@ampless/admin 0.2.0-alpha.18 → 0.2.0-alpha.19

package/dist/api/index.d.ts

@@ -2,7 +2,7 @@ import { NextRequest, NextResponse } from 'next/server';
 import { Admin } from '../index.js';
 import 'ampless';
 import '@ampless/runtime';
-import '../i18n-B1gZ90FD.js';
+import '../i18n-MWvAMHzn.js';
 import '@aws-amplify/adapter-nextjs';
 
 /**
@@ -21,50 +21,4 @@ declare function createMediaProxyRoute(admin: Admin): {
     }) => Promise<NextResponse<unknown>>;
 };
 
-/**
- * HTTP MCP transport.
- *
- * Mounts at `/api/mcp` on the user's site. Speaks the MCP JSON-RPC
- * protocol over POST (no SSE streaming — single request/response per
- * tool call, which is what every MCP client uses for `tools/call`).
- *
- * Auth: `Authorization: Bearer amp_mcp_<...>`. The Bearer token is
- * hashed (sha256) and looked up in KvStore (`mcp-tokens` PK). On
- * match the route runs the tool with a `ToolContext` backed by:
- *   - The Cognito service user's id token (server-side cached)
- *   - The site's AppSync endpoint
- *
- * Per-token role enforcement happens before tool dispatch — an
- * `editor`-scoped token can't reach admin-only mutations even though
- * the underlying Cognito identity could.
- *
- * `upload_media` is intentionally NOT supported over HTTP in v0.x:
- * the SSR Lambda's execution role doesn't have direct S3 PUT
- * permission, and granting it across Amplify Hosting's managed
- * compute model requires extra setup we punt to v0.y. The other six
- * tools (read + write Post / read schema) cover most automation.
- */
-
-declare function createMcpRoute(admin: Admin): {
-    POST: (req: Request) => Promise<Response>;
-};
-
-/**
- * MCP token management API.
- *
- * Mounted at `/api/admin/mcp-tokens` (POST = create, DELETE = revoke).
- * Both endpoints require the calling admin's Cognito session to be in
- * the `ampless-admin` group — token issuance is sensitive and
- * `editor` is intentionally excluded.
- *
- * Token format (`amp_mcp_<base64url(32)>`) and storage layout live in
- * `lib/mcp-token-storage.ts`.
- */
-
-declare function createMcpTokensRoute(admin: Admin): {
-    GET: () => Promise<Response>;
-    POST: (req: Request) => Promise<Response>;
-    DELETE: (req: Request) => Promise<Response>;
-};
-
-export { createMcpRoute, createMcpTokensRoute, createMediaProxyRoute };
+export { createMediaProxyRoute };

package/dist/api/index.js

@@ -36,568 +36,6 @@ function createMediaProxyRoute(admin) {
   }
   return { GET };
 }
-
-// src/api/mcp.ts
-import {
-  dispatchToolCall,
-  getTools
-} from "@ampless/mcp-server/tools";
-
-// src/lib/mcp-service-auth.ts
-import {
-  CognitoUserPool,
-  CognitoUser,
-  AuthenticationDetails,
-  CognitoRefreshToken
-} from "amazon-cognito-identity-js";
-var REFRESH_BUFFER_SECONDS = 5 * 60;
-var globals = globalThis;
-if (!globals.navigator) {
-  globals.navigator = { userAgent: "ampless-mcp-http" };
-}
-function toSession(result) {
-  return {
-    idToken: result.getIdToken().getJwtToken(),
-    refreshToken: result.getRefreshToken().getToken(),
-    expiresAt: result.getIdToken().getExpiration()
-  };
-}
-var McpServiceAuth = class {
-  constructor(outputs) {
-    this.outputs = outputs;
-  }
-  outputs;
-  pool = null;
-  session = null;
-  refreshPromise = null;
-  getPool() {
-    if (this.pool) return this.pool;
-    const auth = this.outputs.auth;
-    if (!auth?.user_pool_id || !auth?.user_pool_client_id) {
-      throw new Error(
-        "[mcp] amplify_outputs.json is missing the auth block. Deploy the auth resource first."
-      );
-    }
-    this.pool = new CognitoUserPool({
-      UserPoolId: auth.user_pool_id,
-      ClientId: auth.user_pool_client_id
-    });
-    return this.pool;
-  }
-  readEnvCreds() {
-    const email = process.env.AMPLESS_MCP_SERVICE_EMAIL;
-    const password = process.env.AMPLESS_MCP_SERVICE_PASSWORD;
-    if (!email || !password) {
-      throw new Error(
-        "[mcp] AMPLESS_MCP_SERVICE_EMAIL / AMPLESS_MCP_SERVICE_PASSWORD env vars are required. Create a dedicated Cognito user in the `ampless-admin` group (e.g. via /admin/users) and set its credentials as Amplify Hosting environment variables."
