critical

@instantdb/mcp

v0.22.142

Model Context Protocol (MCP) server for managing Instant apps, schemas, and permissions!

npmGitHub ActionsFirst seen Feb 22, 2026

Total

Critical

High

Medium

Findings

unknown

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    106: 
    107: ```bash
>>> 108: cp .env.example .env
    109: ```
    110:

Report false positive

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    109: ```
    110: 
>>> 111: Fill in all of the environment variables for your new `.env` file.
    112: 
    113: ```bash

Report false positive

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    117: Visit the server at [http://localhost:3123](http://localhost:3123).
    118: 
>>> 119: To work on the `stdio` version of the codebase, update your `.env` file with `SERVER_TYPE=stdio`.

Report false positive

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    197: 
    198:       const adminDb = init({
>>> 199:         appId: process.env.NEXT_PUBLIC_INSTANT_APP_ID!,
    200:         adminToken: process.env.INSTANT_APP_ADMIN_TOKEN!,
    201:       });

Report false positive

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    198:       const adminDb = init({
    199:         appId: process.env.NEXT_PUBLIC_INSTANT_APP_ID!,
>>> 200:         adminToken: process.env.INSTANT_APP_ADMIN_TOKEN!,
    201:       });
    202:

Report false positive

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    237: 
    238:       const adminDb = init({
>>> 239:         appId: process.env.NEXT_PUBLIC_INSTANT_APP_ID!,
    240:         adminToken: process.env.INSTANT_APP_ADMIN_TOKEN!,
    241:       });

Report false positive

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    238:       const adminDb = init({
    239:         appId: process.env.NEXT_PUBLIC_INSTANT_APP_ID!,
>>> 240:         adminToken: process.env.INSTANT_APP_ADMIN_TOKEN!,
    241:       });
    242:

Report false positive

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    336:         },
    337:     });
>>> 338:     const accessToken = token || process.env.INSTANT_ACCESS_TOKEN;
    339:     if (!accessToken) {
    340:         console.error('Provide an access token using --token or set INSTANT_ACCESS_TOKEN environment variable');

Report false positive

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    348: }
    349: function ensureEnv(key) {
>>> 350:     const v = process.env[key];
    351:     if (!v) {
    352:         throw new Error(`Missing environment variable ${key}`);

Report false positive

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    356: async function startSse() {
    357:     const honeycomb = new HoneycombSDK({
>>> 358:         apiKey: process.env.HONEYCOMB_API_KEY,
    359:         serviceName: 'mcp-server',
    360:     });

Report false positive

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    359:         serviceName: 'mcp-server',
    360:     });
>>> 361:     if (process.env.HONEYCOMB_API_KEY) {
    362:         honeycomb.start();
    363:     }

Report false positive

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    549:         res.status(200).send('Tip top!');
    550:     });
>>> 551:     const port = parseInt(process.env.PORT || '3123');
    552:     const host = process.env.IN_FLY ? '0.0.0.0' : 'localhost';
    553:     if (process.env.IN_FLY) {

Report false positive

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    550:     });
    551:     const port = parseInt(process.env.PORT || '3123');
>>> 552:     const host = process.env.IN_FLY ? '0.0.0.0' : 'localhost';
    553:     if (process.env.IN_FLY) {
    554:         app.set('trust proxy', 2);

Report false positive

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    551:     const port = parseInt(process.env.PORT || '3123');
    552:     const host = process.env.IN_FLY ? '0.0.0.0' : 'localhost';
>>> 553:     if (process.env.IN_FLY) {
    554:         app.set('trust proxy', 2);
    555:     }

Report false positive

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    557: }
    558: async function main() {
>>> 559:     if (process.env.SERVER_TYPE === 'http') {
    560:         return startSse();
    561:     }

Report false positive

criticalDE-002Data ExfiltrationHigh ConfidenceLine 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

