npm - @akropolys/mcp - Versions diffs - 1.5.3 - Mend

@akropolys/mcp 1.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/src/test-e2e.ts ADDED Viewed

@@ -0,0 +1,167 @@
+process.env.NODE_ENV = 'test';
+import dotenv from 'dotenv';
+dotenv.config();
+import assert from 'assert';
+import { Client } from 'pg';
+import { CallToolRequestSchema } from '@modelcontextprotocol/sdk/types.js';
+import { LocalAESVault } from './vault';
+import { fetchPropertyAndTools } from './db';
+// We use httpbin.org to echo back our request and verify mapping
+async function runE2E() {
+  console.log('🧪 Starting E2E Integration Test...');
+  const dbUrl = process.env.DATABASE_URL;
+  if (!dbUrl) {
+    console.error('⚠️ Skipping E2E test: DATABASE_URL not set');
+    return;
+  }
+  const kmsKey = 'e2e-kms-secret-master-key';
+  process.env.AKROPOLYS_KMS_MASTER_KEY = kmsKey;
+  process.env.AKROPOLYS_PROPERTY_ID = 'prop_e2e_test';
+  const client = new Client({
+    connectionString: dbUrl,
+    ssl: { rejectUnauthorized: false }
+  });
+  await client.connect();
+  try {
+    // 1. Setup - encrypt a mock token
+    const vault = new LocalAESVault();
+    const mockPlaintextToken = 'my-super-secret-token-value';
+    const encryptedToken = await vault.encrypt(mockPlaintextToken);
+    // Clean any residue first
+    await client.query('DELETE FROM developer_tools WHERE property_id = $1', ['prop_e2e_test']);
+    await client.query('DELETE FROM developer_properties WHERE id = $1', ['prop_e2e_test']);
+    // Clean Redis cache key
+    const redisUrl = process.env.UPSTASH_REDIS_URL;
+    if (redisUrl) {
+      const { createClient } = await import('redis');
+      const redisClient = createClient({ url: redisUrl });
+      await redisClient.connect();
+      await redisClient.del('mcp:config:prop_e2e_test');
+      await redisClient.disconnect();
+      console.log('Cleared Redis cache for "prop_e2e_test"');
+    }
+    // 2. Insert mock developer property (using the real sites table to link if needed)
+    // Let's get an existing site ID to avoid foreign key failure.
+    const siteRes = await client.query('SELECT id FROM sites LIMIT 1');
+    if (siteRes.rows.length === 0) {
+      throw new Error('No sites found in the database. Cannot link property.');
+    }
+    const siteId = siteRes.rows[0].id;
+    console.log(`Inserting mock property "prop_e2e_test" linked to site: ${siteId}`);
+    await client.query(`
+      INSERT INTO developer_properties (id, site_id, name, api_base, auth_type, auth_token)
+      VALUES ($1, $2, $3, $4, $5, $6)
+    `, ['prop_e2e_test', siteId, 'E2E Test Store', 'https://httpbin.org', 'bearer', encryptedToken]);
+    // 3. Insert mock tool config
+    // path: /anything/products/:sku
+    // response_mapping: { "sku_echoed": "json.sku", "header_echoed": "headers.X-Test-Header", "method_echoed": "method", "token_echoed": "headers.Authorization" }
+    const parameters = {
+      type: 'object',
+      properties: {
+        sku: { type: 'string', location: 'path', description: 'Product SKU' },
+        qty: { type: 'integer', location: 'query', description: 'Quantity' },
+        'x-test-header': { type: 'string', location: 'header', description: 'Custom Header' },
+        note: { type: 'string', location: 'body', description: 'Body note' }
+      },
+      required: ['sku']
+    };
+    const responseMapping = {
