mcp2cli 2.5.0__tar.gz → 2.6.1__tar.gz

{mcp2cli-2.5.0 → mcp2cli-2.6.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mcp2cli
-Version: 2.5.0
+Version: 2.6.1
 Summary: Turn any MCP server or OpenAPI spec into a CLI
 Author: Stephan Fitzpatrick
 Author-email: Stephan Fitzpatrick <stephan@knowsuchagency.com>

{mcp2cli-2.5.0 → mcp2cli-2.6.1}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "mcp2cli"
-version = "2.5.0"
+version = "2.6.1"
 description = "Turn any MCP server or OpenAPI spec into a CLI"
 readme = "README.md"
 license = "MIT"

{mcp2cli-2.5.0 → mcp2cli-2.6.1}/src/mcp2cli/__init__.py

@@ -2,7 +2,7 @@
 
 from __future__ import annotations
 
-__version__ = "2.4.0"
+__version__ = "2.6.0"
 
 import argparse
 import copy
@@ -352,9 +352,25 @@ def _handle_http_error(resp) -> None:
 # ---------------------------------------------------------------------------
 
 
-def cache_key_for(source: str) -> str:
-    return hashlib.sha256(source.encode()).hexdigest()[:16]
+def cache_key_for(config: dict) -> str:
+    """
+    Generate cache key from tool configuration dict.
+
+    Hashes all config fields that affect MCP server behavior to ensure
+    unique caching for tools with the same URL but different configurations.
+    """
+    # Exclude fields that don't affect which tools are returned
+    cache_config = {
+        k: v for k, v in config.items()
+        if k not in ('cache_ttl', 'description', 'include', 'exclude', 'methods')
+    }
+    # Ensure auth_headers are sorted for stable hashing
+    if 'auth_headers' in cache_config and cache_config['auth_headers']:
+        cache_config['auth_headers'] = sorted(cache_config['auth_headers'])
 
+    return hashlib.sha256(
+        json.dumps(cache_config, sort_keys=True).encode()
+    ).hexdigest()[:16]
 
 def load_cached(key: str, ttl: int) -> dict | None:
     path = CACHE_DIR / f"{key}.json"
@@ -465,23 +481,37 @@ def build_oauth_provider(
     *,
     client_id: str | None = None,
     client_secret: str | None = None,
+    client_name: str = "mcp2cli",
     scope: str | None = None,
     redirect_uri: str | None = None,
+    flow: str = "auto",
 ) -> "httpx.Auth":
     """Build an OAuth provider for HTTP connections.
 
-    - client_id + client_secret  → client credentials flow (machine-to-machine).
-    - client_id only             → authorization code + PKCE, pre-configured client
-                                   (no dynamic client registration).
-    - neither                    → authorization code + PKCE with dynamic client
-                                   registration.
+    The ``flow`` parameter controls which grant type is used:
+
+    - ``"auto"`` (default): client_id + client_secret → client credentials;
+      client_id only → authorization code + PKCE (public client);
+      neither → authorization code + PKCE with dynamic client registration.
+    - ``"authorization_code"``: always use authorization code + PKCE.
+      When a client_secret is also provided the token-endpoint request
+      authenticates as a confidential client (``client_secret_post``).
+      This is required by servers like Slack that issue confidential OAuth
+      clients but only support the authorization-code grant.
+    - ``"client_credentials"``: always use client credentials (requires both
+      client_id and client_secret).
 
     redirect_uri controls the full callback URL (scheme, host, port, path).
     When None, defaults to http://127.0.0.1:<random-free-port>/callback.
     """
     storage = FileTokenStorage(server_url)
 
-    if client_id and client_secret:
+    use_client_credentials = (
+        flow == "client_credentials"
+        or (flow == "auto" and client_id and client_secret)
+    )
+
+    if use_client_credentials:
         from mcp.client.auth.extensions.client_credentials import (
             ClientCredentialsOAuthProvider,
         )
@@ -530,6 +560,7 @@ def build_oauth_provider(
         redirect_uri = f"http://127.0.0.1:{port}/callback"
 
     client_metadata = OAuthClientMetadata(
+        client_name=client_name,
         redirect_uris=[redirect_uri],
         grant_types=["authorization_code", "refresh_token"],
         response_types=["code"],
@@ -540,10 +571,18 @@ def build_oauth_provider(
         # Pre-seed storage with the caller-supplied client_id so the OAuth
         # provider skips dynamic client registration entirely.  The write is
         # synchronous (plain file I/O) so no async context is needed here.
+        #
+        # When a client_secret is provided (confidential client, e.g. Slack),
+        # include it and use client_secret_post so the token-endpoint request
+        # sends the secret in the POST body.
+        if client_secret:
+            auth_method = "client_secret_post"
+        else:
+            auth_method = "none"
         pre_client_info = OAuthClientInformationFull(
             client_id=client_id,
-            client_secret=None,
-            token_endpoint_auth_method="none",
+            client_secret=client_secret,
+            token_endpoint_auth_method=auth_method,
             redirect_uris=[redirect_uri],
             grant_types=["authorization_code", "refresh_token"],
             response_types=["code"],
@@ -642,7 +681,10 @@ def load_openapi_spec(
     is_url = source.startswith("http://") or source.startswith("https://")
 
