mcpeye 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5b65ed38eb2861006ebcd79b5592922e1281d71fce912dec5543b01cba961244
-  data.tar.gz: 3184681a41e2669cf3b9c240acad0bd4418d811fdbc97bb988ac82b5533ec42b
+  metadata.gz: 3d50e6d30ef0e2cf6796b7b7b67397c40c11290f289152d124c3ff5417ff6150
+  data.tar.gz: 23729136fae41b35dcf3152354d59fd5e2753d7429831b1f474bc01de56c6d5a
 SHA512:
-  metadata.gz: fe8f68cdae22753dd5ff53e284e0c493e313e4f9dca104e50f3a9be6d5ae6147d19b8215f0f288989ae8e30c2e3c4134d02a85ee4cbd12cebc2f07241e9dd2e8
-  data.tar.gz: dd3ca7ff1636b5a7b1cd424c2a854e095cddb331c199c4c7775737a0f2e7bd88a1cf861e5b59b112cf04a114cfb424c565173145356829dd6c735447b0008d68
+  metadata.gz: 84b70bcbed2a41a80a198b44e32b4f84eaa7f753aa3701e708eebc7210e78833dd6a1d67f471ac7e62aa7f1326dd96a75eaa9b3e8946465e78432e2554ee67e7
+  data.tar.gz: a75cc956872617ae3da0400b44b8a54a1f3e2bb7b265ca6e4dad5fb5ae50f453d24ec3256cfda971563091ff77f1a4b33059d6bfc73b378745530ffdefd015a4

data/README.md

@@ -165,9 +165,19 @@ MCPEYE = Mcpeye.track(
   ENV.fetch("MCPEYE_PROJECT_ID"),
   ingest_url: ENV.fetch("MCPEYE_INGEST_URL", "http://localhost:3001"),
   ingest_secret: ENV["MCPEYE_INGEST_SECRET"],
-  # Per-request identity: evaluated once per flush, so a thread/request-local
-  # value is attributed correctly. Pass an OPAQUE, non-PII id (coerced to a string).
-  identify: -> { { userId: Current.user_id&.to_s, client: Current.client, serverVersion: MyApp::VERSION } },
+  # End-user identity. `userId`/`userEmail` are resolved PER CALL on the request
+  # thread (so a thread/request-local value like Rails Current / RequestStore is
+  # attributed correctly even on a multi-user / stateless server); client/serverVersion
+  # are read per flush. Pass an OPAQUE, stable userId. This is what powers the
+  # dashboard's search-by-id/email — without it, sessions read "user not identified".
+  identify: lambda {
+    {
+      userId: Current.user_id&.to_s,        # who the end user is (for search)
+      userEmail: Current.user_email,        # human-readable, optional (PII you store)
+      client: Current.client,               # process/connection-level
+      serverVersion: MyApp::VERSION,
+    }
+  },
   # Drop your own domain-sensitive fields on top of the built-in denylist:
   denylist_fields: %w[ssn account_number],
   # Forward diagnostics into your logger instead of stderr:
@@ -175,6 +185,13 @@ MCPEYE = Mcpeye.track(
 )
 ```
 
+> **Multi-user / stateless servers (e.g. a streamable-HTTP MCP).** Because `identify`
+> runs per call on the request thread, set your per-request user context BEFORE the
+> tool dispatches (e.g. in middleware: `RequestStore.store[:current_user_id] = ...`)
+> and read it in `identify` (`RequestStore.store[:current_user_id]`). Each captured
+> call is then attributed to the right user, even though one flushed batch may mix
+> users.
+
 ### Puma / Unicorn (forking servers)
 
 A thread does **not** survive `fork`, so in a clustered server start the flush

data/lib/mcpeye/tracker.rb

@@ -24,7 +24,12 @@ module Mcpeye
   #
   # The wire shape matches @mcpeye/core's IngestPayload exactly (and is
   # byte-compatible with the TS and Python SDKs):
-  #   { projectId, identity: { userId?, client?, serverVersion? }, events: [...] }
+  #   { projectId, identity: { userId?, userEmail?, client?, serverVersion? },
+  #     events: [{ ..., userId?, userEmail? }] }
+  # Each event also carries its OWN userId/userEmail, resolved PER CALL on the
+  # request thread (see #resolve_call_identity) — so attribution is correct on a
+  # multi-user server where one flushed batch mixes users; the batch identity is the
+  # fallback.