>>> 1: {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,eAAe,CAAC;AACvB,OAAO,OAA8B,MAAM,SAAS,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,OAAO,MAAM,cAAc,CAAC;AACnC,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AACnG,OAAO,EAAE,YAAY,EAAE,MAAM,iCAAiC,CAAC;AAC/D,OAAO,EACL,KAAK,EACL,QAAQ,EACR,cAAc,GAGf,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,mBAAmB,EACnB,aAAa,GACd,MAAM,iDAAiD,CAAC;AACzD,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AACrC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAExC,OAAO,MAAM,MAAM,wBAAwB,CAAC;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,gEAAgE,CAAC;AACnG,OAAO,EACL,cAAc,EAEd,eAAe,EACf,mBAAmB,GACpB,MAAM,6BAA6B,CAAC;AAErC,OAAO,SAAS,MAAM,iBAAiB,CAAC;AACxC,OAAO,EAAE,kBAAkB,EAAE,MAAM,yCAAyC,CAAC;AAE7E,UAAU;AACV,cAAc;AACd,SAAS,eAAe;IACtB,OAAO,IAAI,SAAS,CAAC;QACnB,IAAI,EAAE,gBAAgB;QACtB,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,oBAAoB;AACpB,cAAc;AAEd,8BAA8B;AAC9B,SAAS,qBAAqB,CAC5B,MAAiB,EACjB,MAAc,EACd,KAAiB;IAEjB,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAE9C,MAAM,CAAC,IAAI,GAAG,UAAU,IAAY,EAAE,GAAG,IAAW;QAClD,oDAAoD;QACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACvC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAEpC,iCAAiC;QACjC,MAAM,eAAe,GAAG,KAAK,EAAE,GAAG,YAAmB,EAAE,EAAE;YACvD,MAAM,IAAI,GAAG,MAAM,CAAC,SAAS,CAAC,QAAQ,IAAI,EAAE,EAAE;gBAC5C,UAAU,EAAE,KAAK;aAClB,CAAC,CAAC;YACH,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,GAAG,YAAY,CAAC,CAAC;gBAC/C,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,cAAc,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC5C,OAAO,MAAM,CAAC;YAChB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,EAAE,CAAC,CAAC;gBAC/C,IAAI,CAAC,eAAe,CAAC,KAAc,CAAC,CAAC;gBACrC,MAAM,KAAK,CAAC;YACd,CAAC;oBAAS,CAAC;gBACT,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,CAAC;QACH,CAAC,CAAC;QAEF,OAAO,YAAY,CACjB,IAAI;QACJ,8CAA8C;QAC9C,GAAG,SAAS,EACZ,eAAe,CAChB,CAAC;IACJ,CAAQ,CAAC;IAET,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,aAAa,CAAC,MAAiB;IACtC,MAAM,CAAC,IAAI,CACT,OAAO,EACP,0FAA0F,EAC1F,EAAE,EACF,KAAK,IAAI,EAAE;QACT,MAAM,YAAY,GAAG;;;;OAIpB,CAAC;QAEF,OAAO;YACL,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,YAAY;iBACnB;aACF;SACF,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,YAAY,EACZ,oCAAoC,EACpC;QACE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,iBAAiB,CAAC;QACpD,UAAU,EAAE,CAAC;aACV,MAAM,EAAE;aACR,IAAI,EAAE;aACN,QAAQ,CAAC,qCAAqC,CAAC;KACnD,EACD,KAAK,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE;QAC9B,MAAM,YAAY,GAAG;;;;0CAIe,KAAK,YAAY,UAAU;;;;OAI9D,CAAC;QAEF,OAAO;YACL,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,YAAY;iBACnB;aACF;SACF,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,WAAW,EACX,wCAAwC,EACxC;QACE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,iBAAiB,CAAC;QACpD,UAAU,EAAE,CAAC;aACV,MAAM,EAAE;aACR,IAAI,EAAE;aACN,QAAQ,CAAC,qCAAqC,CAAC;KACnD,EACD,KAAK,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE;QAC9B,MAAM,YAAY,GAAG;;;;yCAIc,KAAK,YAAY,UAAU;;;;OAI7D,CAAC;QAEF,OAAO;YACL,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,YAAY;iBACnB;aACF;SACF,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,aAAa,EACb;4GACwG,EACxG;QACE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,iBAAiB,CAAC;QACpD,UAAU,EAAE,CAAC;aACV,MAAM,EAAE;aACR,IAAI,EAAE;aACN,QAAQ,CAAC,qCAAqC,CAAC;KACnD,EACD,KAAK,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE;QAC9B,MAAM,YAAY,GAAG;;;;;0CAKe,KAAK,YAAY,UAAU;;;;;;;;;0CAS3B,KAAK,YAAY,UAAU;;OAE9D,CAAC;QAEF,OAAO;YACL,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,YAAY;iBACnB;aACF;SACF,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,YAAY,EACZ;0GACsG,EACtG;QACE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,iBAAiB,CAAC;QACpD,UAAU,EAAE,CAAC;aACV,MAAM,EAAE;aACR,IAAI,EAAE;aACN,QAAQ,CAAC,qCAAqC,CAAC;KACnD,EACD,KAAK,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE;QAC9B,MAAM,YAAY,GAAG;;;;0CAIe,KAAK,YAAY,UAAU;;;;OAI9D,CAAC;QAEF,OAAO;YACL,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,YAAY;iBACnB;aACF;SACF,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,OAAO,EACP,uEAAuE,EACvE,EAAE,EACF,KAAK,IAAI,EAAE;QACT,MAAM,YAAY,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA6BpB,CAAC;QAEF,OAAO;YACL,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,YAAY;iBACnB;aACF;SACF,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,UAAU,EACV,wFAAwF,EACxF,EAAE,EACF,KAAK,IAAI,EAAE;QACT,MAAM,YAAY,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAsFpB,CAAC;QAEF,OAAO;YACL,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,YAAY;iBACnB;aACF;SACF,CAAC;IACJ,CAAC,CACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,MAAM,EACJ,MAAM,EAAE,EAAE,KAAK,EAAE,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,GACvC,GAAG,SAAS,CAAC;QACZ,OAAO,EAAE;YACP,KAAK,EAAE;gBACL,IAAI,EAAE,QAAQ;aACf;YACD,CAAC,SAAS,CAAC,EAAE;gBACX,IAAI,EAAE,QAAQ;aACf;SACF;KACF,CAAC,CAAC;IAEH,MAAM,WAAW,GAAG,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IAC9D,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,CAAC,KAAK,CACX,wFAAwF,CACzF,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;IACjC,aAAa,CAAC,MAAM,CAAC,CAAC;IAEtB,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,OAAO,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAC;AAChE,CAAC;AAED,SAAS,SAAS,CAAC,GAAW;IAC5B,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,CAAC,CAAC,EAAE,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,gCAAgC,GAAG,EAAE,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,KAAK,UAAU,QAAQ;IACrB,MAAM,SAAS,GAAG,IAAI,YAAY,CAAC;QACjC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB;QACrC,WAAW,EAAE,YAAY;KAC1B,CAAC,CAAC;IAEH,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC;QAClC,SAAS,CAAC,KAAK,EAAE,CAAC;IACpB,CAAC;IAED,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;IAE7C,MAAM,EAAE,GAAG,IAAI,CAAC;QACd,UAAU,EAAE,SAAS,CAAC,qBAAqB,CAAC;QAC5C,KAAK,EAAE,SAAS,CAAC,gBAAgB,CAAC;QAClC,MAAM;QACN,iBAAiB,EAAE,IAAI;KACxB,CAAC,CAAC;IAEH,MAAM,WAAW,GAAgB;QAC/B,QAAQ,EAAE,SAAS,CAAC,yBAAyB,CAAC;QAC9C,YAAY,EAAE,SAAS,CAAC,6BAA6B,CAAC;QACtD,YAAY,EAAE,SAAS,CAAC,eAAe,CAAC;KACzC,CAAC;IAEF,MAAM,SAAS,GAAc,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAEtE,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;IACtB,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IAEvC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,MAAM,IAAI,GAAG,MAAM,CAAC,SAAS,CAAC,UAAU,EAAE;YACxC,IAAI,EAAE,QAAQ,CAAC,MAAM;YACrB,UAAU,EAAE;gBACV,aAAa,EAAE,GAAG,CAAC,MAAM;gBACzB,UAAU,EAAE,GAAG,CAAC,GAAG;gBACnB,aAAa,EAAE,GAAG,CAAC,IAAI;gBACvB,WAAW,EAAE,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC;gBAC5B,aAAa,EAAE,GAAG,CAAC,QAAQ;aAC5B;SACF,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACtC,GAAG,CAAC,GAAG,GAAG,UAA4B,GAAG,IAAW;YAClD,IAAI,CAAC,YAAY,CAAC,kBAAkB,EAAE,GAAG,CAAC,UAAU,CAAC,CAAC;YACtD,IAAI,CAAC,SAAS,CAAC;gBACb,IAAI,EAAE,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,cAAc,CAAC,EAAE;aACvE,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,EAAE,CAAC;YACX,OAAO,WAAW,CAAC,GAAG,IAAI,CAAC,CAAC;QAC9B,CAAC,CAAC;QAEF,IAAI,EAAE,CAAC;IACT,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CACL,QAAQ,CAAC;QACP,MAAM;QACN,WAAW,EAAE;YACX,MAAM,CAAC,GAAG;gBACR,OAAO,GAAG,CAAC,GAAG,KAAK,SAAS,CAAC;YAC/B,CAAC;SACF;KACF,CAAC,CACH,CAAC;IACF,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAExB,MAAM,aAAa,GAAG,IAAI,eAAe,CAAC,EAAE,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC;IAEtE,MAAM,iBAAiB,GAAG;QACxB,eAAe,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC;QAC5C,QAAQ,EAAE,aAAa;QACvB,SAAS,EAAE,IAAI,GAAG,CAAC,WAAW,CAAC,YAAY,CAAC;QAC5C,OAAO,EAAE,IAAI,GAAG,CAAC,WAAW,CAAC,YAAY,CAAC;QAC1C,uBAAuB,EAAE,IAAI,GAAG,CAAC,4BAA4B,CAAC;KAC/D,CAAC;IAEF,MAAM,aAAa,GAAG,mBAAmB,CAAC,iBAAiB,CAAC,CAAC;IAE7D,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAE1C,cAAc,CAAC,GAAG,EAAE,EAAE,EAAE,WAAW,CAAC,CAAC;IAErC,GAAG,CAAC,GAAG,CAAC,2CAA2C,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QACjE,GAAG,CAAC,IAAI,CAAC;YACP,QAAQ,EAAE,GAAG,WAAW,CAAC,YAAY,MAAM;YAC3C,qBAAqB,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;YAC7C,gBAAgB,EAAE,aAAa,CAAC,gBAAgB;YAChD,sBAAsB,EAAE,4BAA4B;SACrD,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,2CAA2C,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QACjE,GAAG,CAAC,IAAI,CAAC;YACP,QAAQ,EAAE,GAAG,WAAW,CAAC,YAAY,MAAM;YAC3C,qBAAqB,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;YAC7C,gBAAgB,EAAE,aAAa,CAAC,gBAAgB;YAChD,sBAAsB,EAAE,4BAA4B;SACrD,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,sBAAsB,GAAG,CAAC,IAAY,EAAE,EAAE,CAC9C,iBAAiB,CAAC;QAChB,QAAQ,EAAE,aAAa;QACvB,mBAAmB,EAAE,GAAG,WAAW,CAAC,YAAY,yCAAyC,IAAI,EAAE;KAChG,CAAC,CAAC;IAEL,0DAA0D;IAC1D,GAAG,CAAC,IAAI,CACN,MAAM,EACN,sBAAsB,CAAC,KAAK,CAAC,EAC7B,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QACpC,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,EAAE,EAAE,GAAG,CAAC,IAAK,CAAC,KAAK,CAAC,CAAC;YAE9D,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE;gBACpC,kBAAkB,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,SAAS;gBACrD,aAAa,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,WAAW;gBAClD,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE;gBACvC,cAAc,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,KAAK;gBAC7C,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,UAAU;gBAChD,sBAAsB,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,aAAa;aAC9D,CAAC,CAAC;YACH,aAAa,CAAC,MAAM,CAAC,CAAC;YACtB,MAAM,SAAS,GACb,IAAI,6BAA6B,CAAC;gBAChC,kBAAkB,EAAE,SAAS;aAC9B,CAAC,CAAC;YAEL,