+      url_echoed: 'url',
+      header_echoed: 'headers.X-Test-Header',
+      method_echoed: 'method',
+      token_echoed: 'headers.Authorization',
+      note_echoed: 'json.note'
+    };
+    console.log('Inserting mock tool "get_product_e2e"');
+    await client.query(`
+      INSERT INTO developer_tools (property_id, name, description, method, path, parameters, response_mapping)
+      VALUES ($1, $2, $3, $4, $5, $6, $7)
+    `, [
+      'prop_e2e_test',
+      'get_product_e2e',
+      'Mock tool for testing E2E proxy parameters mapping',
+      'POST',
+      '/anything/products/:sku',
+      JSON.stringify(parameters),
+      JSON.stringify(responseMapping)
+    ]);
+    const rawResp = await fetch('https://httpbin.org/anything/products/SKU-777-XYZ', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ note: 'test' })
+    });
+    const rawJson = await rawResp.json();
+    console.log('Raw httpbin keys:', Object.keys(rawJson));
+    console.log('Raw httpbin url field is:', rawJson.url);
+    // 4. Import index dynamically and invoke call tool logic manually
+    const { server } = await import('./index');
+    // We can directly call the registered handler
+    // Find the handler for CallToolRequestSchema
+    const handlersMap: Map<any, any> = (server as any)._requestHandlers;
+    const callHandlerInfo = handlersMap.get('tools/call');
+    if (!callHandlerInfo) {
+      throw new Error('CallToolRequestSchema handler not registered on server');
+    }
+    const callHandler = callHandlerInfo;
+    console.log('Executing mock tool call with arguments...');
+    const result = await callHandler({
+      method: 'tools/call',
+      params: {
+        name: 'get_product_e2e',
+        arguments: {
+          sku: 'SKU-777-XYZ',
+          qty: 5,
+          'x-test-header': 'Akropolys-Integration-Test',
+          note: 'E2E Integration logic runs successfully!'
+        }
+      }
+    });
+    console.log('Call result received:', JSON.stringify(result, null, 2));
+    assert.ok(!result.isError, 'Call must succeed');
+    assert.ok(result.content && result.content[0] && result.content[0].type === 'text', 'Result content format incorrect');
+    const parsedPayload = JSON.parse(result.content[0].text);
+    // Verify mapped elements
+    assert.ok(parsedPayload.url_echoed.includes('/products/SKU-777-XYZ'), 'Path parameters mapping failed: ' + parsedPayload.url_echoed);
+    assert.strictEqual(parsedPayload.header_echoed, 'Akropolys-Integration-Test', 'Header mapping failed');
+    assert.strictEqual(parsedPayload.method_echoed, 'POST', 'HTTP method mapping failed');
+    assert.strictEqual(parsedPayload.token_echoed, `Bearer ${mockPlaintextToken}`, 'Encrypted Auth Token decryption or insertion failed');
+    assert.strictEqual(parsedPayload.note_echoed, 'E2E Integration logic runs successfully!', 'Body mapping failed');
+    console.log('✅ E2E Integration Test passed perfectly!');
+  } finally {
+    // 5. Cleanup database
+    console.log('Cleaning up mock database entities...');
+    await client.query('DELETE FROM developer_tools WHERE property_id = $1', ['prop_e2e_test']);
+    await client.query('DELETE FROM developer_properties WHERE id = $1', ['prop_e2e_test']);
+    await client.end();
+  }
+}
+runE2E().catch(err => {
+  console.error('❌ E2E Integration Test failed:', err);
+  process.exit(1);
+});