   #
   # Prime directive: this NEVER raises into, or alters, the host MCP server. The
   # only intentional raise is an empty `project_id` at construction (fail loud
@@ -182,10 +187,15 @@ module Mcpeye
     # ingest_secret   — shared secret sent as x-mcpeye-secret.
     #                   Defaults to ENV["MCPEYE_INGEST_SECRET"].
     # redact          — when true (default) scrub arguments/result/intent/error client-side.
-    # identity        — static Hash { userId:, client:, serverVersion: }.
-    # identify        — optional callable evaluated once per flush, returning the
-    #                   identity Hash (per-request/thread-local attribution). A
-    #                   raising identify yields {} for that flush, never breaks it.
+    # identity        — static Hash { userId:, userEmail:, client:, serverVersion: }
+    #                   (batch-level fallback).
+    # identify        — optional callable for dynamic attribution. Evaluated PER CALL
+    #                   on the request thread for userId/userEmail (correct per-event
+    #                   attribution on a multi-user server) AND once per flush for the
+    #                   batch identity. Return { userId:, userEmail:, client:,
+    #                   serverVersion: }. A raising identify yields no identity for that
+    #                   call/flush, never breaks the host. Example:
+    #                     identify: -> { { userId: RequestStore.store[:current_user_id] } }
     # flush_threshold — eager-flush buffer size (default 20).
     # flush_interval  — background flush interval in seconds (default nil = no
     #                   background thread; stay zero-thread unless asked).
@@ -519,6 +529,14 @@ module Mcpeye
       event["errorMessage"] = guard_error_message(error_message.to_s) unless error_message.nil?
       # Only a non-blank intent is recorded (whitespace-only is dropped, TS/Python parity).
       event["intent"] = guard_error_message(intent.to_s) if intent && !intent.to_s.strip.empty?
+      # Per-CALL end-user identity. build_event runs on the caller's (request) thread
+      # — via the official call_tool hook or the wrap proc — so `identify` is evaluated
+      # where the host's per-request user context is live (unlike the per-flush batch
+      # identity, which runs on the flush thread). This is what makes attribution
+      # correct on a multi-user server. Per-event values win over the batch identity.
+      uid, uemail = resolve_call_identity
+      event["userId"] = uid if uid
+      event["userEmail"] = uemail if uemail
       event
     end
 
@@ -649,6 +667,30 @@ module Mcpeye
       {}
     end
 
+    # Per-CALL end-user identity for ONE event, resolved on the caller's (request)
+    # thread. Uses `identify` (evaluated per call) when given, else the static
+    # `identity`. Returns [user_id, user_email] as normalized Strings or nils.
+    # Fail-open: a raising identify yields [nil, nil], never into the host call.
+    def resolve_call_identity
+      raw = @identify ? @identify.call : @identity
+      raw = {} unless raw.is_a?(Hash)
+      [norm_ident(raw[:userId] || raw["userId"]), norm_ident(raw[:userEmail] || raw["userEmail"])]
+    rescue StandardError => e
+      @on_error.call(e)
+      [nil, nil]
+    end
+
+    # Coerce an identity value to a trimmed String <=256 chars, or nil if blank.
+    # Coerces a non-String id (e.g. an Integer user id) like normalize_identity.
+    def norm_ident(value)
+      return nil if value.nil?
+
+      s = value.to_s.strip
+      return nil if s.empty?
+
+      s.length > 256 ? s[0, 256] : s
+    end
+
     # Prepend a failed batch to the front of the buffer (oldest-first, so it
     # retries first) and re-apply the cap. Caller must NOT hold @mutex.
     def requeue(batch)
@@ -1057,7 +1099,7 @@ module Mcpeye
     def normalize_identity(identity)
       h = identity.is_a?(Hash) ? identity : {}
       out = {}
-      %w[userId client serverVersion].each do |k|
+      %w[userId userEmail client serverVersion].each do |k|
         v = h[k.to_sym]
         v = h[k] if v.nil?
         next if v.nil?

data/lib/mcpeye/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Mcpeye
-  VERSION = "0.1.3"
+  VERSION = "0.1.4"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mcpeye
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - mcpeye