@anton.andrusenko/shopify-mcp-admin 2.0.0 → 2.0.1

package/README.md

@@ -129,6 +129,13 @@ Tokens are automatically refreshed every 24 hours.
 | `LOG_LEVEL` | No | `info` | Log level: `debug`, `info`, `warn`, `error` |
 | `SHOPIFY_MCP_LAZY_LOADING` | No | `false` | Enable modular lazy loading (set to `true` for on-demand module loading) |
 | `SHOPIFY_MCP_ROLE` | No | — | Role preset for automatic module loading (see [Role Presets](#-role-presets)) |
+| `ALLOWED_HOSTS` | ✅ (remote mode) | — | Comma-separated list of allowed hostnames (e.g., `shopify-mcp.com,api.shopify-mcp.com`) |
+| `ALLOWED_ORIGINS` | ✅ (remote mode) | — | Comma-separated list of allowed CORS origins (e.g., `https://shopify-mcp.com`) |
+| `METRICS_ENDPOINT_ENABLED` | No | `false` | Enable Prometheus metrics endpoint at `/metrics` |
+| `ENABLE_HSTS` | No | `false` | Enable HTTP Strict Transport Security headers |
+| `SHUTDOWN_DRAIN_SECONDS` | No | `30` | Graceful shutdown drain timeout in seconds (1-300) |
+| `LOG_FORMAT` | No | `json` | Log format: `json` (production) or `pretty` (development) |
+| `SENTRY_DSN` | No | — | Sentry error tracking DSN (recommended for production) |
 
 ### Server Modes
 
@@ -987,9 +994,9 @@ shopify-mcp-admin uses a modular architecture to optimize AI agent performance.
 
 ## 🔄 Upgrading from Previous Versions
 
-### What's New in v0.8.0+: Modular Tool Loading
+### What's New in v2.0.0+: Modular Tool Loading
 
-Starting with v0.8.0, shopify-mcp-admin supports **modular lazy loading** to optimize AI agent performance. Research shows that presenting more than 30 tools to an AI agent can degrade performance by up to 85%.
+Starting with v2.0.0, shopify-mcp-admin supports **modular lazy loading** to optimize AI agent performance. Research shows that presenting more than 30 tools to an AI agent can degrade performance by up to 85%.
 
 **Default Behavior (All Tools Loaded):**
 - All 79 domain tools are loaded at startup for maximum compatibility
@@ -1227,56 +1234,6 @@ Enable these settings for the `main` branch in **Settings → Branches**:
 
 ---
 
-## 🚀 Deployment
-
-shopify-mcp-admin supports multiple deployment options for different environments:
-
-### Railway (Recommended for Quick Start)
-
-Deploy to [Railway](https://railway.app) with the included `railway.json` configuration:
-
-1. Connect your GitHub repository to Railway
-2. Add environment variables (DATABASE_URL, ENCRYPTION_KEY, etc.)
-3. Deploy — Railway auto-detects the Dockerfile
-
-### Kubernetes
-
-For self-hosted or cloud Kubernetes clusters, see the [Kubernetes Deployment Guide](docs/kubernetes.md).
-
-Quick start:
-```bash
-# Build and push image
-docker build -t yourregistry/shopify-mcp-admin:v1.0.0 .
-docker push yourregistry/shopify-mcp-admin:v1.0.0
-
-# Configure and deploy
-cd k8s
-kustomize edit set image shopify-mcp-admin=yourregistry/shopify-mcp-admin:v1.0.0
-kubectl apply -k .
-```
-
-### Docker (Local/Development)
-
-```bash
-# Build image
-docker build -t shopify-mcp-admin .
-
-# Run container
-docker run -p 3000:3000 \
-  -e DATABASE_URL="postgresql://..." \
-  -e ENCRYPTION_KEY="..." \
-  shopify-mcp-admin
-```
-
-### Image Size
-
-The production Docker image is optimized for minimal size:
-- Multi-stage build with Alpine Linux
-- Production dependencies only (`npm prune --production`)
-- Target size: <150MB
-
----
-
 ## 🎨 Tenant Dashboard (Remote Mode)
 
 When running in remote mode (`SERVER_MODE=remote`), shopify-mcp-admin includes a web-based dashboard for tenant management. The dashboard provides a modern, responsive UI for:
@@ -1383,6 +1340,8 @@ This project is licensed under the **MIT License** — see the [LICENSE](LICENSE
 
