actionmcp 0.71.1 → 0.80.0

data/app/models/action_mcp/session/sse_event.rb

@@ -1,26 +1,32 @@
 # frozen_string_literal: true
 
-# == Schema Information
+# <rails-lens:schema:begin>
+# table = "action_mcp_sse_events"
+# database_dialect = "SQLite"
 #
-# Table name: action_mcp_sse_events
+# columns = [
+#   { name = "id", type = "integer", primary_key = true, nullable = false },
+#   { name = "session_id", type = "string", nullable = false },
+#   { name = "event_id", type = "integer", nullable = false },
+#   { name = "data", type = "text", nullable = false },
+#   { name = "created_at", type = "datetime", nullable = false },
+#   { name = "updated_at", type = "datetime", nullable = false }
+# ]
 #
-#  id         :integer          not null, primary key
-#  data       :text             not null
-#  created_at :datetime         not null
-#  updated_at :datetime         not null
-#  event_id   :integer          not null
-#  session_id :string           not null
+# indexes = [
+#   { name = "index_action_mcp_sse_events_on_created_at", columns = ["created_at"] },
+#   { name = "index_action_mcp_sse_events_on_session_id_and_event_id", columns = ["session_id", "event_id"], unique = true },
+#   { name = "index_action_mcp_sse_events_on_session_id", columns = ["session_id"] }
+# ]
 #
-# Indexes
-#
-#  index_action_mcp_sse_events_on_created_at               (created_at)
-#  index_action_mcp_sse_events_on_session_id               (session_id)
-#  index_action_mcp_sse_events_on_session_id_and_event_id  (session_id,event_id) UNIQUE
-#
-# Foreign Keys
-#
-#  session_id  (session_id => action_mcp_sessions.id)
+# foreign_keys = [
+#   { column = "session_id", references_table = "action_mcp_sessions", references_column = "id" }
+# ]
 #
+# == Notes
+# - Association 'session' should specify inverse_of
+# - String column 'session_id' has no length limit - consider adding one
+# <rails-lens:schema:end>
 module ActionMCP
   class Session
     # Represents a Server-Sent Event (SSE) in an MCP session

data/app/models/action_mcp/session/subscription.rb

@@ -1,24 +1,31 @@
 # frozen_string_literal: true
 
-# == Schema Information
+# <rails-lens:schema:begin>
+# table = "action_mcp_session_subscriptions"
+# database_dialect = "SQLite"
 #
-# Table name: action_mcp_session_subscriptions
+# columns = [
+#   { name = "id", type = "integer", primary_key = true, nullable = false },
+#   { name = "session_id", type = "string", nullable = false },
+#   { name = "uri", type = "string", nullable = false },
+#   { name = "last_notification_at", type = "datetime", nullable = true },
+#   { name = "created_at", type = "datetime", nullable = false },
+#   { name = "updated_at", type = "datetime", nullable = false }
+# ]
 #
-#  id                   :integer          not null, primary key
-#  last_notification_at :datetime
-#  uri                  :string           not null
-#  created_at           :datetime         not null
-#  updated_at           :datetime         not null
-#  session_id           :string           not null
+# indexes = [
+#   { name = "index_action_mcp_session_subscriptions_on_session_id", columns = ["session_id"] }
+# ]
 #
-# Indexes
-#
-#  index_action_mcp_session_subscriptions_on_session_id  (session_id)
-#
-# Foreign Keys
-#
-#  session_id  (session_id => action_mcp_sessions.id) ON DELETE => cascade
+# foreign_keys = [
+#   { column = "session_id", references_table = "action_mcp_sessions", references_column = "id", on_delete = "cascade" }
+# ]
 #
+# == Notes
+# - Consider adding counter cache for 'session'
+# - String column 'session_id' has no length limit - consider adding one
+# - String column 'uri' has no length limit - consider adding one
+# <rails-lens:schema:end>
 module ActionMCP
   class Session
     #