-      );
-    }
-    return { email, password };
-  }
-  async signIn() {
-    const { email, password } = this.readEnvCreds();
-    const user = new CognitoUser({ Username: email, Pool: this.getPool() });
-    const auth = new AuthenticationDetails({ Username: email, Password: password });
-    const session = await new Promise((resolveOk, reject) => {
-      user.authenticateUser(auth, {
-        onSuccess: (result) => resolveOk(toSession(result)),
-        onFailure: (err) => reject(err),
-        newPasswordRequired: () => reject(
-          new Error(
-            "[mcp] Cognito returned NEW_PASSWORD_REQUIRED for the service user. Sign in to /admin/login once with the service-user creds to set a permanent password."
-          )
-        )
-      });
-    });
-    this.session = session;
-    return session;
-  }
-  /**
-   * Returns a valid id token for the service user, signing in or
-   * refreshing as needed. Concurrent callers share the same in-flight
-   * refresh via `refreshPromise` so we don't fan out duplicate
-   * sign-ins on cold-start bursts.
-   */
-  async getIdToken() {
-    const now = Math.floor(Date.now() / 1e3);
-    if (!this.session) {
-      const s = await this.signIn();
-      return s.idToken;
-    }
-    if (this.session.expiresAt - now > REFRESH_BUFFER_SECONDS) {
-      return this.session.idToken;
-    }
-    const fresh = await this.refresh();
-    return fresh.idToken;
-  }
-  async refresh() {
-    if (this.refreshPromise) return this.refreshPromise;
-    if (!this.session) return this.signIn();
-    const refreshToken = new CognitoRefreshToken({ RefreshToken: this.session.refreshToken });
-    const { email } = this.readEnvCreds();
-    const user = new CognitoUser({ Username: email, Pool: this.getPool() });
-    this.refreshPromise = new Promise((resolveOk, reject) => {
-      user.refreshSession(refreshToken, (err, result) => {
-        if (err || !result) {
-          this.session = null;
-          this.signIn().then(resolveOk, reject);
-          return;
-        }
-        const session = toSession(result);
-        this.session = session;
-        resolveOk(session);
-      });
-    }).finally(() => {
-      this.refreshPromise = null;
-    });
-    return this.refreshPromise;
-  }
-};
-var cache = /* @__PURE__ */ new WeakMap();
-function getMcpServiceAuth(outputs) {
-  const existing = cache.get(outputs);
-  if (existing) return existing;
-  const fresh = new McpServiceAuth(outputs);
-  cache.set(outputs, fresh);
-  return fresh;
-}
-
-// src/lib/kv-provider-server.ts
-import { setKvStore } from "ampless";
-var installed = /* @__PURE__ */ new WeakSet();
-function installServerKvProvider(outputs) {
-  if (installed.has(outputs)) return;
-  installed.add(outputs);
-  const serviceAuth = getMcpServiceAuth(outputs);
-  async function gql(operation, variables) {
-    if (!outputs.data?.url) {
-      throw new Error(
-        "[kv-provider-server] amplify_outputs.json is missing data.url \u2014 KvStore is unreachable."
-      );
-    }
-    const appsyncUrl = outputs.data.url;
-    const idToken = await serviceAuth.getIdToken();
-    const res = await fetch(appsyncUrl, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        // AppSync userPool auth: bare id token, no "Bearer" prefix.
