | — | Experiment name |
-| `groups` | array | Yes | — | Experiment groups (variants). First group defaults to control. |
-| `hypothesis` | string | No | — | Experiment hypothesis |
-| `allocationPercentage` | number | No | 100 | Overall traffic allocation (0-100) |
-| `targetDurationDays` | number | No | 14 | Target experiment duration in days |
-| `type` | string | No | `"ab"` | Experiment type |
-| `idType` | string | No | `"session_id"` | ID type for assignment |
-
-Each group requires `name` (string) and `size` (number, 0-100). Optional fields: `isControl` (boolean), `parameters` (array of `{name, type, value}`).
-
-### update_experiment
-
-Updates an existing experiment's configuration. Only provided fields are updated.
-
-**Parameters:**
-
-| Parameter | Type | Required | Description |
-|-----------|------|----------|-------------|
-| `experiment_id` | string (UUID) | Yes | The experiment to update |
-| `name` | string | No | New experiment name |
-| `hypothesis` | string | No | New hypothesis |
-| `allocationPercentage` | number | No | New traffic allocation (0-100) |
-| `groups` | array | No | Updated groups (replaces all existing) |
-| `targetDurationDays` | number | No | New target duration in days |
-| `type` | string | No | Experiment type |
-| `idType` | string | No | ID type for assignment |
-| `targetingCriteria` | string | No | Targeting criteria expression |
-| `analysisType` | string | No | Analysis type |
-| `defaultConfidenceInterval` | number | No | Default confidence interval |
-
-### list_experiments
-
-Lists all experiments with optional filtering.
-
-| Parameter | Type | Required | Description |
-|-----------|------|----------|-------------|
-| `status` | string | No | Filter by: `"setup"`, `"in_progress"`, or `"completed"` |
-| `limit` | number | No | Maximum number of results to return |
-
-### get_experiment
-
-| Parameter | Type | Required | Description |
-|-----------|------|----------|-------------|
-| `experiment_id` | string (UUID) | Yes | The experiment to retrieve |
-
-### list_metrics
-
-| Parameter | Type | Required | Description |
-|-----------|------|----------|-------------|
-| `type` | string | No | Filter by: `"count"`, `"sum"`, `"ratio"`, or `"conversion"` |
-| `status` | string | No | Filter by metric status |
-
-### list_api_keys
-
-| Parameter | Type | Required | Description |
-|-----------|------|----------|-------------|
-| `experiment_id` | string | No | Filter keys by experiment ID |
-
-### update_api_keys
-
-| Parameter | Type | Required | Description |
-|-----------|------|----------|-------------|
-| `key_id` | string (UUID) | Yes | The API key to update |
-| `name` | string | No | New name for the API key |
-| `is_active` | boolean | No | Whether the key is active |
-| `experiment_ids` | string[] | No | Experiment IDs this key has access to (replaces existing) |
-| `gate_ids` | string[] | No | Gate IDs this key has access to (replaces existing) |
-
-## Development
-
-### Setup
-
-```bash
-cd mcp-tools
-npm install
-```
-
-### Build
-
-```bash
-npm run build
-```
-
-This compiles TypeScript from `src/` to `build/` using `tsc`.
-
-### Run
-
-```bash
-# Run compiled build
-npm start
-
-# Run in development mode (ts-node, no build needed)
-npm run dev
-```
-
-### Test
-
-```bash
-# Run all tests
-npm test
-
-# Run tests with coverage report
-npm run test:coverage
-```
-
-### Publish to npm
-
-The package is configured for publishing to the public npm registry.
-
-```bash
-# 1. Login to npm (one-time)
-npm login
-
-# 2. Publish (automatically runs build via prepublishOnly)
-npm publish
-```
-
-The `files` field in `package.json` ensures only the `build/` directory is included in the published package. No source code, tests, or documentation are shipped.
-
-## Architecture
-
-```
-mcp-tools/src/
-+-- index.ts                    # Barrel exports
-+-- servers/
-|   +-- wolves-server.ts        # MCP server wiring + CLI entry point
-+-- handlers/
-|   +-- wolves-handler.ts       # Business logic (7 tool methods)
-+-- utils/
-|   +-- token-manager.ts        # DefaultAzureCredential + token caching
-|   +-- wolves-api.ts           # Axios HTTP client for Wolves REST API
-+-- schemas/
-    +-- wolves-tools.json       # MCP tool definitions (JSON Schema)
-```
-
-- **Server** — Registers MCP tools and routes calls to handler methods via stdio transport.
-- **Handler** — Implements business logic including duplicate name checking, fetch-then-merge updates, and client-side filtering.
-- **API Client** — Axios-based HTTP client with automatic Bearer token injection.
-- **Token Manager** — Acquires and caches Azure AD tokens using `DefaultAzureCredential`, auto-refreshing 5 minutes before expiry.
-
-## License
-
-MIT