 ## 🚀 Deployment
 
+shopify-mcp-admin supports multiple deployment options for different environments.
+
 ### Production Deployment
 
 For production deployment on Railway with Cloudflare, Sentry, and uptime monitoring, see the comprehensive deployment guide:
@@ -1396,6 +1355,79 @@ The guide includes:
 - **Staging Environment**: Separate staging deployment configuration
 - **Monitoring**: Sentry error tracking and uptime monitoring setup
 
+### Production URLs
+
+The production service is available at:
+
+**Root Domain:**
+- **Dashboard:** `https://shopify-mcp.com/` → redirects to `/app`
+- **Dashboard UI:** `https://shopify-mcp.com/app`
+- **Health Check:** `https://shopify-mcp.com/health`
+- **Metrics:** `https://shopify-mcp.com/metrics`
+- **MCP Endpoint:** `https://shopify-mcp.com/mcp`
+
+**API Subdomain:**
+- **Dashboard:** `https://api.shopify-mcp.com/app`
+- **Health Check:** `https://api.shopify-mcp.com/health`
+- **Metrics:** `https://api.shopify-mcp.com/metrics`
+- **MCP Endpoint:** `https://api.shopify-mcp.com/mcp`
+
+**Available Endpoints:**
+
+| Endpoint | Description | Authentication |
+|----------|-------------|----------------|
+| `/` | Root path - redirects to `/app` (dashboard) | None |
+| `/app` | Dashboard UI (React SPA) | Session cookie |
+| `/health` | Health check endpoint | None |
+| `/metrics` | Prometheus metrics | None |
+| `/mcp` | MCP protocol endpoint | API key or session |
+| `/api/tenants` | Tenant management API | Session cookie |
+| `/api/shops` | Shop connection API | Session cookie |
+| `/api/keys` | API key management | Session cookie |
+
+**Note:** The root domain (`shopify-mcp.com`) redirects to the dashboard (`/app`) for a better user experience. All API endpoints are also available on the root domain.
+
+### Deployment Options
+
+#### Railway (Recommended for Quick Start)
+
+Deploy to [Railway](https://railway.app) with the included `railway.json` configuration:
+
+1. Connect your GitHub repository to Railway
+2. Add environment variables (DATABASE_URL, ENCRYPTION_KEY, etc.)
+3. Deploy — Railway auto-detects the Dockerfile
+
+#### Kubernetes
+
+For self-hosted or cloud Kubernetes clusters, see the [Kubernetes Deployment Guide](docs/kubernetes.md).
+
+Quick start:
+```bash
+# Build and push image
+docker build -t yourregistry/shopify-mcp-admin:v2.0.0 .
+docker push yourregistry/shopify-mcp-admin:v2.0.0
+
+# Configure and deploy
+cd k8s
+kustomize edit set image shopify-mcp-admin=yourregistry/shopify-mcp-admin:v2.0.0
+kubectl apply -k .
+```
+
+#### Docker (Local/Development)
+
+```bash
+# Build image
+docker build -t shopify-mcp-admin .
+
+# Run container
+docker run -p 3000:3000 \
+  -e DATABASE_URL="postgresql://..." \
+  -e ENCRYPTION_KEY="..." \
+  shopify-mcp-admin
+```
+
+**Image Size:** The production Docker image is optimized for minimal size (<150MB) with multi-stage Alpine Linux build.
+
 ### Environment Variables
 
 For production environment variables, see:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@anton.andrusenko/shopify-mcp-admin",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "MCP server for Shopify Admin API - enables AI agents to manage Shopify stores with 79 tools for products, inventory, collections, content, SEO, metafields, markets & translations",
   "type": "module",
   "main": "./dist/index.js",