package/src/test.ts ADDED Viewed

@@ -0,0 +1,170 @@
+process.env.NODE_ENV = 'test';
+import assert from 'assert';
+import { LocalAESVault } from './vault';
+// Test 1: KMS local vault AES-256-GCM cycle
+async function testKMSVault() {
+  console.log('🧪 Testing KMS Vault...');
+  const key = 'test-kms-secret-master-key-longer-value';
+  process.env.AKROPOLYS_KMS_MASTER_KEY = key;
+  const vault = new LocalAESVault();
+  const plaintext = 'super-secret-api-token-12345';
+  const ciphertext = await vault.encrypt(plaintext);
+  assert.ok(ciphertext.includes(':'), 'Ciphertext must contain colon delimiters');
+  const decrypted = await vault.decrypt(ciphertext);
+  assert.strictEqual(decrypted, plaintext, 'Decrypted text must match plaintext');
+  console.log('✅ KMS Vault passed.');
+}
+// Test 2: Nested response mapping resolver
+function testResponseMapping(getNestedValue: Function, applyResponseMapping: Function) {
+  console.log('🧪 Testing Response Mapping...');
+  const payload = {
+    data: {
+      product: {
+        id: '123',
+        title: 'Vivo X300',
+        pricing: { amount: 169999.00 },
+        tags: ['smartphone', 'android']
+      },
+      items: [
+        { name: 'Item A', value: 10 },
+        { name: 'Item B', value: 20 }
+      ]
+    }
+  };
+  // Test getNestedValue
+  assert.strictEqual(getNestedValue(payload, 'data.product.id'), '123');
+  assert.strictEqual(getNestedValue(payload, 'data.product.pricing.amount'), 169999.00);
+  assert.strictEqual(getNestedValue(payload, 'data.product.nonexistent'), undefined);
+  // Test array mapping inside getNestedValue
+  const itemNames = getNestedValue(payload, 'data.items.name');
+  assert.deepStrictEqual(itemNames, ['Item A', 'Item B']);
+  // Test applyResponseMapping
+  const mapping = {
+    productId: 'data.product.id',
+    name: 'data.product.title',
+    price: 'data.product.pricing.amount',
+    tagsList: 'data.product.tags',
+    itemNames: 'data.items.name'
+  };
+  const normalized = applyResponseMapping(payload, mapping);
+  assert.deepStrictEqual(normalized, {
+    productId: '123',
+    name: 'Vivo X300',
+    price: 169999.00,
+    tagsList: ['smartphone', 'android'],
+    itemNames: ['Item A', 'Item B']
+  });
+  console.log('✅ Response Mapping passed.');
+}
+// Test 3: Parameter cleaning schema
+function testParameterCleaning(cleanParameterSchema: Function) {
+  console.log('🧪 Testing Parameter Cleaning...');
+  const devParams = {
+    type: 'object',
+    properties: {
+      sku: {
+        type: 'string',
+        location: 'path',
+        description: 'Stock keeping unit identifier'
+      },
+      quantity: {
+        type: 'integer',
+        location: 'query',
+        description: 'Quantity to purchase'
+      }
+    },
+    required: ['sku']
+  };
+  const cleaned = cleanParameterSchema(devParams);
+  assert.deepStrictEqual(cleaned, {
+    type: 'object',
+    properties: {
+      sku: {
+        type: 'string',
+        description: 'Stock keeping unit identifier'
+      },
+      quantity: {
+        type: 'integer',
+        description: 'Quantity to purchase'
+      }
+    },
+    required: ['sku']
+  });
+  console.log('✅ Parameter Cleaning passed.');
+}
+// Test 4: SSRF prevention check
+async function testSSRFProtection(isPrivateIp: Function, validateUrlForSSRF: Function) {
+  console.log('🧪 Testing SSRF Protection...');
+  // Private IPs should be blocked
+  assert.ok(isPrivateIp('127.0.0.1'), 'Localhost should be classified as private');
+  assert.ok(isPrivateIp('10.0.0.1'), 'RFC 1918 10.x should be classified as private');
+  assert.ok(isPrivateIp('172.16.0.1'), 'RFC 1918 172.16.x should be classified as private');
+  assert.ok(isPrivateIp('192.168.1.100'), 'RFC 1918 192.168.x should be classified as private');
+  assert.ok(isPrivateIp('169.254.169.254'), 'AWS Metadata service IP should be classified as private');
+  assert.ok(isPrivateIp('::1'), 'IPv6 loopback should be classified as private');
+  assert.ok(isPrivateIp('::'), 'IPv6 unspecified should be classified as private');
+  // Public IPs should be allowed
+  assert.ok(!isPrivateIp('8.8.8.8'), 'Google DNS IP should be public');
+  assert.ok(!isPrivateIp('1.1.1.1'), 'Cloudflare DNS IP should be public');
+  // URL check throws on loopback/private
+  try {
+    await validateUrlForSSRF('http://127.0.0.1:8080/admin');
+    assert.fail('Should block loopback URLs');
+  } catch (err: any) {
+    assert.ok(err.message.includes('SSRF Prevention'), 'Error message must mention SSRF Prevention');
+  }
+  try {
+    await validateUrlForSSRF('http://169.254.169.254/latest/meta-data');
+    assert.fail('Should block AWS metadata service URLs');
+  } catch (err: any) {
+    assert.ok(err.message.includes('SSRF Prevention'), 'Error message must mention SSRF Prevention');
+  }
+  // URL check succeeds on public sites
+  await validateUrlForSSRF('https://httpbin.org/anything');
+  await validateUrlForSSRF('https://api.github.com');
+  console.log('✅ SSRF Protection passed.');
+}
+async function runAll() {
+  try {
+    await testKMSVault();
+    // Dynamically import helpers to prevent ESM/TS hoisting execution issues
+    const { getNestedValue, applyResponseMapping, cleanParameterSchema, isPrivateIp, validateUrlForSSRF } = await import('./index');
+    testResponseMapping(getNestedValue, applyResponseMapping);
+    testParameterCleaning(cleanParameterSchema);
+    await testSSRFProtection(isPrivateIp, validateUrlForSSRF);
+    console.log('🎉 ALL TESTS PASSED SUCCESSFULLY!');
+  } catch (err: any) {
+    console.error('❌ TEST FAILURE:', err);
+    process.exit(1);
+  }
+}
+runAll();