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;gBACnB,SAAS,CAAC,KAAK,EAAE,CAAC;gBAClB,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,CAAC,CAAC,CAAC;YACH,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QACpD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,6BAA6B,EAAE,CAAC,CAAC,CAAC;YAChD,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,uBAAuB;qBACjC;oBACD,EAAE,EAAE,IAAI;iBACT,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC,CACF,CAAC;IAEF,8CAA8C;IAC9C,MAAM,oBAAoB,GAAG,KAAK,EAChC,IAAqB,EACrB,GAAqB,EACrB,EAAE;QACF,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CACpB,IAAI,CAAC,SAAS,CAAC;YACb,OAAO,EAAE,KAAK;YACd,KAAK,EAAE;gBACL,IAAI,EAAE,CAAC,KAAK;gBACZ,OAAO,EAAE,qBAAqB;aAC/B;YACD,EAAE,EAAE,IAAI;SACT,CAAC,CACH,CAAC;IACJ,CAAC,CAAC;IAEF,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC;IACtC,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC;IAEzC,wBAAwB;IACxB,MAAM,UAAU,GAAG;QACjB,GAAG,EAAE,EAAwC;KAC9C,CAAC;IAEF,GAAG,CAAC,GAAG,CACL,MAAM,EACN,sBAAsB,CAAC,KAAK,CAAC,EAC7B,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QACpC,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;QACjC,MAAM,SAAS,GAAG,IAAI,kBAAkB,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;QAC3D,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACnB,OAAO,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,EAAE,EAAE,GAAG,CAAC,IAAK,CAAC,KAAK,CAAC,CAAC;YAE9D,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE;gBACpC,kBAAkB,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,SAAS;gBACrD,aAAa,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,WAAW;gBAClD,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE;gBACvC,cAAc,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,KAAK;gBAC7C,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,UAAU;gBAChD,sBAAsB,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,aAAa;aAC9D,CAAC,CAAC;YAEH,aAAa,CAAC,MAAM,CAAC,CAAC;YACtB,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC;QAClD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,CAAC,CAAC,CAAC;YACpD,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,KAAK;wBACZ,OAAO,EAAE,uBAAuB;qBACjC;oBACD,EAAE,EAAE,IAAI;iBACT,CAAC,CAAC;YACL,CAAC;YACD,OAAO;QACT,CAAC;QAED,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAClC,CAAC,CACF,CAAC;IAEF,4CAA4C;IAC5C,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACvC,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,SAAmB,CAAC;QAChD,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC5C,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,SAAS,CAAC,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QACxD,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,IAAI,EAAE,GAAa,EAAE,EAAE;QACnC,GAAG;aACA,MAAM,CAAC,GAAG,CAAC;aACX,GAAG,CAAC,cAAc,EAAE,0BAA0B,CAAC;aAC/C,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,GAAa,EAAE,EAAE;QACzC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,MAAM,CAAC,CAAC;IAClD,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC;IAE1D,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QACvB,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC;IAC5B,CAAC;IAED,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,EAAE,CAAC,CAAC,CAAC;AACzE,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,MAAM,EAAE,CAAC;QACvC,OAAO,QAAQ,EAAE,CAAC;IACpB,CAAC;IACD,OAAO,UAAU,EAAE,CAAC;AACtB,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IACrB,OAAO,CAAC,KAAK,CAAC,wBAAwB,EAAE,KAAK,CAAC,CAAC;IAC/C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC","sourcesContent":["#!/usr/bin/env node\n\nimport 'dotenv/config';\nimport express, { Request, Response } from 'express';\nimport { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';\nimport { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';\nimport { z } from 'zod';\nimport { parseArgs } from 'node:util';\nimport version from './version.ts';\nimport { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';\nimport { HoneycombSDK } from '@honeycombio/opentelemetry-node';\nimport {\n  trace,\n  SpanKind,\n  SpanStatusCode,\n  Tracer,\n  Attributes,\n} from '@opentelemetry/api';\n\nimport {\n  createOAuthMetadata,\n  mcpAuthRouter,\n} from '@modelcontextprotocol/sdk/server/auth/router.js';\nimport { pinoHttp } from 'pino-http';\nimport { pino } from 'pino';\nimport { init } from '@instantdb/admin';\n\nimport schema from './db/instant.schema.ts';\nimport { requireBearerAuth } from '@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js';\nimport {\n  addOAuthRoutes,\n  OAuthConfig,\n  ServiceProvider,\n  tokensOfBearerToken,\n} from './oauth-service-provider.ts';\nimport { KeyConfig } from './crypto.ts';\nimport indexHtml from './index.html.ts';\nimport { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse.js';\n\n// Helpers\n// -----------\nfunction