data/app/models/action_mcp/session.rb

@@ -1,38 +1,49 @@
 # frozen_string_literal: true
 
-# == Schema Information
+# <rails-lens:schema:begin>
+# table = "action_mcp_sessions"
+# database_dialect = "SQLite"
 #
-# Table name: action_mcp_sessions
-#
-#  id                     :string           not null, primary key
-#  authentication_method  :string           default("none")
-#  client_capabilities    :json
-#  client_info            :json
-#  ended_at               :datetime
-#  initialized            :boolean          default(FALSE), not null
-#  messages_count         :integer          default(0), not null
-#  oauth_access_token     :string
-#  oauth_refresh_token    :string
-#  oauth_token_expires_at :datetime
-#  oauth_user_context     :json
-#  prompt_registry        :json
-#  protocol_version       :string
-#  resource_registry      :json
-#  role                   :string           default("server"), not null
-#  server_capabilities    :json
-#  server_info            :json
-#  sse_event_counter      :integer          default(0), not null
-#  status                 :string           default("pre_initialize"), not null
-#  tool_registry          :json
-#  created_at             :datetime         not null
-#  updated_at             :datetime         not null
-#
-# Indexes
-#
-#  index_action_mcp_sessions_on_authentication_method   (authentication_method)
-#  index_action_mcp_sessions_on_oauth_access_token      (oauth_access_token) UNIQUE
-#  index_action_mcp_sessions_on_oauth_token_expires_at  (oauth_token_expires_at)
+# columns = [
+#   { name = "id", type = "string", primary_key = true, nullable = false },
+#   { name = "role", type = "string", nullable = false, default = "server" },
+#   { name = "status", type = "string", nullable = false, default = "pre_initialize" },
+#   { name = "ended_at", type = "datetime", nullable = true },
+#   { name = "protocol_version", type = "string", nullable = true },
+#   { name = "server_capabilities", type = "json", nullable = true },
+#   { name = "client_capabilities", type = "json", nullable = true },
+#   { name = "server_info", type = "json", nullable = true },
+#   { name = "client_info", type = "json", nullable = true },
+#   { name = "initialized", type = "boolean", nullable = false, default = "0" },
+#   { name = "messages_count", type = "integer", nullable = false, default = "0" },
+#   { name = "sse_event_counter", type = "integer", nullable = false, default = "0" },
+#   { name = "tool_registry", type = "json", nullable = true, default = "[]" },
+#   { name = "prompt_registry", type = "json", nullable = true, default = "[]" },
+#   { name = "resource_registry", type = "json", nullable = true, default = "[]" },
+#   { name = "created_at", type = "datetime", nullable = false },
+#   { name = "updated_at", type = "datetime", nullable = false },
+#   { name = "consents", type = "json", nullable = false, default = "{}" }
+# ]
 #
+# == Notes
+# - Association 'messages' has N+1 query risk. Consider using includes/preload
+# - Association 'subscriptions' has N+1 query risk. Consider using includes/preload
+# - Association 'resources' has N+1 query risk. Consider using includes/preload
+# - Association 'sse_events' has N+1 query risk. Consider using includes/preload
+# - Column 'protocol_version' should probably have NOT NULL constraint
+# - Column 'server_capabilities' should probably have NOT NULL constraint
+# - Column 'client_capabilities' should probably have NOT NULL constraint
+# - Column 'server_info' should probably have NOT NULL constraint
+# - Column 'client_info' should probably have NOT NULL constraint
+# - Column 'tool_registry' should probably have NOT NULL constraint
+# - Column 'prompt_registry' should probably have NOT NULL constraint
+# - Column 'resource_registry' should probably have NOT NULL constraint
+# - String column 'id' has no length limit - consider adding one
+# - String column 'role' has no length limit - consider adding one
+# - String column 'status' has no length limit - consider adding one
+# - String column 'protocol_version' has no length limit - consider adding one
+# - Column 'status' is commonly used in queries - consider adding an index
+# <rails-lens:schema:end>
 module ActionMCP
   ##
   # Represents an MCP session, which is a connection between a client and a server.
@@ -40,6 +51,10 @@ module ActionMCP
   # such as client and server capabilities, protocol version, and session status.
   # It also manages the association with messages and subscriptions related to the session.
   class Session < ApplicationRecord
+    after_initialize do
+      self.consents = {} if consents == "{}" || consents.nil?
+    end
+
     include MCPConsoleHelpers
     attribute :id, :string, default: -> { SecureRandom.hex(6) }
     has_many :messages,
@@ -180,9 +195,7 @@ module ActionMCP
       # Maintain cache limit by removing oldest events if needed
       count = sse_events.count
       excess = count - max_events
-      if excess.positive?
-        sse_events.order(event_id: :asc).limit(excess).delete_all
-      end
+      sse_events.order(event_id: :asc).limit(excess).delete_all if excess.positive?
 