     if is_url:
-        key = cache_key or cache_key_for(source)
+        key = cache_key or cache_key_for({
+            'source': source,
+            'auth_headers': auth_headers,
+        })
         if not refresh:
             cached = load_cached(key, ttl)
             if cached is not None:
@@ -1024,7 +1066,10 @@ def load_graphql_schema(
     oauth_provider: "httpx.Auth | None" = None,
 ) -> dict:
     """POST introspection query to a GraphQL endpoint, with caching."""
-    key = cache_key or cache_key_for(f"graphql:{url}")
+    key = cache_key or cache_key_for({
+        'source': f"graphql:{url}",
+        'auth_headers': auth_headers,
+    })
     if not refresh:
         cached = load_cached(key, ttl)
         if cached is not None:
@@ -1438,10 +1483,14 @@ def _baked_to_argv(config: dict) -> list[str]:
         argv += ["--oauth-client-id", config["oauth_client_id"]]
     if config.get("oauth_client_secret"):
         argv += ["--oauth-client-secret", config["oauth_client_secret"]]
+    if config.get("oauth_client_name") and config["oauth_client_name"] != "mcp2cli":
+        argv += ["--oauth-client-name", config["oauth_client_name"]]
     if config.get("oauth_scope"):
         argv += ["--oauth-scope", config["oauth_scope"]]
     if config.get("oauth_redirect_uri"):
         argv += ["--oauth-redirect-uri", config["oauth_redirect_uri"]]
+    if config.get("oauth_flow") and config["oauth_flow"] != "auto":
+        argv += ["--oauth-flow", config["oauth_flow"]]
     return argv
 
 
@@ -1488,8 +1537,20 @@ def _bake_create(argv: list[str]) -> None:
     p.add_argument("--oauth", action="store_true")
     p.add_argument("--oauth-client-id", default=None)
     p.add_argument("--oauth-client-secret", default=None)
+    p.add_argument("--oauth-client-name", default="mcp2cli")
     p.add_argument("--oauth-scope", default=None)
     p.add_argument("--oauth-redirect-uri", default=None, metavar="URI")
+    p.add_argument(
+        "--oauth-flow",
+        choices=["auto", "authorization_code", "client_credentials"],
+        default="auto",
+        help=(
+            "OAuth flow to use. 'auto' (default) picks client_credentials when both "
+            "client-id and client-secret are provided, otherwise authorization_code. "
+            "Use 'authorization_code' to force the auth code + PKCE flow even with a "
+            "client secret (required for confidential-client servers like Slack)."
+        ),
+    )
     p.add_argument("--include", default="", help="Comma-separated include globs")
     p.add_argument("--exclude", default="", help="Comma-separated exclude globs")
     p.add_argument("--methods", default="", help="Comma-separated HTTP methods")
@@ -1542,8 +1603,10 @@ def _bake_create(argv: list[str]) -> None:
         "oauth": args.oauth,
         "oauth_client_id": args.oauth_client_id,
         "oauth_client_secret": args.oauth_client_secret,
+        "oauth_client_name": args.oauth_client_name,
         "oauth_scope": args.oauth_scope,
         "oauth_redirect_uri": args.oauth_redirect_uri,
+        "oauth_flow": args.oauth_flow,
         "include": [x.strip() for x in args.include.split(",") if x.strip()],
         "exclude": [x.strip() for x in args.exclude.split(",") if x.strip()],
         "methods": [x.strip().upper() for x in args.methods.split(",") if x.strip()],
@@ -2775,7 +2838,16 @@ def handle_mcp(
     head: int | None = None,
     verbose: bool = False,
 ):
-    key = cache_key_override or cache_key_for(source)
+    # Build a config dict for cache key generation (future-proof)
+    config_for_cache = {
+        'source': source,
+        'auth_headers': auth_headers,
+        'transport': transport,
+        'env_vars': env_vars,
+        'is_stdio': is_stdio,
+    }
+    
+    key = cache_key_override or cache_key_for(config_for_cache)
 
     # Resource/prompt operations skip the tool flow entirely
     if resource_action or prompt_action:
@@ -3095,6 +3167,12 @@ def _build_main_parser() -> argparse.ArgumentParser:
         default=None,
         help="OAuth client secret — supports env:VAR and file:/path prefixes",
     )
+    pre.add_argument(
+        "--oauth-client-name",
+        default="mcp2cli",
+        help="Client name sent during OAuth Dynamic Client Registration (default: mcp2cli). "
+             "Some servers require a specific client name for DCR to succeed.",
+    )
     pre.add_argument(
         "--oauth-scope",
         default=None,
@@ -3107,6 +3185,17 @@ def _build_main_parser() -> argparse.ArgumentParser:
         help="Full redirect URI for the OAuth callback (e.g. http://localhost:3334/oauth/callback). "
              "Overrides the default http://127.0.0.1:<random-port>/callback.",
     )
+    pre.add_argument(
+        "--oauth-flow",
+        choices=["auto", "authorization_code", "client_credentials"],
+        default="auto",
+        help=(
+            "OAuth flow to use. 'auto' (default) picks client_credentials when both "
+            "client-id and client-secret are provided, otherwise authorization_code. "
+            "Use 'authorization_code' to force the auth code + PKCE flow even with a "
+            "client secret (required for confidential-client servers like Slack)."
+        ),
+    )
     # Resource flags
     pre.add_argument(
         "--list-resources", action="store_true", help="List available resources"
@@ -3220,12 +3309,22 @@ def _setup_oauth(pre_args):
         if pre_args.oauth_client_secret
         else None
     )
+    flow = getattr(pre_args, "oauth_flow", "auto")
+    if flow == "client_credentials" and not (client_id and client_secret):
+        print(
+            "Error: --oauth-flow=client_credentials requires both "
+            "--oauth-client-id and --oauth-client-secret",
+            file=sys.stderr,
+        )
+        sys.exit(1)
     return build_oauth_provider(
         server_url,
         client_id=client_id,
         client_secret=client_secret,
+        client_name=getattr(pre_args, "oauth_client_name", "mcp2cli"),
         scope=pre_args.oauth_scope,
         redirect_uri=pre_args.oauth_redirect_uri,
+        flow=flow,
     )