diff --git a/README.md b/README.md index c7f9e73..78e858b 100644 --- a/README.md +++ b/README.md @@ -1,231 +1,80 @@ -# `mcp-remote` +# mcp-remote-deno -Connect an MCP Client that only supports local (stdio) servers to a Remote MCP Server, with auth support: +A Deno wrapper for the [mcp-use](https://github.com/geelen/mcp-remote) proxy server that connects to remote MCP (Model Context Protocol) servers. -**Note: this is a working proof-of-concept** but should be considered **experimental**. +## Features -## Why is this necessary? +- Runs natively in Deno, utilizing NPM compatibility +- Provides a clean CLI interface +- Supports custom HTTP headers +- TypeScript type definitions included -So far, the majority of MCP servers in the wild are installed locally, using the stdio transport. This has some benefits: both the client and the server can implicitly trust each other as the user has granted them both permission to run. Adding secrets like API keys can be done using environment variables and never leave your machine. And building on `npx` and `uvx` has allowed users to avoid explicit install steps, too. +## Prerequisites -But there's a reason most software that _could_ be moved to the web _did_ get moved to the web: it's so much easier to find and fix bugs & iterate on new features when you can push updates to all your users with a single deploy. +- [Deno](https://deno.com/) 1.37.0 or higher -With the latest MCP [Authorization specification](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization), we now have a secure way of sharing our MCP servers with the world _without_ running code on user's laptops. Or at least, you would, if all the popular MCP _clients_ supported it yet. Most are stdio-only, and those that _do_ support HTTP+SSE don't yet support the OAuth flows required. +## Installation -That's where `mcp-remote` comes in. As soon as your chosen MCP client supports remote, authorized servers, you can remove it. Until that time, drop in this one liner and dress for the MCP clients you want! +No installation is needed! You can run the CLI directly using Deno: + +```bash +# Run from GitHub (replace {VERSION} with the latest version or main) +deno run --allow-net --allow-env --allow-read https://raw.githubusercontent.com/yourusername/mcp-deno/{VERSION}/cli.ts [callback-port] + +# Or clone the repository and run locally +git clone https://github.com/yourusername/mcp-deno.git +cd mcp-deno +deno task start [callback-port] +``` ## Usage -All the most popular MCP clients (Claude Desktop, Cursor & Windsurf) use the following config format: +```bash +# Basic usage with default callback port (3334) +deno task start https://your-mcp-server.com -```json -{ - "mcpServers": { - "remote-example": { - "command": "npx", - "args": [ - "mcp-remote", - "https://remote.mcp.server/sse" - ] - } - } -} +# Specify a custom callback port +deno task start https://your-mcp-server.com 8080 + +# Include custom HTTP headers +deno task start https://your-mcp-server.com --header "Authorization: Bearer token" --header "X-Custom: Value" ``` -### Custom Headers +## API -To bypass authentication, or to emit custom headers on all requests to your remote server, pass `--header` CLI arguments: +You can also use the library programmatically in your Deno projects: -```json -{ - "mcpServers": { - "remote-example": { - "command": "npx", - "args": [ - "mcp-remote", - "https://remote.mcp.server/sse", - "--header", - "Authorization: Bearer ${AUTH_TOKEN}" - ] - }, - "env": { - "AUTH_TOKEN": "..." - } - } -} +```typescript +import { startProxy, runProxy } from "https://raw.githubusercontent.com/yourusername/mcp-deno/{VERSION}/mod.ts"; + +// Using the wrapped function +await startProxy("https://your-mcp-server.com", 3334, { + "Authorization": "Bearer token" +}); + +// Or using the direct import from mcp-use +await runProxy("https://your-mcp-server.com", 3334, { + "Authorization": "Bearer token" +}); ``` -**Note:** Cursor has a bug where spaces inside `args` aren't escaped when it invokes `npx`, which ends up mangling these values. You can work around it using: +## Development -```jsonc -{ - // rest of config... - "args": [ - "mcp-remote", - "https://remote.mcp.server/sse", - "--header", - "Authorization:${AUTH_HEADER}" // note no spaces around ':' - ] -}, -"env": { - "AUTH_HEADER": "Bearer " // spaces OK in env vars -} +```bash +# Run in development mode with auto-reload +deno task dev https://your-mcp-server.com + +# Check types +deno check mod.ts cli.ts + +# Format