WIP copy workers-observability to workers-builds

Author: jahands

apps/workers-builds/.dev.vars.example

@@ -0,0 +1,5 @@
+CLOUDFLARE_CLIENT_ID=
+CLOUDFLARE_CLIENT_SECRET=
+DEV_DISABLE_OAUTH=
+DEV_CLOUDFLARE_API_TOKEN=
+DEV_CLOUDFLARE_EMAIL=

apps/workers-builds/.eslintrc.cjs

@@ -0,0 +1,5 @@
+/** @type {import("eslint").Linter.Config} */
+module.exports = {
+	root: true,
+	extends: ['@repo/eslint-config/default.cjs'],
+}

apps/workers-builds/CONTRIBUTING.md

@@ -0,0 +1,65 @@
+# Setup
+
+If you'd like to iterate and test your MCP server, you can do so in local development.
+
+## Local Development
+
+1. Create a `.dev.vars` file in your project root:
+
+   If you're a Cloudflare employee:
+
+   ```
+   CLOUDFLARE_CLIENT_ID=your_development_cloudflare_client_id
+   CLOUDFLARE_CLIENT_SECRET=your_development_cloudflare_client_secret
+   ```
+
+   If you're an external contributor, you can provide a development API token:
+
+   ```
+   DEV_DISABLE_OAUTH=true
+   DEV_CLOUDFLARE_EMAIL=your_cloudflare_email
+   # This is your global api token
+   DEV_CLOUDFLARE_API_TOKEN=your_development_api_token
+   ```
+
+2. Start the local development server:
+
+   ```bash
+   npx wrangler dev
+   ```
+
+3. To test locally, open Inspector, and connect to `http://localhost:8976/sse`.
+   Once you follow the prompts, you'll be able to "List Tools". You can also connect with any MCP client.
+
+## Deploying the Worker ( Cloudflare employees only )
+
+Set secrets via Wrangler:
+
+```bash
+npx wrangler secret put CLOUDFLARE_CLIENT_ID -e <ENVIRONMENT>
+npx wrangler secret put CLOUDFLARE_CLIENT_SECRET -e <ENVIRONMENT>
+```
+
+## Set up a KV namespace
+
+Create the KV namespace:
+
+```bash
+npx wrangler kv namespace create "OAUTH_KV"
+```
+
+Then, update the Wrangler file with the generated KV namespace ID.
+
+## Deploy & Test
+
+Deploy the MCP server to make it available on your workers.dev domain:
+
+```bash
+npx wrangler deploy -e <ENVIRONMENT>
+```
+
+Test the remote server using [Inspector](https://modelcontextprotocol.io/docs/tools/inspector):
+
+```bash
+npx @modelcontextprotocol/inspector@latest
+```

apps/workers-builds/README.md

@@ -0,0 +1,50 @@
+# Workers Observability MCP Server 🔭
+
+This is a [Model Context Protocol (MCP)](https://modelcontextprotocol.io/introduction) server that supports remote MCP
+connections, with Cloudflare OAuth built-in.
+
+It integrates tools powered by [Workers Observability](https://developers.cloudflare.com/workers/observability/) to provide global
+Internet traffic insights, trends and other utilities.
+
+## 🔨 Available Tools
+
+Currently available tools:
+
+| **Category**          | **Tool**                     | **Description**                                                                                                                                                            |
+| --------------------- | ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Workers Analytics** | `query_worker_observability` | Queries Workers Observability API to analyze logs and metrics from your Cloudflare Workers. Supports listing events, calculating metrics, and finding specific invocations |
+| **Schema Discovery**  | `observability_keys`         | Discovers available data fields in your Workers logs including metadata fields, worker-specific fields, and custom logged fields                                           |
+| **Value Exploration** | `observability_values`       | Finds available values for specific fields in Workers logs to help build precise filters for analytics queries                                                             |
+
+This MCP server is still a work in progress, and we plan to add more tools in the future.
+
+### Prompt Examples
+
+- `Can you tell me about any potential issues on this particular worker 'my-worker-name'?`
+- `Show me the CPU time usage for my worker 'api-gateway' over the last 24 hours`
+- `What were the top 5 countries by request count for my worker yesterday?`
+- `How many requests were made to my worker 'my-app' broken down by HTTP status code?`
+- `Compare the error rates between my production and staging workers`
+
+## Access the remote MCP server from from any MCP Client
+
+If your MCP client has first class support for remote MCP servers, the client will provide a way to accept the server URL (`https://observability.mcp.cloudflare.com`) directly within its interface (for example in [Cloudflare AI Playground](https://playground.ai.cloudflare.com/)).
+
+If your client does not yet support remote MCP servers, you will need to set up its resepective configuration file using [mcp-remote](https://www.npmjs.com/package/mcp-remote) to specify which servers your client can access.
+
+Replace the content with the following configuration:
+
+```json
+{
+	"mcpServers": {
+		"cloudflare": {
+			"command": "npx",
+			"args": ["mcp-remote", "https://observability.mcp.cloudflare.com/sse"]
+		}
+	}
+}
+```
+
+Once you've set up your configuration file, restart MCP client and a browser window will open showing your OAuth login page. Proceed through the authentication flow to grant the client access to your MCP server. After you grant access, the tools will become available for you to use.
+
+Interested in contributing, and running this server locally? See [CONTRIBUTING.md](CONTRIBUTING.md) to get started.