       event
     end
@@ -359,92 +372,37 @@ module ActionMCP
       resource_registry == [ "*" ]
     end
 
-    # OAuth Session Management
-    # Required by MCP 2025-03-26 specification for session binding
 
-    # Store OAuth token and user context in session
-    def store_oauth_token(access_token:, refresh_token: nil, expires_at:, user_context: {})
-      update!(
-        oauth_access_token: access_token,
-        oauth_refresh_token: refresh_token,
-        oauth_token_expires_at: expires_at,
-        oauth_user_context: user_context,
-        authentication_method: "oauth"
-      )
-    end
+    # Consent management methods as per MCP specification
+    # These methods manage user consents for tools and resources
 
-    # Retrieve OAuth token information
-    def oauth_token_info
-      return nil unless oauth_access_token
-
-      {
-        access_token: oauth_access_token,
-        refresh_token: oauth_refresh_token,
-        expires_at: oauth_token_expires_at,
-        user_context: oauth_user_context || {},
-        authentication_method: authentication_method
-      }
+    # Checks if consent has been granted for a specific key
+    # @param key [String] The consent key (e.g., tool name or resource URI)
+    # @return [Boolean] true if consent is granted, false otherwise
+    def consent_granted_for?(key)
+      consents_hash = consents.is_a?(String) ? JSON.parse(consents) : consents
+      consents_hash&.key?(key) && consents_hash[key] == true
     end
 
-    # Check if OAuth token is valid and not expired
-    def oauth_token_valid?
-      return false unless oauth_access_token
-      return true unless oauth_token_expires_at
-
-      oauth_token_expires_at > Time.current
-    end
-
-    # Clear OAuth token data
-    def clear_oauth_token!
-      update!(
-        oauth_access_token: nil,
-        oauth_refresh_token: nil,
-        oauth_token_expires_at: nil,
-        oauth_user_context: nil,
-        authentication_method: "none"
-      )
-    end
-
-    # Update OAuth token (for refresh flow)
-    def update_oauth_token(access_token:, refresh_token: nil, expires_at:)
-      update!(
-        oauth_access_token: access_token,
-        oauth_refresh_token: refresh_token,
-        oauth_token_expires_at: expires_at
-      )
-    end
-
-    # Get user information from OAuth context
-    def oauth_user
-      return nil unless oauth_user_context.is_a?(Hash)
-
-      OpenStruct.new(oauth_user_context)
-    end
-
-    # Check if session is authenticated via OAuth
-    def oauth_authenticated?
-      authentication_method == "oauth" && oauth_token_valid?
+    # Grants consent for a specific key
+    # @param key [String] The consent key to grant
+    # @return [Boolean] true if saved successfully
+    def grant_consent(key)
+      self.consents = JSON.parse(consents) if consents.is_a?(String)
+      self.consents ||= {}
+      self.consents[key] = true
+      save!
     end
 
-    # Find session by OAuth access token (class method)
-    def self.find_by_oauth_token(access_token)
-      find_by(oauth_access_token: access_token)
-    end
+    # Revokes consent for a specific key
+    # @param key [String] The consent key to revoke
+    # @return [void]
+    def revoke_consent(key)
+      self.consents = JSON.parse(self.consents) if self.consents.is_a?(String)
+      return unless consents&.key?(key)
 
-    # Find sessions with expired OAuth tokens (class method)
-    def self.with_expired_oauth_tokens
-      where("oauth_token_expires_at IS NOT NULL AND oauth_token_expires_at < ?", Time.current)
-    end
-
-    # Cleanup expired OAuth tokens (class method)
-    def self.cleanup_expired_oauth_tokens
-      with_expired_oauth_tokens.update_all(
-        oauth_access_token: nil,
-        oauth_refresh_token: nil,
-        oauth_token_expires_at: nil,
-        oauth_user_context: nil,
-        authentication_method: "none"
-      )
+      consents.delete(key)
+      save!
     end
 
     private

data/config/routes.rb

@@ -3,17 +3,6 @@
 ActionMCP::Engine.routes.draw do
   get "/up", to: "/rails/health#show", as: :action_mcp_health_check
 