code +deno fmt ``` -### Flags +## How It Works -* If `npx` is producing errors, consider adding `-y` as the first argument to auto-accept the installation of the `mcp-remote` package. +This project uses Deno's NPM compatibility feature to directly import and use the `mcp-use` package without the need for Node.js or a subprocess. It wraps the functionality in a Deno-friendly API with TypeScript type definitions. -```json - "command": "npx", - "args": [ - "-y" - "mcp-remote", - "https://remote.mcp.server/sse" - ] -``` +## License -* To force `npx` to always check for an updated version of `mcp-remote`, add the `@latest` flag: - -```json - "args": [ - "mcp-remote@latest", - "https://remote.mcp.server/sse" - ] -``` - -* To change which port `mcp-remote` listens for an OAuth redirect (by default `3334`), add an additional argument after the server URL. Note that whatever port you specify, if it is unavailable an open port will be chosen at random. - -```json - "args": [ - "mcp-remote", - "https://remote.mcp.server/sse", - "9696" - ] -``` - -* To allow HTTP connections in trusted private networks, add the `--allow-http` flag. Note: This should only be used in secure private networks where traffic cannot be intercepted. - -```json - "args": [ - "mcp-remote", - "http://internal-service.vpc/sse", - "--allow-http" - ] -``` - -### Claude Desktop - -[Official Docs](https://modelcontextprotocol.io/quickstart/user) - -In order to add an MCP server to Claude Desktop you need to edit the configuration file located at: - -* macOS: `~/Library/Application Support/Claude/claude_desktop_config.json` -* Windows: `%APPDATA%\Claude\claude_desktop_config.json` - -If it does not exist yet, [you may need to enable it under Settings > Developer](https://modelcontextprotocol.io/quickstart/user#2-add-the-filesystem-mcp-server). - -Restart Claude Desktop to pick up the changes in the configuration file. -Upon restarting, you should see a hammer icon in the bottom right corner -of the input box. - -### Cursor - -[Official Docs](https://docs.cursor.com/context/model-context-protocol). The configuration file is located at `~/.cursor/mcp.json`. - -As of version `0.48.0`, Cursor supports unauthed SSE servers directly. If your MCP server is using the official MCP OAuth authorization protocol, you still need to add a **"command"** server and call `mcp-remote`. - -### Windsurf - -[Official Docs](https://docs.codeium.com/windsurf/mcp). The configuration file is located at `~/.codeium/windsurf/mcp_config.json`. - -## Building Remote MCP Servers - -For instructions on building & deploying remote MCP servers, including acting as a valid OAuth client, see the following resources: - -* https://developers.cloudflare.com/agents/guides/remote-mcp-server/ - -In particular, see: - -* https://github.com/cloudflare/workers-oauth-provider for defining an MCP-comlpiant OAuth server in Cloudflare Workers -* https://github.com/cloudflare/agents/tree/main/examples/mcp for defining an `McpAgent` using the [`agents`](https://npmjs.com/package/agents) framework. - -For more information about testing these servers, see also: - -* https://developers.cloudflare.com/agents/guides/test-remote-mcp-server/ - -Know of more resources you'd like to share? Please add them to this Readme and send a PR! - -## Troubleshooting - -### Clear your `~/.mcp-auth` directory - -`mcp-remote` stores all the credential information inside `~/.mcp-auth` (or wherever your `MCP_REMOTE_CONFIG_DIR` points to). If you're having persistent issues, try running: - -```sh -rm -rf ~/.mcp-auth -``` - -Then restarting your MCP client. - -### Check your Node version - -Make sure that the version of Node you have installed is [18 or -higher](https://modelcontextprotocol.io/quickstart/server). Claude -Desktop will use your system version of Node, even if you have a newer -version installed elsewhere. - -### Restart Claude - -When modifying `claude_desktop_config.json` it can helpful to completely restart Claude - -### VPN Certs - -You may run into issues if you are behind a VPN, you can try setting the `NODE_EXTRA_CA_CERTS` -environment variable to point to the CA certificate file. If using `claude_desktop_config.json`, -this might look like: - -```json -{ - "mcpServers": { - "remote-example": { - "command": "npx", - "args": [ - "mcp-remote", - "https://remote.mcp.server/sse" - ], - "env": { - "NODE_EXTRA_CA_CERTS": "{your CA certificate file path}.pem" - } - } - } -} -``` - -### Check the logs - -* [Follow Claude Desktop logs in real-time](https://modelcontextprotocol.io/docs/tools/debugging#debugging-in-claude-desktop) -* MacOS / Linux:
`tail -n 20 -F ~/Library/Logs/Claude/mcp*.log` -* For bash on WSL:
`tail -n 20 -f "C:\Users\YourUsername\AppData\Local\Claude\Logs\mcp.log"` -* Powershell:
`Get-Content "C:\Users\YourUsername\AppData\Local\Claude\Logs\mcp.log" -Wait -Tail 20` - -## Debugging - -If you encounter the following error, returned by the `/callback` URL: - -``` -Authentication Error -Token exchange failed: HTTP 400 -``` - -You can run `rm -rf ~/.mcp-auth` to clear any locally stored state and tokens. - -### "Client" mode - -Run the following on the command line (not from an MCP server): - -```shell -npx -p mcp-remote@latest mcp-remote-client https://remote.mcp.server/sse -``` - -This will run through the entire authorization flow and attempt to list the tools & resources at the remote URL. Try this after running `rm -rf ~/.mcp-auth` to see if stale credentials are your problem, otherwise hopefully the issue will be more obvious in these logs than those in your MCP client. +MIT - See the [LICENSE](LICENSE) file for details. diff --git a/README.original.md b/README.original.md new file mode 100644 index 0000000..c7f9e73 --- /dev/null +++ b/README.original.md @@ -0,0 +1,231 @@ +# `mcp-remote` + +Connect an MCP Client that only supports local (stdio) servers to a Remote MCP Server, with auth support: + +**Note: this is a working proof-of-concept** but should be considered **experimental**. + +## Why is this necessary? + +So far, the majority of MCP servers in the wild are installed locally, using the stdio transport. This has some benefits: both the client and the server can implicitly trust each other as the user has granted them both permission to run. Adding secrets like API keys can be done using environment variables and never leave your machine. And building on `npx` and `uvx` has allowed users to avoid explicit install steps, too. + +But there's a reason most software that _could_ be moved to the web _did_ get moved to the web: it's so much easier to find and fix bugs & iterate on new features when you can push updates to all your users with a single deploy. + +With the latest MCP [Authorization specification](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization), we now have a secure way of sharing our MCP servers with the world _without_ running code on user's laptops. Or at least, you would, if all the popular MCP _clients_ supported it yet. Most are stdio-only, and those that _do_ support HTTP+SSE don't yet support the OAuth flows required. + +That's where `mcp-remote` comes in. As soon as your chosen MCP client supports remote, authorized servers, you can remove it. Until that time, drop in this one liner and dress for the MCP clients you want! + +## Usage + +All the most popular MCP clients (Claude Desktop, Cursor & Windsurf) use the following config format: + +```json +{ + "mcpServers": { + "remote-example": { + "command": "npx", + "args": [ + "mcp-remote", + "https://remote.mcp.server/sse" + ] + } + } +} +``` + +### Custom Headers + +To bypass authentication, or to emit custom headers on all requests to your remote server, pass `--header` CLI arguments: + +```json +{ + "mcpServers": { + "remote-example": { + "command": "npx", + "args": [ + "mcp-remote", + "https://remote.mcp.server/sse", + "--header", + "Authorization: Bearer ${AUTH_TOKEN}" + ] + }, + "env": { + "AUTH_TOKEN": "..." + } + } +} +``` + +**Note:** Cursor has a bug where spaces inside `args` aren't escaped when it invokes `npx`, which ends up mangling these values. You can work around it using: + +```jsonc +{ + // rest of config... + "args": [ + "mcp-remote", + "https://remote.mcp.server/sse", + "--header", + "Authorization:${AUTH_HEADER}" // note no spaces around ':' + ] +}, +"env": { + "AUTH_HEADER": "Bearer " // spaces OK in env vars +} +``` + +### Flags + +* If `npx` is producing errors, consider adding `-y` as the first argument to auto-accept the installation of the `mcp-remote` package. + +```json + "command": "npx", + "args": [ + "-y" + "mcp-remote", + "https://remote.mcp.server/sse" + ] +``` + +* To force `npx` to always check for an updated version of `mcp-remote`, add the `@latest` flag: + +```json + "args": [ + "mcp-remote@latest", + "https://remote.mcp.server/sse" + ] +``` + +* To change which port `mcp-remote` listens for an OAuth redirect (by default `3334`), add an additional argument after the server URL. Note that whatever port you