apps/workers-builds/package.json

@@ -0,0 +1,33 @@
+{
+	"name": "workers-builds",
+	"version": "0.0.1",
+	"private": true,
+	"scripts": {
+		"check:lint": "run-eslint-workers",
+		"check:types": "run-tsc",
+		"deploy": "wrangler deploy",
+		"dev": "wrangler dev",
+		"start": "wrangler dev",
+		"types": "wrangler types --include-env=false",
+		"test": "vitest run"
+	},
+	"dependencies": {
+		"@cloudflare/workers-oauth-provider": "0.0.5",
+		"@hono/zod-validator": "0.4.3",
+		"@modelcontextprotocol/sdk": "1.10.2",
+		"@repo/mcp-common": "workspace:*",
+		"@repo/mcp-observability": "workspace:*",
+		"agents": "0.0.67",
+		"cloudflare": "4.2.0",
+		"hono": "4.7.6",
+		"zod": "3.24.2"
+	},
+	"devDependencies": {
+		"@cloudflare/vitest-pool-workers": "0.8.14",
+		"@types/node": "22.14.1",
+		"prettier": "3.5.3",
+		"typescript": "5.5.4",
+		"vitest": "3.0.9",
+		"wrangler": "4.10.0"
+	}
+}

apps/workers-builds/src/context.ts

@@ -0,0 +1,21 @@
+import type { UserDetails } from '@repo/mcp-common/src/durable-objects/user_details'
+import type { ObservabilityMCP } from './index'
+
+export interface Env {
+	OAUTH_KV: KVNamespace
+	ENVIRONMENT: 'development' | 'staging' | 'production'
+	MCP_SERVER_NAME: string
+	MCP_SERVER_VERSION: string
+	CLOUDFLARE_CLIENT_ID: string
+	CLOUDFLARE_CLIENT_SECRET: string
+	MCP_OBJECT: DurableObjectNamespace<ObservabilityMCP>
+	USER_DETAILS: DurableObjectNamespace<UserDetails>
+	MCP_METRICS: AnalyticsEngineDataset
+	SENTRY_ACCESS_CLIENT_ID: string
+	SENTRY_ACCESS_CLIENT_SECRET: string
+	GIT_HASH: string
+	SENTRY_DSN: string
+	DEV_DISABLE_OAUTH: string
+	DEV_CLOUDFLARE_API_TOKEN: string
+	DEV_CLOUDFLARE_EMAIL: string
+}