createMCPServer(): McpServer {\n  return new McpServer({\n    name: '@instantdb/mcp',\n    version,\n  });\n}\n\n// Tool Registration\n// -----------\n\n// Adds tracing to server.tool\nfunction wrapServerWithTracing(\n  server: McpServer,\n  tracer: Tracer,\n  attrs: Attributes,\n): McpServer {\n  const originalTool = server.tool.bind(server);\n\n  server.tool = function (name: string, ...args: any[]): any {\n    // Find the callback (it's always the last argument)\n    const callback = args[args.length - 1];\n    const otherArgs = args.slice(0, -1);\n\n    // Wrap the callback with tracing\n    const wrappedCallback = async (...callbackArgs: any[]) => {\n      const span = tracer.startSpan(`tool.${name}`, {\n        attributes: attrs,\n      });\n      try {\n        const result = await callback(...callbackArgs);\n        span.setStatus({ code: SpanStatusCode.OK });\n        return result;\n      } catch (error) {\n        span.setStatus({ code: SpanStatusCode.ERROR });\n        span.recordException(error as Error);\n        throw error;\n      } finally {\n        span.end();\n      }\n    };\n\n    return originalTool(\n      name,\n      // @ts-expect-error: not sure how to type this\n      ...otherArgs,\n      wrappedCallback,\n    );\n  } as any;\n\n  return server;\n}\n\nfunction registerTools(server: McpServer) {\n  server.tool(\n    'learn',\n    \"If you don't have any context provided about InstantDB, use this tool to learn about it!\",\n    {},\n    async () => {\n      const instructions = `\n      You can learn about InstantDB by fetching our rules file for agents:\n\n      https://www.instantdb.com/llm-rules/AGENTS.md\n      `;\n\n      return {\n        content: [\n          {\n            type: 'text',\n            text: instructions,\n          },\n        ],\n      };\n    },\n  );\n\n  server.tool(\n    'get-schema',\n    'Fetch schema for an app by its ID!',\n    {\n      appId: z.string().uuid().describe('UUID of the app'),\n      adminToken: z\n        .string()\n        .uuid()\n        .describe('UUID of the admin token for the app'),\n    },\n    async ({ appId, adminToken }) => {\n      const instructions = `\n      You can fetch the schema for the app by using the instant-cli tool:\n\n      \\`\\`\\`\n      npx instant-cli pull schema --app ${appId} --token ${adminToken} --yes\n      \\`\\`\\`\n\n      We supply the --yes flag to skip confirmation prompts. Now 'instant.schema.ts' with contain the schema for the app.\n      `;\n\n      return {\n        content: [\n          {\n            type: 'text',\n            text: instructions,\n          },\n        ],\n      };\n    },\n  );\n\n  server.tool(\n    'get-perms',\n    'Fetch permissions for an app by its ID',\n    {\n      appId: z.string().uuid().describe('UUID of the app'),\n      adminToken: z\n        .string()\n        .uuid()\n        .describe('UUID of the admin token for the app'),\n    },\n    async ({ appId, adminToken }) => {\n      const instructions = `\n      You fetch the permissions for the app by using the instant-cli tool:\n\n      \\`\\`\\`\n      npx instant-cli pull perms --app ${appId} --token ${adminToken} --yes\n      \\`\\`\\`\n\n      We supply the --yes flag to skip confirmation prompts. Now 'instant.perms.ts' will contain the permissions for the app.\n      `;\n\n      return {\n        content: [\n          {\n            type: 'text',\n            text: instructions,\n          },\n        ],\n      };\n    },\n  );\n\n  server.tool(\n    'push-schema',\n    `Push local schema changes for an app to the server. Do this after updating your local 'instant.schema.ts' file.\n    If you don't have an instant.schema.ts file yet, use the get-schema tool to learn how to get this file.`,\n    {\n      appId: z.string().uuid().describe('UUID of the app'),\n      adminToken: z\n        .string()\n        .uuid()\n        .describe('UUID of the admin token for the app'),\n    },\n    async ({ appId, adminToken }) => {\n      const instructions = `\n      Push schema changes by using the instant-cli tool:\n\n\n      \\`\\`\\`\n      npx instant-cli push schema --app ${appId} --token ${adminToken} --yes\n      \\`\\`\\`\n\n      We supply the --yes flag to skip confirmation prompts.\n\n      By default the instant-cli tool will assume new fields from the previous schema are additions and missing fields are deletions.\n      If you want to rename fields as part of your schema changes you can use the --rename flag to specify renames.