specify, if it is unavailable an open port will be chosen at random. + +```json + "args": [ + "mcp-remote", + "https://remote.mcp.server/sse", + "9696" + ] +``` + +* To allow HTTP connections in trusted private networks, add the `--allow-http` flag. Note: This should only be used in secure private networks where traffic cannot be intercepted. + +```json + "args": [ + "mcp-remote", + "http://internal-service.vpc/sse", + "--allow-http" + ] +``` + +### Claude Desktop + +[Official Docs](https://modelcontextprotocol.io/quickstart/user) + +In order to add an MCP server to Claude Desktop you need to edit the configuration file located at: + +* macOS: `~/Library/Application Support/Claude/claude_desktop_config.json` +* Windows: `%APPDATA%\Claude\claude_desktop_config.json` + +If it does not exist yet, [you may need to enable it under Settings > Developer](https://modelcontextprotocol.io/quickstart/user#2-add-the-filesystem-mcp-server). + +Restart Claude Desktop to pick up the changes in the configuration file. +Upon restarting, you should see a hammer icon in the bottom right corner +of the input box. + +### Cursor + +[Official Docs](https://docs.cursor.com/context/model-context-protocol). The configuration file is located at `~/.cursor/mcp.json`. + +As of version `0.48.0`, Cursor supports unauthed SSE servers directly. If your MCP server is using the official MCP OAuth authorization protocol, you still need to add a **"command"** server and call `mcp-remote`. + +### Windsurf + +[Official Docs](https://docs.codeium.com/windsurf/mcp). The configuration file is located at `~/.codeium/windsurf/mcp_config.json`. + +## Building Remote MCP Servers + +For instructions on building & deploying remote MCP servers, including acting as a valid OAuth client, see the following resources: + +* https://developers.cloudflare.com/agents/guides/remote-mcp-server/ + +In particular, see: + +* https://github.com/cloudflare/workers-oauth-provider for defining an MCP-comlpiant OAuth server in Cloudflare Workers +* https://github.com/cloudflare/agents/tree/main/examples/mcp for defining an `McpAgent` using the [`agents`](https://npmjs.com/package/agents) framework. + +For more information about testing these servers, see also: + +* https://developers.cloudflare.com/agents/guides/test-remote-mcp-server/ + +Know of more resources you'd like to share? Please add them to this Readme and send a PR! + +## Troubleshooting + +### Clear your `~/.mcp-auth` directory + +`mcp-remote` stores all the credential information inside `~/.mcp-auth` (or wherever your `MCP_REMOTE_CONFIG_DIR` points to). If you're having persistent issues, try running: + +```sh +rm -rf ~/.mcp-auth +``` + +Then restarting your MCP client. + +### Check your Node version + +Make sure that the version of Node you have installed is [18 or +higher](https://modelcontextprotocol.io/quickstart/server). Claude +Desktop will use your system version of Node, even if you have a newer +version installed elsewhere. + +### Restart Claude + +When modifying `claude_desktop_config.json` it can helpful to completely restart Claude + +### VPN Certs + +You may run into issues if you are behind a VPN, you can try setting the `NODE_EXTRA_CA_CERTS` +environment variable to point to the CA certificate file. If using `claude_desktop_config.json`, +this might look like: + +```json +{ + "mcpServers": { + "remote-example": { + "command": "npx", + "args": [ + "mcp-remote", + "https://remote.mcp.server/sse" + ], + "env": { + "NODE_EXTRA_CA_CERTS": "{your CA certificate file path}.pem" + } + } + } +} +``` + +### Check the logs + +* [Follow Claude Desktop logs in real-time](https://modelcontextprotocol.io/docs/tools/debugging#debugging-in-claude-desktop) +* MacOS / Linux:
`tail -n 20 -F ~/Library/Logs/Claude/mcp*.log` +* For bash on WSL:
`tail -n 20 -f "C:\Users\YourUsername\AppData\Local\Claude\Logs\mcp.log"` +* Powershell:
`Get-Content "C:\Users\YourUsername\AppData\Local\Claude\Logs\mcp.log" -Wait -Tail 20` + +## Debugging + +If you encounter the following error, returned by the `/callback` URL: + +``` +Authentication Error +Token exchange failed: HTTP 400 +``` + +You can run `rm -rf ~/.mcp-auth` to clear any locally stored state and tokens. + +### "Client" mode + +Run the following on the command line (not from an MCP server): + +```shell +npx -p mcp-remote@latest mcp-remote-client https://remote.mcp.server/sse +``` + +This will run through the entire authorization flow and attempt to list the tools & resources at the remote URL. Try this after running `rm -rf ~/.mcp-auth` to see if stale credentials are your problem, otherwise hopefully the issue will be more obvious in these logs than those in your MCP client. diff --git a/deno.json b/deno.json new file mode 100644 index 0000000..f0b6335 --- /dev/null +++ b/deno.json @@ -0,0 +1,28 @@ +{ + "name": "@legalforce/mcp-remote-deno", + "version": "1.0.0", + "description": "Deno wrapper for mcp-use proxy server", + "publish": { + "include": [ + "dist/", + "README.md", + "deno.json" + ] + }, + "tasks": { + "start": "deno run --allow-net --allow-env --allow-read --allow-run --allow-sys --allow-ffi src/proxy.ts", + "dev": "deno run --watch --allow-net --allow-env --allow-read --allow-run --allow-sys --allow-ffi src/proxy.ts" + }, + "imports": { + "std/": "https://deno.land/std@0.220.0/", + "node/": "https://deno.land/std@0.220.0/node/", + "@modelcontextprotocol/sdk/": "npm:@modelcontextprotocol/sdk/" + }, + "compilerOptions": { + "strict": true, + "lib": [ + "ES2022", + "DOM" + ] + } +} diff --git a/implmentation_plan.md b/implmentation_plan.md new file mode 100644 index 0000000..0f3d15d --- /dev/null +++ b/implmentation_plan.md @@ -0,0 +1,31 @@ +# Implmentation Plan + +Here is a plan to transform your Node.js CLI package into a Deno CLI project, focusing on reusing the existing TypeScript code in the `src/` directory: + +1. **Analyze Dependencies:** + - [x] Identify Node.js built-in modules used (e.g., `events`, `process`). + - [x] Identify external npm packages (e.g., `@modelcontextprotocol/sdk`). +2. **Configure `deno.json`:** + - [x] Update the `imports` section to map npm packages using `npm:` specifiers (e.g., `"@modelcontextprotocol/sdk/": "npm:@modelcontextprotocol/sdk/"`). + - [x] Ensure necessary Deno standard library modules are imported if needed (e.g., `std/node` for Node compatibility APIs if direct replacement isn't feasible). + - [x] Update the `tasks` section to use `deno run` with appropriate permissions (`--allow-net`, `--allow-read`, `--allow-env`, etc.) targeting `src/proxy.ts`. Remove `--watch` from the main start task unless desired. + - [x] Review `compilerOptions`. Deno uses these, but ensure they align with Deno's defaults or project needs. Remove `"types": ["node"]` as Deno handles Node types via `node:` specifiers. + - [x] Remove `"unstable": ["sloppy-imports"]` and plan to add explicit file extensions to imports. +3. **Adapt Code in `src/`:** + - [ ] **Imports:** + - [ ] Prefix all Node.js built-in module imports with `node:` (e.g., `import { EventEmitter } from 'node:events';`). + - [ ] Update imports for external npm packages to match the `npm:` specifiers defined in `deno.json` or directly use `npm:` specifiers in the import statement. + - [ ] Append the `.ts` (or `.js` if applicable) extension to all relative file imports within the `src/` directory (e.g., `import { ... } from './lib/utils.ts';`). + - [ ] **Node Globals/APIs:** + - [ ] Replace `process.argv` with `Deno.args`. Note that `Deno.args` does *not* include the script name, so adjustments to slicing (like `.slice(2)`) might be needed or removed. + - [ ] Replace `process.exit()` with `Deno.exit()`. + - [ ] Replace or refactor any other Node-specific APIs that don't have direct Deno equivalents or aren't polyfilled via the `node:` specifier (e.g., check compatibility of `StdioServerTransport` if it relies heavily on Node streams internally, although the `npm:` specifier should handle much of this). +4. **Cleanup Project Root:** + - [ ] Delete `pnpm-lock.yaml` and `node_modules` (if present). + - [ ] Decide whether to keep `package.json`. It's not used by Deno for dependencies but can be useful for metadata (name, version, description). If kept, ensure it doesn't cause confusion. + - [ ] Remove `tsconfig.json` if all necessary compiler options are migrated to `deno.json`. Linters/editors might still pick it up, so consider keeping it for tooling compatibility if needed, but `deno.json` takes precedence for Deno itself. +5. **Testing:** + - [ ] Run the main task using `deno task start `. + - [ ] Thoroughly test the CLI's functionality to ensure it behaves identically to the original Node.js version. Pay close attention to areas involving file system access, network requests, environment variables, and process management. + +This plan prioritizes modifying the existing TypeScript code minimally while adapting the project structure and configuration for Deno. We will start by modifying `deno.json` and `src/proxy.ts`.