-        Authorization: idToken
-      },
-      body: JSON.stringify({ query: operation, variables })
-    });
-    const body = await res.json();
-    if (body.errors && body.errors.length > 0) {
-      throw new Error(`[kv-provider-server] AppSync error: ${body.errors[0].message}`);
-    }
-    if (body.data === void 0) {
-      throw new Error("[kv-provider-server] AppSync response had no `data` field");
-    }
-    return body.data;
-  }
-  function encodeValue(value) {
-    return JSON.stringify(value ?? null);
-  }
-  function decodeValue(raw) {
-    if (typeof raw !== "string") return raw;
-    try {
-      return JSON.parse(raw);
-    } catch {
-      return raw;
-    }
-  }
-  const store = {
-    async get(pk, sk) {
-      const data = await gql(
-        `query GetKv($pk: String!, $sk: String!) {
-          getKvStore(pk: $pk, sk: $sk) { pk sk value ttl }
-        }`,
-        { pk, sk }
-      );
-      const row = data.getKvStore;
-      return row ? decodeValue(row.value) : null;
-    },
-    async query(pk) {
-      const data = await gql(
-        `query QueryKv($filter: ModelKvStoreFilterInput, $limit: Int) {
-          listKvStores(filter: $filter, limit: $limit) {
-            items { pk sk value ttl }
-            nextToken
-          }
-        }`,
-        { filter: { pk: { eq: pk } }, limit: 1e3 }
-      );
-      return data.listKvStores.items.map((row) => ({
-        pk: row.pk,
-        sk: row.sk,
-        value: decodeValue(row.value),
-        ttl: row.ttl ?? void 0
-      }));
-    },
-    async put(pk, sk, value, opts) {
-      const ttl = opts?.ttlSeconds ? Math.floor(Date.now() / 1e3) + opts.ttlSeconds : null;
-      const existing = await gql(
-        `query GetKv($pk: String!, $sk: String!) {
-          getKvStore(pk: $pk, sk: $sk) { pk sk }
-        }`,
-        { pk, sk }
-      );
-      if (existing.getKvStore) {
-        await gql(
-          `mutation UpdateKv($input: UpdateKvStoreInput!) {
-            updateKvStore(input: $input) { pk sk }
-          }`,
-          { input: { pk, sk, value: encodeValue(value), ttl } }
-        );
-      } else {
-        await gql(
-          `mutation CreateKv($input: CreateKvStoreInput!) {
-            createKvStore(input: $input) { pk sk }
-          }`,
-          { input: { pk, sk, value: encodeValue(value), ttl } }
-        );
-      }
-    },
-    async remove(pk, sk) {
-      await gql(
-        `mutation DeleteKv($input: DeleteKvStoreInput!) {
-          deleteKvStore(input: $input) { pk sk }
-        }`,
-        { input: { pk, sk } }
-      );
-    }
-  };
-  setKvStore(store);
-}
-
-// src/lib/mcp-token-storage.ts
-import { createHash, randomBytes } from "crypto";
-import { getKvStore } from "ampless";
-var TOKENS_PK = "mcp-tokens";
-function generateToken() {
-  const raw = randomBytes(32).toString("base64url");
-  const plaintext = `amp_mcp_${raw}`;
-  const hash = hashToken(plaintext);
-  return { plaintext, hash };
-}
-function hashToken(plaintext) {
-  return createHash("sha256").update(plaintext).digest("hex");
-}
-async function listTokens() {
-  const items = await getKvStore().query(TOKENS_PK);
-  return items.map((it) => ({ hash: it.sk, ...it.value })).sort((a, b) => {
-    return b.createdAt.localeCompare(a.createdAt);
-  });
-}
-async function saveToken(hash, meta) {
-  await getKvStore().put(TOKENS_PK, hash, meta);
-}
-async function revokeToken(hash) {
-  await getKvStore().remove(TOKENS_PK, hash);
-}
-async function markTokenUsed(hash) {
-  try {
-    const meta = await getKvStore().get(TOKENS_PK, hash);
-    if (!meta) return;
-    await getKvStore().put(TOKENS_PK, hash, {
-      ...meta,
-      lastUsedAt: (/* @__PURE__ */ new Date()).toISOString()
-    });
-  } catch (err) {
-    console.warn("[mcp-token-storage] markTokenUsed failed", err);
-  }
-}
-
-// src/api/mcp.ts
-import { getKvStore as getKvStore2 } from "ampless";
-var TOKEN_PREFIX = "amp_mcp_";
-var UNSUPPORTED_OVER_HTTP = /* @__PURE__ */ new Set(["upload_media"]);
-var ADMIN_ONLY_TOOLS = /* @__PURE__ */ new Set(["delete_post"]);
-function createMcpRoute(admin) {
-  const { outputs, cmsConfig } = admin;
-  const defaultSiteId = cmsConfig.defaultSiteId ?? "default";
-  if (!outputs.data?.url) {
-    throw new Error(
-      "[mcp] createMcpRoute requires amplify_outputs.json with a `data.url` (AppSync endpoint)."
-    );
-  }
-  const appsyncUrl = outputs.data.url;
-  const serviceAuth = getMcpServiceAuth(outputs);
-  installServerKvProvider(outputs);
-  function makeGraphqlClient() {
-    return {
-      async query(operation, variables) {
-        const idToken = await serviceAuth.getIdToken();
-        const res = await fetch(appsyncUrl, {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            // AppSync userPool auth: bare id token, no "Bearer" prefix.