-  # OAuth 2.1 metadata endpoints
-  get "/.well-known/oauth-authorization-server", to: "oauth/metadata#authorization_server", as: :oauth_authorization_server_metadata
-  get "/.well-known/oauth-protected-resource", to: "oauth/metadata#protected_resource", as: :oauth_protected_resource_metadata
-
-  # OAuth 2.1 endpoints
-  get "/oauth/authorize", to: "oauth/endpoints#authorize", as: :oauth_authorize
-  post "/oauth/token", to: "oauth/endpoints#token", as: :oauth_token
-  post "/oauth/introspect", to: "oauth/endpoints#introspect", as: :oauth_introspect
-  post "/oauth/revoke", to: "oauth/endpoints#revoke", as: :oauth_revoke
-  post "/oauth/register", to: "oauth/registration#create", as: :oauth_register
-
   # MCP 2025-03-26 Spec routes
   get "/", to: "application#show", as: :mcp_get
   post "/", to: "application#create", as: :mcp_post

data/db/migrate/20250512154359_consolidated_migration.rb

@@ -133,9 +133,9 @@ class ConsolidatedMigration < ActiveRecord::Migration[8.0]
     return unless column_exists?(:action_mcp_session_messages, :direction)
 
     # SQLite3 doesn't support changing column comments
-    if connection.adapter_name.downcase != 'sqlite'
-      change_column_comment :action_mcp_session_messages, :direction, 'The message recipient'
-    end
+    return unless connection.adapter_name.downcase != 'sqlite'
+
+    change_column_comment :action_mcp_session_messages, :direction, 'The message recipient'
   end
 
   private

data/db/migrate/20250715070713_add_consents_to_action_mcp_sess.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddConsentsToActionMCPSess < ActiveRecord::Migration[8.0]
+  def change
+    add_column :action_mcp_sessions, :consents, :json, default: {}, null: false
+  end
+end

data/db/migrate/20250727000001_remove_oauth_support.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+class RemoveOauthSupport < ActiveRecord::Migration[8.0]
+  def change
+    # Remove OAuth tables
+    drop_table :action_mcp_oauth_clients, if_exists: true do |t|
+      t.string :client_id, null: false
+      t.string :client_secret
+      t.string :client_name
+      t.json :redirect_uris, default: []
+      t.json :grant_types, default: [ "authorization_code" ]
+      t.json :response_types, default: [ "code" ]
+      t.string :token_endpoint_auth_method, default: "client_secret_basic"
+      t.text :scope
+      t.boolean :active, default: true
+      t.integer :client_id_issued_at
+      t.integer :client_secret_expires_at
+      t.string :registration_access_token
+      t.json :metadata, default: {}
+      t.datetime :created_at, null: false
+      t.datetime :updated_at, null: false
+    end
+
+    drop_table :action_mcp_oauth_tokens, if_exists: true do |t|
+      t.string :token, null: false
+      t.string :token_type, null: false
+      t.string :client_id, null: false
+      t.string :user_id
+      t.text :scope
+      t.datetime :expires_at
+      t.boolean :revoked, default: false
+      t.string :redirect_uri
+      t.string :code_challenge
+      t.string :code_challenge_method
+      t.string :access_token
+      t.json :metadata, default: {}
+      t.datetime :created_at, null: false
+      t.datetime :updated_at, null: false
+    end
+
+    # Remove OAuth columns from sessions table
+    if table_exists?(:action_mcp_sessions)
+      remove_column :action_mcp_sessions, :oauth_access_token, :string if column_exists?(:action_mcp_sessions, :oauth_access_token)
+      remove_column :action_mcp_sessions, :oauth_refresh_token, :string if column_exists?(:action_mcp_sessions, :oauth_refresh_token)
+      remove_column :action_mcp_sessions, :oauth_token_expires_at, :datetime if column_exists?(:action_mcp_sessions, :oauth_token_expires_at)
+      remove_column :action_mcp_sessions, :oauth_user_context, :json if column_exists?(:action_mcp_sessions, :oauth_user_context)
+    end
+  end
+
+  private
+
+  def table_exists?(table_name)
+    ActiveRecord::Base.connection.table_exists?(table_name)
+  end
+
+  def column_exists?(table_name, column_name)
+    ActiveRecord::Base.connection.column_exists?(table_name, column_name)
+  end
+end

data/lib/action_mcp/base_response.rb

@@ -19,7 +19,7 @@ module ActionMCP
     end
 
     # Convert to hash format expected by MCP protocol
-    def to_h(options = nil)
+    def to_h(_options = nil)
       if @is_error
         JSON_RPC::JsonRpcError.new(@symbol, message: @error_message, data: @error_data).to_h
       else

