critical

@hapticpaper/mcp-server v1.0.62

Official MCP Server for Haptic Paper - Connect your account to create human tasks from agentic pipelines.

npm | hapticpaper | First seen Feb 22, 2026

Findings: 56 total (17 Critical, 33 High, 6 Medium)

Findings

critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    133:         tokenProvider: transportType === 'http' ? undefined : async () => {
    134:             // 1. Check for API key (CI/headless mode)
>>> 135:             const apiKey = process.env.HAPTIC_API_KEY;
    136:             if (apiKey) {
    137:                 return apiKey;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    130:     // Initialize Client with auto-auth tokenProvider
    131:     const client = new HapticPaperClient({
>>> 132:         baseUrl: process.env.API_URL || 'https://hh.hapticpaper.com/api/v1',
    133:         tokenProvider: transportType === 'http' ? undefined : async () => {
    134:             // 1. Check for API key (CI/headless mode)
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    119:             clientId: 'mcp-client',
    120:             authorizationUrl: process.env.AUTH_URL || 'https://hh.hapticpaper.com/oauth/authorize',
>>> 121:             tokenUrl: process.env.TOKEN_URL || 'https://hh.hapticpaper.com/api/v1/oauth/token',
    122:             redirectUri: 'http://127.0.0.1/callback',
    123:             scopes: [...ALL_TOOL_SCOPES]
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    194:         const scopesSupported = ['tasks:read', 'tasks:write', 'workers:read', 'account:read', 'account:write'];
    195:         const getConfiguredPublicOrigin = () => {
>>> 196:             const configured = process.env.MCP_PUBLIC_URL;
    197:             if (!configured)
    198:                 return undefined;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    53:  */
    54: export function logToolSuccess(toolName, action, details) {
>>> 55:     if (process.env.NODE_ENV !== 'production') {
    56:         console.log(`[${toolName}] Success:`, { action, ...details });
    57:     }
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    190:         const mcpOrigin = resourceServerUrl.origin;
    191:         // Backend OAuth endpoints
>>> 192:         const backendBaseUrl = process.env.BACKEND_PUBLIC_URL || process.env.API_URL?.replace(/\/api\/v1\/?$/, '') || 'http://localhost:3000';
    193:         const backendOAuthBase = `${backendBaseUrl}/api/v1/oauth`;
    194:         const scopesSupported = ['tasks:read', 'tasks:write', 'workers:read', 'account:read', 'account:write'];
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    184:         // Use standard Express API to enable trust proxy for Cloud Run
    185:         app.set('trust proxy', 1);
>>> 186:         const configuredResourceUrl = process.env.RESOURCE_SERVER_URL;
    187:         const resourceServerUrl = new URL(configuredResourceUrl || `http://${host}:${port}/mcp`);
    188:         // MCP spec: authorization base URL is the MCP server origin (path stripped)
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    180:         const app = createMcpExpressApp({
    181:             host,
>>> 182:             allowedHosts: process.env.MCP_ALLOWED_HOSTS?.split(',').map((s) => s.trim()).filter(Boolean),
    183:         });
    184:         // Use standard Express API to enable trust proxy for Cloud Run
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    367:         });
    368:         const transports = {};
>>> 369:         const allowUnauthenticatedDiscovery = String(process.env.MCP_ALLOW_UNAUTHENTICATED_DISCOVERY || '').toLowerCase() === 'true';
    370:         const discoveryMethods = ['tools/list', 'resources/list', 'prompts/list'];
    371:         // Allowlist for JSON-RPC notifications that are safe to accept unauthenticated.
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    295:             token_endpoint_auth_methods_supported: ['client_secret_post', 'client_secret_basic', 'none'],
    296:         };
>>> 297:         const authMetadataDisabled = String(process.env.MCP_AUTH_METADATA_DISABLED || '').toLowerCase() === 'true';
    298:         const canAdvertiseAuthMetadata = issuer.startsWith('https://') && resourceServerUrl.protocol === 'https:';
    299:         const shouldAdvertiseAuthMetadata = !authMetadataDisabled && canAdvertiseAuthMetadata;
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    177:         console.error('[MCP] MCP_TRANSPORT=http: interactive OAuth is disabled; clients must send Authorization: Bearer <token>');
    178:         const host = process.env.HOST || '127.0.0.1';
>>> 179:         const port = Number(process.env.PORT || 3001);
    180:         const app = createMcpExpressApp({
    181:             host,
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    118:         const auth = new MCPOAuthHandler({
    119:             clientId: 'mcp-client',
>>> 120:             authorizationUrl: process.env.AUTH_URL || 'https://hh.hapticpaper.com/oauth/authorize',
    121:             tokenUrl: process.env.TOKEN_URL || 'https://hh.hapticpaper.com/api/v1/oauth/token',
    122:             redirectUri: 'http://127.0.0.1/callback',
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    176:     if (transportType === 'http') {
    177:         console.error('[MCP] MCP_TRANSPORT=http: interactive OAuth is disabled; clients must send Authorization: Bearer <token>');
>>> 178:         const host = process.env.HOST || '127.0.0.1';
    179:         const port = Number(process.env.PORT || 3001);
    180:         const app = createMcpExpressApp({
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    112:         return server;
    113:     }
>>> 114:     const transportType = process.env.MCP_TRANSPORT || 'stdio';
    115:     // Helper to run interactive OAuth flow
    116:     const runOAuthFlow = async () => {
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    37:             const originalRequest = error.config;
    38:             // Log errors for debugging (but not in production to avoid log spam)
>>> 39:             if (process.env.NODE_ENV !== 'production') {
    40:                 console.error('[HapticPaperClient] Request failed:', {
    41:                     url: error.config?.url,
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    30:             clientId: 'mcp-client', // Matches seedMcpClient.ts
    31:             authorizationUrl: process.env.AUTH_URL || 'https://hh.hapticpaper.com/oauth/authorize',
>>> 32:             tokenUrl: process.env.TOKEN_URL || 'https://hh.hapticpaper.com/api/v1/oauth/token',
    33:             redirectUri: 'http://127.0.0.1/callback',
    34:             scopes: ['tasks:read', 'tasks:write', 'workers:read', 'account:read']
critical | DE-002 | Data Exfiltration | High Confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    29:         const auth = new MCPOAuthHandler({
    30:             clientId: 'mcp-client', // Matches seedMcpClient.ts
>>> 31:             authorizationUrl: process.env.AUTH_URL || 'https://hh.hapticpaper.com/oauth/authorize',
    32:             tokenUrl: process.env.TOKEN_URL || 'https://hh.hapticpaper.com/api/v1/oauth/token',
    33:             redirectUri: 'http://127.0.0.1/callback',
high | DO-BAS | unknown | Medium Confidence | Line 0 (33 findings)