-            Authorization: idToken
-          },
-          body: JSON.stringify({ query: operation, variables: variables ?? {} })
-        });
-        const json2 = await res.json();
-        if (json2.errors && json2.errors.length > 0) {
-          throw new Error(`[mcp] AppSync error: ${json2.errors[0].message}`);
-        }
-        if (json2.data === void 0) {
-          throw new Error("[mcp] AppSync response had no `data` field");
-        }
-        return json2.data;
-      }
-    };
-  }
-  function unsupportedStorage() {
-    return {
-      async putObject() {
-        throw new Error(
-          "[mcp] upload_media is not supported over HTTP in v0.x. Upload via the admin UI instead."
-        );
-      }
-    };
-  }
-  async function POST(req) {
-    const auth = req.headers.get("authorization") ?? "";
-    const plaintext = /^Bearer\s+(.+)$/.exec(auth.trim())?.[1]?.trim();
-    if (!plaintext || !plaintext.startsWith(TOKEN_PREFIX)) {
-      logMcp({ event: "mcp.auth_failed", reason: "missing-or-malformed-bearer" });
-      return jsonRpcError(null, -32e3, "unauthorized", 401);
-    }
-    let tokenRecord = null;
-    let tokenHash;
-    try {
-      tokenHash = hashToken(plaintext);
-      const meta = await getKvStore2().get("mcp-tokens", tokenHash);
-      if (meta) tokenRecord = { hash: tokenHash, ...meta };
-    } catch (err) {
-      console.error("[mcp] token lookup failed", err);
-      return jsonRpcError(null, -32e3, "token lookup failed", 500);
-    }
-    if (!tokenRecord) {
-      logMcp({
-        event: "mcp.auth_failed",
-        reason: "token-not-found",
-        tokenHashPrefix: tokenHash ? tokenHash.slice(0, 12) : void 0
-      });
-      return jsonRpcError(null, -32e3, "unauthorized", 401);
-    }
-    let body;
-    try {
-      body = await req.json();
-    } catch {
-      return jsonRpcError(null, -32700, "parse error", 400);
-    }
-    if (body.jsonrpc !== "2.0" || typeof body.method !== "string") {
-      return jsonRpcError(body.id ?? null, -32600, "invalid request", 400);
-    }
-    const reqId = body.id ?? null;
-    try {
-      switch (body.method) {
-        case "initialize": {
-          return jsonRpcOk(reqId, {
-            protocolVersion: "2024-11-05",
-            capabilities: { tools: {} },
-            serverInfo: { name: "ampless-mcp", version: "0.2.0-alpha" }
-          });
-        }
-        case "notifications/initialized":
-        case "notifications/cancelled": {
-          return new Response(null, { status: 204 });
-        }
-        case "tools/list": {
-          const tools = getTools().map((t) => ({
-            name: t.name,
-            description: t.description,
-            inputSchema: t.inputSchema
-          }));
-          return jsonRpcOk(reqId, { tools });
-        }
-        case "tools/call": {
-          const params = body.params ?? {};
-          const name = params.name;
-          if (!name || typeof name !== "string") {
-            return jsonRpcError(reqId, -32602, "missing tool name", 400);
-          }
-          const tokenContext = {
-            tokenHashPrefix: tokenRecord.hash.slice(0, 12),
-            tokenLabel: tokenRecord.label,
-            tokenRole: tokenRecord.role
-          };
-          const startedAt = Date.now();
-          logMcp({
-            event: "mcp.tool_call",
-            ...tokenContext,
-            tool: name,
-            argKeys: Object.keys(params.arguments ?? {})
-          });
-          if (UNSUPPORTED_OVER_HTTP.has(name)) {
-            logMcp({ event: "mcp.tool_unsupported", ...tokenContext, tool: name });
-            return jsonRpcError(
-              reqId,
-              -32001,
-              `${name} is not supported over HTTP \u2014 use the admin UI`,
-              200
-            );
-          }
-          if (ADMIN_ONLY_TOOLS.has(name) && tokenRecord.role !== "admin") {
-            logMcp({ event: "mcp.role_denied", ...tokenContext, tool: name });
-            return jsonRpcError(reqId, -32003, `${name} requires admin role`, 403);
-          }
-          const ctx = {
-            graphql: makeGraphqlClient(),
-            storage: unsupportedStorage,
-            defaultSiteId
-          };
-          try {
-            const result = await dispatchToolCall(name, params.arguments ?? {}, ctx);
-            if (result === null) {
-              logMcp({
-                event: "mcp.tool_unknown",
-                ...tokenContext,
-                tool: name,
-                durationMs: Date.now() - startedAt
-              });
-              return jsonRpcError(reqId, -32601, `unknown tool: ${name}`, 404);