\n\n      \\`\\`\\`\n      npx instant-cli push schema --app ${appId} --token ${adminToken} --rename 'posts.author:posts.creator stores.owner:stores.manager' --yes\n      \\`\\`\\`\n      `;\n\n      return {\n        content: [\n          {\n            type: 'text',\n            text: instructions,\n          },\n        ],\n      };\n    },\n  );\n\n  server.tool(\n    'push-perms',\n    `Push local permissions changes for an app to the server. Do this after updating your local instant.perms.ts file.\n    If you don't have an instant.perms.ts file yet, use the get-perms tool to learn how to get this file.`,\n    {\n      appId: z.string().uuid().describe('UUID of the app'),\n      adminToken: z\n        .string()\n        .uuid()\n        .describe('UUID of the admin token for the app'),\n    },\n    async ({ appId, adminToken }) => {\n      const instructions = `\n      Push permission changes by using the instant-cli tool:\n\n      \\`\\`\\`\n      npx instant-cli push schema --app ${appId} --token ${adminToken} --yes\n      \\`\\`\\`\n\n      We supply the --yes flag to skip confirmation prompts.\n      `;\n\n      return {\n        content: [\n          {\n            type: 'text',\n            text: instructions,\n          },\n        ],\n      };\n    },\n  );\n\n  server.tool(\n    'query',\n    'Execute a query againt an app. Useful for inspecting data in the app.',\n    {},\n    async () => {\n      const instructions = `\n      You can query data for an app by writing and executing a script using the\n      Admin SDK. Here's an example script for fetching a habit and its completions:\n\n      \\`\\`\\`typescript\n      import { init } from \"@instantdb/admin\";\n      import \"dotenv/config\";\n\n      const adminDb = init({\n        appId: process.env.NEXT_PUBLIC_INSTANT_APP_ID!,\n        adminToken: process.env.INSTANT_APP_ADMIN_TOKEN!,\n      });\n\n      async function fetchHabit(habitName: string) {\n        const { habits } = await adminDb.query({\n          habits: {\n            $: { where: { name: habitName } },\n            completions: {},\n          },\n        });\n        console.log(habits);\n      }\n\n      fetchHabit(\"Read\");\n      \\`\\`\\`\n\n      If you're unsure how to write queries, refer to the documentation:\n\n      https://instantdb.com/docs/instaql.md\n      `;\n\n      return {\n        content: [\n          {\n            type: 'text',\n            text: instructions,\n          },\n        ],\n      };\n    },\n  );\n\n  server.tool(\n    'transact',\n    'Execute a transaction against an app. Useful for seeding or modifying data in the app.',\n    {},\n    async () => {\n      const instructions = `\n      You can transact data for an app by writing and executing a script using the\n      Admin SDK. Here's an example script for seeding a microblog app with some posts:\n\n      \\`\\`\\`typescript\n      import { init, id } from \"@instantdb/admin\";\n      import \"dotenv/config\";\n\n      const adminDb = init({\n        appId: process.env.NEXT_PUBLIC_INSTANT_APP_ID!,\n        adminToken: process.env.INSTANT_APP_ADMIN_TOKEN!,\n      });\n\n      interface Post {\n        id: number;\n        author: string;\n        handle: string;\n        color: string;\n        content: string;\n        timestamp: string;\n        likes: number;\n        liked: boolean;\n      }\n\n      const mockPosts: Post[] = [\n        {\n          author: 'Sarah Chen',\n          handle: 'sarahchen',\n          color: 'bg-blue-100',\n          content: 'Just launched my new project! Really excited to share it with everyone.',\n          timestamp: '2h ago',\n          likes: 12,\n          liked: false,\n        },\n        {\n          author: 'Alex Rivera',\n          handle: 'alexrivera',\n          color: 'bg-purple-100',\n          content: 'Beautiful sunset today. Nature never stops amazing me.',\n          timestamp: '4h ago',\n          likes: 19,\n          liked: true,\n        },\n        {\n          author: 'Jordan Lee',\n          handle: 'jordanlee',\n          color: 'bg-pink-100',\n          content: 'Working on something cool with Next.js and TypeScript. Updates coming soon!',\n          timestamp: '6h ago',\n          likes: 7,\n          liked: false,\n        },\n      ];\n\n      function friendlyTimeToTimestamp(friendlyTime: string) {\n        const hours = parseInt(friendlyTime);\n        const now = Date.now();\n        return now - (hours * 60 * 60 * 1000);\n      }\n\n      function seed() {\n        console.log(\"Seeding db...\");\n        mockPosts.forEach(post => {\n          const userId = id();\n          const postId = id();\n          const user = adminDb.tx.