apps/workers-builds/src/index.ts

@@ -0,0 +1,137 @@
+import OAuthProvider from '@cloudflare/workers-oauth-provider'
+import { McpAgent } from 'agents/mcp'
+
+import {
+	createAuthHandlers,
+	handleTokenExchangeCallback,
+} from '@repo/mcp-common/src/cloudflare-oauth-handler'
+import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
+import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details'
+import { getEnv } from '@repo/mcp-common/src/env'
+import { RequiredScopes } from '@repo/mcp-common/src/scopes'
+import { initSentryWithUser } from '@repo/mcp-common/src/sentry'
+import { CloudflareMCPServer } from '@repo/mcp-common/src/server'
+import { registerAccountTools } from '@repo/mcp-common/src/tools/account'
+import { registerWorkersTools } from '@repo/mcp-common/src/tools/worker'
+
+import { MetricsTracker } from '../../../packages/mcp-observability/src'
+import { registerObservabilityTools } from './tools/observability'
+
+import type { AuthProps } from '@repo/mcp-common/src/cloudflare-oauth-handler'
+import type { Env } from './context'
+
+export { UserDetails }
+
+const env = getEnv<Env>()
+
+const metrics = new MetricsTracker(env.MCP_METRICS, {
+	name: env.MCP_SERVER_NAME,
+	version: env.MCP_SERVER_VERSION,
+})
+
+// Context from the auth process, encrypted & stored in the auth token
+// and provided to the DurableMCP as this.props
+type Props = AuthProps
+
+type State = { activeAccountId: string | null }
+
+export class ObservabilityMCP extends McpAgent<Env, State, Props> {
+	_server: CloudflareMCPServer | undefined
+	set server(server: CloudflareMCPServer) {
+		this._server = server
+	}
+	get server(): CloudflareMCPServer {
+		if (!this._server) {
+			throw new Error('Tried to access server before it was initialized')
+		}
+
+		return this._server
+	}
+
+	async init() {
+		this.server = new CloudflareMCPServer({
+			userId: this.props.user.id,
+			wae: this.env.MCP_METRICS,
+			serverInfo: {
+				name: this.env.MCP_SERVER_NAME,
+				version: this.env.MCP_SERVER_VERSION,
+			},
+			sentry: initSentryWithUser(env, this.ctx, this.props.user.id),
+			options: {
+				instructions: `# Cloudflare Workers Observability Tool
+				* A cloudflare worker is a serverless function
+				* Workers Observability is the tool to inspect the logs for your cloudflare Worker
+				* Each log is a structured JSON payload with keys and values
+
+
+				This server allows you to analyze your Cloudflare Workers logs and metrics.
+				`,
+			},
+		})
+
+		registerAccountTools(this)
+
+		// Register Cloudflare Workers tools
+		registerWorkersTools(this)
+
+		// Register Cloudflare Workers logs tools
+		registerObservabilityTools(this)
+	}
+
+	async getActiveAccountId() {
+		try {
+			// Get UserDetails Durable Object based off the userId and retrieve the activeAccountId from it
+			// we do this so we can persist activeAccountId across sessions
+			const userDetails = getUserDetails(env, this.props.user.id)
+			return await userDetails.getActiveAccountId()
+		} catch (e) {
+			this.server.recordError(e)
+			return null
+		}
+	}
+
+	async setActiveAccountId(accountId: string) {
+		try {
+			const userDetails = getUserDetails(env, this.props.user.id)
+			await userDetails.setActiveAccountId(accountId)
+		} catch (e) {
+			this.server.recordError(e)
+		}
+	}
+}
+
+const ObservabilityScopes = {
+	...RequiredScopes,
+	'account:read': 'See your account info such as account details, analytics, and memberships.',
+	'workers:write':
+		'See and change Cloudflare Workers data such as zones, KV storage, namespaces, scripts, and routes.',
+	'workers_observability:read': 'See observability logs for your account',
+} as const
+
+export default {
+	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
+		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
+			return await handleDevMode(ObservabilityMCP, req, env, ctx)
+		}
+
+		return new OAuthProvider({
+			apiHandlers: {
+				'/mcp': ObservabilityMCP.serve('/mcp'),
+				'/sse': ObservabilityMCP.serveSSE('/sse'),
+			},
+			// @ts-ignore
+			defaultHandler: createAuthHandlers({ scopes: ObservabilityScopes, metrics }),
+			authorizeEndpoint: '/oauth/authorize',
+			tokenEndpoint: '/token',
+			tokenExchangeCallback: (options) =>
+				handleTokenExchangeCallback(
+					options,
+					env.CLOUDFLARE_CLIENT_ID,
+					env.CLOUDFLARE_CLIENT_SECRET
+				),
+			// Cloudflare access token TTL
+			accessTokenTTL: 3600,
+			clientRegistrationEndpoint: '/register',
+		}).fetch(req, env, ctx)
+	},
+}