-            }
-            logMcp({
-              event: "mcp.tool_ok",
-              ...tokenContext,
-              tool: name,
-              durationMs: Date.now() - startedAt
-            });
-            void markTokenUsed(tokenRecord.hash);
-            return jsonRpcOk(reqId, {
-              content: [{ type: "text", text: JSON.stringify(result) }]
-            });
-          } catch (err) {
-            logMcp({
-              event: "mcp.tool_failed",
-              ...tokenContext,
-              tool: name,
-              durationMs: Date.now() - startedAt,
-              error: err instanceof Error ? err.message : String(err)
-            });
-            throw err;
-          }
-        }
-        default:
-          return jsonRpcError(reqId, -32601, `method not found: ${body.method}`, 404);
-      }
-    } catch (err) {
-      console.error("[mcp] tool dispatch failed", err);
-      const message = err instanceof Error ? err.message : String(err);
-      return jsonRpcError(reqId, -32e3, message, 500);
-    }
-  }
-  return { POST };
-}
-function jsonRpcOk(id, result) {
-  return new Response(JSON.stringify({ jsonrpc: "2.0", id, result }), {
-    status: 200,
-    headers: { "Content-Type": "application/json" }
-  });
-}
-function logMcp(record) {
-  console.log(JSON.stringify({ ...record, ts: (/* @__PURE__ */ new Date()).toISOString() }));
-}
-function jsonRpcError(id, code, message, status) {
-  return new Response(JSON.stringify({ jsonrpc: "2.0", id, error: { code, message } }), {
-    status,
-    headers: { "Content-Type": "application/json" }
-  });
-}
-
-// src/api/mcp-tokens.ts
-function isRole(value) {
-  return value === "admin" || value === "editor";
-}
-function createMcpTokensRoute(admin) {
-  installServerKvProvider(admin.outputs);
-  async function requireAdminSession() {
-    const session = await admin.getServerSession();
-    if (!session || !admin.isAdmin(session)) {
-      return json({ error: "admin role required" }, 403);
-    }
-    return { userId: session.userId };
-  }
-  async function GET() {
-    const guard = await requireAdminSession();
-    if (guard instanceof Response) return guard;
-    try {
-      const tokens = await listTokens();
-      return json({ tokens });
-    } catch (err) {
-      console.error("[mcp-tokens] list failed", err);
-      return json({ error: err instanceof Error ? err.message : String(err) }, 500);
-    }
-  }
-  async function POST(req) {
-    const guard = await requireAdminSession();
-    if (guard instanceof Response) return guard;
-    let body;
-    try {
-      body = await req.json();
-    } catch {
-      return json({ error: "invalid JSON body" }, 400);
-    }
-    const label = typeof body.label === "string" ? body.label.replace(/[\x00-\x1f<>]/g, "").trim().slice(0, 80) : "";
-    if (!label) {
-      return json({ error: "label is required" }, 400);
-    }
-    if (!isRole(body.role)) {
-      return json({ error: 'role must be "admin" or "editor"' }, 400);
-    }
-    const { plaintext, hash } = generateToken();
-    const meta = {
-      label,
-      role: body.role,
-      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
-      createdBy: guard.userId
-    };
-    try {
-      await saveToken(hash, meta);
-    } catch (err) {
-      console.error("[mcp-tokens] save failed", err);
-      return json({ error: err instanceof Error ? err.message : String(err) }, 500);
-    }
-    return json({ token: plaintext, record: { hash, ...meta } }, 201);
-  }
-  async function DELETE(req) {
-    const guard = await requireAdminSession();
-    if (guard instanceof Response) return guard;
-    let body;
-    try {
-      body = await req.json();
-    } catch {
-      return json({ error: "invalid JSON body" }, 400);
-    }
-    let hash;
-    if (typeof body.hash === "string" && body.hash.length === 64) {
-      hash = body.hash;
-    } else if (typeof body.token === "string") {
-      hash = hashToken(body.token);
-    } else {
-      return json({ error: "hash or token required" }, 400);
-    }
-    try {
-      await revokeToken(hash);
-    } catch (err) {
-      console.error("[mcp-tokens] revoke failed", err);
-      return json({ error: err instanceof Error ? err.message : String(err) }, 500);
-    }
-    return json({ ok: true });
-  }
-  return { GET, POST, DELETE };
-}
-function json(body, status = 200) {
-  return new Response(JSON.stringify(body), {
-    status,
-    headers: { "Content-Type": "application/json" }
-  });
-}
 export {
-  createMcpRoute,
-  createMcpTokensRoute,
   createMediaProxyRoute
 };