$users[userId].create({});\n          const profile = adminDb.tx.profiles[userId].create({\n            displayName: post.author,\n            handle: post.handle,\n          }).link({ user: userId });\n          const postEntity = adminDb.tx.posts[postId].create({\n            color: post.color,\n            content: post.content,\n            timestamp: friendlyTimeToTimestamp(post.timestamp),\n          }).link({ author: userId });\n          const likes = Array.from({ length: post.likes }, () => adminDb.tx.likes[id()].create({ postId, userId }).link({ post: postId, user: userId }));\n          adminDb.transact([user, profile, postEntity, ...likes]);\n        })\n      }\n\n      seed();\n      \\`\\`\\`\n\n      If you're unsure how to make transactions, refer to the documentation:\n\n      https://instantdb.com/docs/instaml.md\n      `;\n\n      return {\n        content: [\n          {\n            type: 'text',\n            text: instructions,\n          },\n        ],\n      };\n    },\n  );\n}\n\nasync function startStdio() {\n  const {\n    values: { token, ['api-url']: apiUrl },\n  } = parseArgs({\n    options: {\n      token: {\n        type: 'string',\n      },\n      ['api-url']: {\n        type: 'string',\n      },\n    },\n  });\n\n  const accessToken = token || process.env.INSTANT_ACCESS_TOKEN;\n  if (!accessToken) {\n    console.error(\n      'Provide an access token using --token or set INSTANT_ACCESS_TOKEN environment variable',\n    );\n    process.exit(1);\n  }\n\n  const server = createMCPServer();\n  registerTools(server);\n\n  const transport = new StdioServerTransport();\n  await server.connect(transport);\n  console.error('Instant Platform MCP Server running on stdio');\n}\n\nfunction ensureEnv(key: string): string {\n  const v = process.env[key];\n  if (!v) {\n    throw new Error(`Missing environment variable ${key}`);\n  }\n  return v;\n}\n\nasync function startSse() {\n  const honeycomb = new HoneycombSDK({\n    apiKey: process.env.HONEYCOMB_API_KEY,\n    serviceName: 'mcp-server',\n  });\n\n  if (process.env.HONEYCOMB_API_KEY) {\n    honeycomb.start();\n  }\n\n  const tracer = trace.getTracer('mcp-server');\n\n  const db = init({\n    adminToken: ensureEnv('INSTANT_ADMIN_TOKEN'),\n    appId: ensureEnv('INSTANT_APP_ID'),\n    schema,\n    disableValidation: true,\n  });\n\n  const oauthConfig: OAuthConfig = {\n    clientId: ensureEnv('INSTANT_OAUTH_CLIENT_ID'),\n    clientSecret: ensureEnv('INSTANT_OAUTH_CLIENT_SECRET'),\n    serverOrigin: ensureEnv('SERVER_ORIGIN'),\n  };\n\n  const keyConfig: KeyConfig = JSON.parse(ensureEnv('INSTANT_AES_KEY'));\n\n  const app = express();\n  const logger = pino({ level: 'info' });\n\n  app.use((req, res, next) => {\n    const span = tracer.startSpan('http-req', {\n      kind: SpanKind.SERVER,\n      attributes: {\n        'http.method': req.method,\n        'http.url': req.url,\n        'http.target': req.path,\n        'http.host': req.get('host'),\n        'http.scheme': req.protocol,\n      },\n    });\n\n    const originalEnd = res.end.bind(res);\n    res.end = function (this: typeof res, ...args: any[]): typeof res {\n      span.setAttribute('http.status_code', res.statusCode);\n      span.setStatus({\n        code: res.statusCode >= 400 ? SpanStatusCode.ERROR : SpanStatusCode.OK,\n      });\n      span.end();\n      return originalEnd(...args);\n    };\n\n    next();\n  });\n\n  app.use(\n    pinoHttp({\n      logger,\n      autoLogging: {\n        ignore(req) {\n          return req.url === '/health';\n        },\n      },\n    }),\n  );\n  app.use(express.json());\n\n  const proxyProvider = new ServiceProvider(db, oauthConfig, keyConfig);\n\n  const authRouterOptions = {\n    scopesSupported: ['apps-read', 'apps-write'],\n    provider: proxyProvider,\n    issuerUrl: new URL(oauthConfig.serverOrigin),\n    baseUrl: new URL(oauthConfig.serverOrigin),\n    serviceDocumentationUrl: new URL('https://instantdb.com/docs'),\n  };\n\n  const oauthMetadata = createOAuthMetadata(authRouterOptions);\n\n  app.use(mcpAuthRouter(authRouterOptions));\n\n  addOAuthRoutes(app, db, oauthConfig);\n\n  app.get('/.well-known/oauth-protected-resource/mcp', (_req, res) => {\n    res.json({\n      resource: `${oauthConfig.serverOrigin}/mcp`,\n      authorization_servers: [oauthMetadata.issuer],\n      scopes_supported: oauthMetadata.scopes_supported,\n      resource_documentation: 'https://instantdb.com/docs',\n    });\n  });\n\n  app.get('/.well-known/oauth-protected-resource/sse', (_req, res) => {\n    res.json({\n      resource: `${oauthConfig.serverOrigin}/mcp`,\n      authorization_servers: [oauthMetadata.issuer],\n      scopes_supported: oauthMetadata.scopes_supported,\n      resource_documentation: 'https://instantdb.com/docs',\n    });\n  });\n\n  const requireTokenMiddleware = (path: string) =>\n    requireBearerAuth({\n      verifier: proxyProvider,\n      resourceMetadataUrl: `${oauthConfig.serverOrigin}/.well-known/oauth-protected-resource/${path}`,\n    });\n\n  // Handle POST requests for client-to-server communication\n  app.post(\n    '/mcp',\n    requireTokenMiddleware('mcp'),\n    async (req: Request, res: Response) => {\n      const server = createMCPServer();\n      try {\n        const tokens = await tokensOfBearerToken(db, req.auth!.token);\n\n        wrapServerWithTracing(server, tracer, {\n          'client.client_id': tokens.mcpToken.client?.client_id,\n          'client.name': tokens.mcpToken.client?.client_name,\n          'client.id': tokens.mcpToken.client?.id,\n          'client.scope': tokens.mcpToken.client?.scope,\n          'client.uri': tokens.mcpToken.client?.client_uri,\n          'client.redirect_urls': tokens.mcpToken.client?.redirect_uris,\n        });\n        registerTools(server);\n        const transport: StreamableHTTPServerTransport =\n          new StreamableHTTPServerTransport({\n            sessionIdGenerator: undefined,\n          });\n\n        req.on('close', () => {\n          transport.close();\n          server.close();\n        });\n        await server.connect(transport);\n        await transport.handleRequest(req, res, req.body);\n      } catch (e) {\n        console.error('Error handling MCP request:', e);\n        if (!res.headersSent) {\n          res.status(500).json({\n            jsonrpc: '2.0',\n            error: {\n              code: -32603,\n              message: 'Internal server error',\n            },\n            id: null,\n          });\n        }\n      }\n    },\n  );\n\n  // We're a stateless server, so disallow these\n  const handleSessionRequest = async (\n    _req: express.Request,\n    res: express.Response,\n  ) => {\n    res.writeHead(405).end(\n      JSON.stringify({\n        jsonrpc: '2.0',\n        error: {\n          code: -32000,\n          message: 'Method not allowed.',\n        },\n        id: null,\n      }),\n    );\n  };\n\n  app.get('/mcp', handleSessionRequest);\n  app.delete('/mcp', handleSessionRequest);\n\n  // SSE for older clients\n  const transports = {\n    sse: {} as Record<string, SSEServerTransport>,\n  };\n\n  app.get(\n    '/sse',\n    requireTokenMiddleware('sse'),\n    async (req: Request, res: Response) => {\n      const server = createMCPServer();\n      const transport = new SSEServerTransport('/messages', res);\n      res.on('close', () => {\n        delete transports.sse[transport.sessionId];\n      });\n\n      try {\n        const tokens = await tokensOfBearerToken(db, req.auth!.token);\n\n        wrapServerWithTracing(server, tracer, {\n          'client.client_id': tokens.mcpToken.client?.client_id,\n          'client.name': tokens.mcpToken.client?.client_name,\n          'client.id': tokens.mcpToken.client?.id,\n          'client.scope': tokens.mcpToken.client?.scope,\n          'client.uri': tokens.mcpToken.client?.client_uri,\n          'client.redirect_urls': tokens.mcpToken.client?.redirect_uris,\n        });\n\n        registerTools(server);\n        transports.sse[transport.sessionId] = transport;\n      } catch (e) {\n        console.error('Error handling MCP SSE request:', e);\n        if (!res.headersSent) {\n          res.status(500).json({\n            jsonrpc: '2.0',\n            error: {\n              code: -32603,\n              message: 'Internal server error',\n            },\n            id: null,\n          });\n        }\n        return;\n      }\n\n      await server.connect(transport);\n    },\n  );\n\n  // Legacy message endpoint for older clients\n  app.post('/messages', async (req, res) => {\n    const sessionId = req.query.sessionId as string;\n    const transport = transports.sse[sessionId];\n    if (transport) {\n      await transport.handlePostMessage(req, res, req.body);\n    } else {\n      res.status(400).send('No transport found for sessionId');\n    }\n  });\n\n  app.get('/', (_req, res: Response) => {\n    res\n      .status(200)\n      .set('Content-Type', 'text/html; charset=UTF-8')\n      .send(indexHtml(oauthConfig.serverOrigin));\n  });\n\n  app.get('/health', (_req, res: Response) => {\n    res.status(200).send('Tip top!');\n  });\n\n  const port = parseInt(process.env.PORT || '3123');\n  const host = process.env.IN_FLY ? '0.0.0.0' : 'localhost';\n\n  if (process.env.IN_FLY) {\n    app.set('trust proxy', 2);\n  }\n\n  app.listen(port, host, () => console.log(`listening on port ${port}`));\n}\n\nasync function main() {\n  if (process.env.SERVER_TYPE === 'http') {\n    return startSse();\n  }\n  return startStdio();\n}\n\nmain().catch((error) => {\n  console.error('Fatal error in main():', error);\n  process.exit(1);\n});\n"]}

Report false positive

highDO-BASunknownMedium ConfidenceLine 0

Decoded base64 content: ��ݕ䞲Ȩ��-