package/src/vault.ts ADDED Viewed

@@ -0,0 +1,51 @@
+import crypto from 'crypto';
+export interface CredentialVault {
+  encrypt(plaintext: string): Promise<string>;
+  decrypt(ciphertext: string): Promise<string>;
+}
+export class LocalAESVault implements CredentialVault {
+  private masterKey: Buffer;
+  constructor(masterKeyEnvVar = 'AKROPOLYS_KMS_MASTER_KEY') {
+    const keyStr = process.env[masterKeyEnvVar];
+    if (!keyStr) {
+      throw new Error(`Master key environment variable ${masterKeyEnvVar} is not defined`);
+    }
+    // Hash the master key to ensure it is exactly 32 bytes for AES-256
+    this.masterKey = crypto.createHash('sha256').update(keyStr).digest();
+  }
+  async encrypt(plaintext: string): Promise<string> {
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv('aes-256-gcm', this.masterKey, iv);
+    let encrypted = cipher.update(plaintext, 'utf8', 'hex');
+    encrypted += cipher.final('hex');
+    const authTag = cipher.getAuthTag().toString('hex');
+    // Format: iv:authTag:encryptedData
+    return `${iv.toString('hex')}:${authTag}:${encrypted}`;
+  }
+  async decrypt(ciphertext: string): Promise<string> {
+    const parts = ciphertext.split(':');
+    if (parts.length !== 3) {
+      throw new Error('Invalid ciphertext format');
+    }
+    const iv = Buffer.from(parts[0], 'hex');
+    const authTag = Buffer.from(parts[1], 'hex');
+    const encryptedData = parts[2];
+    const decipher = crypto.createDecipheriv('aes-256-gcm', this.masterKey, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(encryptedData, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+    return decrypted;
+  }
+}

package/tsconfig.json ADDED Viewed

@@ -0,0 +1,13 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+    "strict": true,
+    "skipLibCheck": true,
+    "outDir": "./dist"
+  },
+  "include": ["src/**/*"]
+}

package/tsup.config.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import { defineConfig } from 'tsup';
+export default defineConfig({
+  entry: ['src/index.ts', 'src/test.ts', 'src/test-e2e.ts'],
+  format: ['cjs'],
+  clean: true,
+  dts: false,
+  banner: {
+    js: '#!/usr/bin/env node',
+  },
+});