Each of the 33 findings below was detected by automated pattern matching (rule DO-BAS) with medium confidence and may be a false positive. The decoded base64 content reported for each finding is non-printable bytes, reproduced here as the scanner displayed it, one line per finding:

��ޭ�^ �^U��~'�
��ޭ�^ �^U��~'�
� m� +������~)^
� m� +�����"�[?
� m� +����ǫ�'�q�b�{?
� m�Ʃi���؞��j�!
� m��������+ʛh
j�a1�Zu�Z+nW�
q��v���+�a1�Zu�Z
j�a1�Zu�Z+nW�
q��v���+�a1�Zu�Z
��-y�^u����xǭi֭iJ�
��N�a>�-y�^u����xǭi֭iJ�
��-y�^u����xǭi֭iJ�
��H�˞�Z+1�Zu�Z
j�a1�Zu�Z+nW�
��-y�^u����xǭi֭iJ�
��n�R6�b~'�*'
��n�R6�b~'�*'
�{�Ȩ�)�&��7�
��ݕ䞲Ȩ����-
��ݕ䞲Ȩ����-
��ݕ䞲Ȩ����-
��N�a>�-y�^u����xǭi֭iJ�
J�b�'���ӭ�즊�
J�b�'���ӭ�즊�
��N�a>�-y�^u����xǭi֭iJ�
��"�׫YQz�.�Ǭ
���j/����7�r���*'
��"�׫YQz�.�Ǭ
��H�˞�Z+1�Zu�Z
��H�˞�Z+1�Zu�Z
��H�˞�Z+1�Zu�Z
medium | OB-001 | Obfuscation | Medium Confidence | Line 0

Possible Base64-encoded payload (long encoded string)

Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive.

    6: import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
    7: import { mcpAuthMetadataRouter, getOAuthProtectedResourceMetadataUrl } from "@modelcontextprotocol/sdk/server/auth/router.js";
>>> 8: import { requireBearerAuth } from "@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js";
    9: import dotenv from 'dotenv';
    10: import crypto from 'node:crypto';
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    65:             client_id: this.clientId,
    66:         });
>>> 67:         const response = await fetch(this.refreshUrl, {
    68:             method: 'POST',
    69:             headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    125:         params.append('redirect_uri', redirectUri);
    126:         params.append('code_verifier', this.codeVerifier);
>>> 127:         const response = await fetch(this.config.tokenUrl, {
    128:             method: 'POST',
    129:             headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
medium | NS-003 | Network Suspicious | Medium Confidence | Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    271:         app.post('/register', async (req, res) => {
    272:             try {
>>> 273:                 const response = await fetch(`${backendOAuthBase}/register`, {
    274:                     method: 'POST',
    275:                     headers: { 'Content-Type': 'application/json' },
medium | EN-001 | unknown | Medium Confidence | Line 0 (2 findings)

High-entropy string (4.8 bits/char) — possible encoded payload

Both findings were detected by automated pattern matching (rule EN-001) with medium confidence and may be false positives.

Scan History

Date         | Risk     | Findings
Feb 25, 2026 | critical | 56
Feb 23, 2026 | critical | 56
Feb 22, 2026 | critical | 56