data/lib/action_mcp/client/base.rb

@@ -26,8 +26,8 @@ module ActionMCP
       def initialize(transport:, logger: ActionMCP.logger, protocol_version: nil, **options)
         @logger = logger
         @transport = transport
-        @session = nil  # Session will be created/loaded based on server response
-        @session_id = options[:session_id]  # Optional session ID for resumption
+        @session = nil # Session will be created/loaded based on server response
+        @session_id = options[:session_id] # Optional session ID for resumption
         @protocol_version = protocol_version || ActionMCP::DEFAULT_PROTOCOL_VERSION
         @server_capabilities = nil
         @connection_error = nil
@@ -91,7 +91,7 @@ module ActionMCP
 
         begin
           # Only write to session if it exists (after initialization)
-          session.write(payload) if session
+          session&.write(payload)
           data = payload.to_json unless payload.is_a?(String)
           @transport.send_message(data)
           true
@@ -109,11 +109,11 @@ module ActionMCP
         end
 
         # Only update session if it exists
-        if @session
-          @session.server_capabilities = server.capabilities
-          @session.server_info = server.server_info
-          @session.save
-        end
+        return unless @session
+
+        @session.server_capabilities = server.capabilities
+        @session.server_info = server.server_info
+        @session.save
       end
 
       def initialized?
@@ -176,9 +176,7 @@ module ActionMCP
         log_debug("Sending client capabilities")
 
         # If we have a session_id, we're trying to resume
-        if @session_id
-          log_debug("Attempting to resume session: #{@session_id}")
-        end
+        log_debug("Attempting to resume session: #{@session_id}") if @session_id
 
         params = {
           protocolVersion: @protocol_version,

data/lib/action_mcp/client/elicitation.rb

@@ -8,15 +8,15 @@ module ActionMCP
       # @param id [String, Integer] The request ID
       # @param params [Hash] The elicitation parameters
       def process_elicitation_request(id, params)
-        message = params["message"]
-        requested_schema = params["requestedSchema"]
+        params["message"]
+        params["requestedSchema"]
 
         # In a real implementation, this would prompt the user
         # For now, we'll just return a decline response
         # Actual implementations should override this method
         send_jsonrpc_response(id, result: {
-          action: "decline"
-        })
+                                action: "decline"
+                              })
       end
 
       # Send elicitation response

data/lib/action_mcp/client/json_rpc_handler.rb

@@ -53,15 +53,13 @@ module ActionMCP
         case rpc_method
         when Methods::ELICITATION_CREATE
           client.process_elicitation_request(id, params)
-        when /^roots\//
+        when %r{^roots/}
           process_roots(rpc_method, id)
-        when /^sampling\//
+        when %r{^sampling/}
           process_sampling(rpc_method, id, params)
         else
           common_result = handle_common_methods(rpc_method, id, params)
-          if common_result.nil?
-            client.log_warn("Unknown server method: #{rpc_method} #{id} #{params}")
-          end
+          client.log_warn("Unknown server method: #{rpc_method} #{id} #{params}") if common_result.nil?
         end
       end
 
@@ -161,7 +159,7 @@ module ActionMCP
         client.log_error("Unknown error: #{id} #{error}")
       end
 
-      def handle_initialize_response(request_id, result)
+      def handle_initialize_response(_request_id, result)
         # Session ID comes from HTTP headers, not the response body
         # The transport should have already extracted it
         session_id = transport.instance_variable_get(:@session_id)
@@ -179,13 +177,13 @@ module ActionMCP
         else
           # Create a new session with the server-provided ID
           client.instance_variable_set(:@session, ActionMCP::Session.from_client.new(
-            id: session_id,
-            protocol_version: result["protocolVersion"] || ActionMCP::DEFAULT_PROTOCOL_VERSION,
-            client_info: client.client_info,
-            client_capabilities: client.client_capabilities,
-            server_info: result["serverInfo"],
-            server_capabilities: result["capabilities"]
-          ))
+                                                    id: session_id,
+                                                    protocol_version: result["protocolVersion"] || ActionMCP::DEFAULT_PROTOCOL_VERSION,
+                                                    client_info: client.client_info,
+                                                    client_capabilities: client.client_capabilities,
+                                                    server_info: result["serverInfo"],
+                                                    server_capabilities: result["capabilities"]
+                                                  ))
           client.session.save
           client.log_info("Created new session: #{session_id}")
         end