package/dist/chunk-3Y4P67GZ.js

@@ -1,124 +0,0 @@
-import {
-  log
-} from "./chunk-GKGHMPEC.js";
-
-// src/middleware/mcp-auth.ts
-var MCP_AUTH_ERROR_CODES = {
-  AUTH_REQUIRED: -32001,
-  // Missing authentication
-  AUTH_INVALID: -32002,
-  // Invalid API key format or key
-  AUTH_REVOKED: -32003,
-  // API key has been revoked
-  AUTH_FORBIDDEN: -32004
-  // Tenant suspended or no access
-};
-function createJsonRpcError(code, message, hint) {
-  const error = {
-    jsonrpc: "2.0",
-    error: {
-      code,
-      message
-    },
-    id: null
-  };
-  if (hint) {
-    error.error.data = { hint };
-  }
-  return error;
-}
-function parseBearerToken(authHeader) {
-  if (!authHeader) {
-    return null;
-  }
-  const parts = authHeader.split(" ");
-  if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") {
-    return null;
-  }
-  const token = parts[1];
-  if (!token || token.trim() === "") {
-    return null;
-  }
-  return token;
-}
-async function validateMcpApiKey(authHeader, apiKeyService, prisma) {
-  const token = parseBearerToken(authHeader);
-  if (!token) {
-    return {
-      valid: false,
-      error: "Authentication required",
-      httpStatus: 401
-    };
-  }
-  const validationResult = await apiKeyService.validate(token);
-  if (!validationResult.valid) {
-    const isRevoked = validationResult.error?.includes("revoked");
-    return {
-      valid: false,
-      error: validationResult.error || "Invalid API key",
-      httpStatus: isRevoked ? 403 : 401
-    };
-  }
-  const tenant = validationResult.tenant;
-  const tenantShops = await prisma.tenantShop.findMany({
-    where: {
-      tenantId: tenant.tenantId,
-      uninstalledAt: null
-      // Only active shops
-    },
-    select: {
-      shopDomain: true,
-      scopes: true
-    }
-  });
-  const allowedShops = tenantShops.map((shop) => shop.shopDomain);
-  const mcpTenantContext = {
-    tenantId: tenant.tenantId,
-    email: tenant.email,
-    defaultShop: validationResult.shop,
-    allowedShops
-  };
-  return {
-    valid: true,
-    tenant: mcpTenantContext
-  };
-}
-function createMcpAuthMiddleware(options) {
-  const { apiKeyService, prisma, isRemote } = options;
-  return async (req, res, next) => {
-    if (!isRemote) {
-      log.debug("[mcp-auth] Local mode: skipping API key validation");
-      next();
-      return;
-    }
-    const authResult = await validateMcpApiKey(req.headers.authorization, apiKeyService, prisma);
-    if (!authResult.valid) {
-      log.debug(`[mcp-auth] Auth failed: ${authResult.error}`);
-      let errorCode;
-      let hint;
-      if (authResult.httpStatus === 401) {
-        errorCode = authResult.error === "Authentication required" ? MCP_AUTH_ERROR_CODES.AUTH_REQUIRED : MCP_AUTH_ERROR_CODES.AUTH_INVALID;
-        hint = "Include Authorization: Bearer sk_live_xxx header";
-      } else {
-        errorCode = authResult.error?.includes("revoked") ? MCP_AUTH_ERROR_CODES.AUTH_REVOKED : MCP_AUTH_ERROR_CODES.AUTH_FORBIDDEN;
-        hint = "API key has been revoked or tenant is inactive";
-      }
-      res.status(authResult.httpStatus || 401).json(createJsonRpcError(errorCode, authResult.error || "Authentication failed", hint));
-      return;
-    }
-    req.mcpTenantContext = authResult.tenant;
-    log.debug(
-      `[mcp-auth] Auth successful for tenant: ${authResult.tenant?.tenantId?.substring(0, 8)}...`
-    );
-    next();
-  };
-}
-var MCP_AUTH_ERRORS = MCP_AUTH_ERROR_CODES;
-
-export {
-  createJsonRpcError,
-  parseBearerToken,
-  validateMcpApiKey,
-  createMcpAuthMiddleware,
-  MCP_AUTH_ERRORS
-};

package/dist/chunk-6YECVENJ.js

@@ -1,208 +0,0 @@
-import {
-  log
-} from "./chunk-GKGHMPEC.js";
-
-// src/db/client.ts
-import { PrismaClient } from "@prisma/client";
-import { PrismaClient as PrismaClient2 } from "@prisma/client";
-var prismaInstance = null;
-function getPrismaClient() {
-  if (!prismaInstance) {
-    log.debug("Creating new Prisma client instance");
-    prismaInstance = new PrismaClient({
-      log: process.env.DEBUG === "true" ? ["query", "info", "warn", "error"] : ["error"]
-    });
-  }
-  return prismaInstance;
-}
-async function disconnectPrisma() {
-  if (prismaInstance) {
-    log.debug("Disconnecting Prisma client");
-    await prismaInstance.$disconnect();
-    prismaInstance = null;
-  }
-}
-var prisma = getPrismaClient();
-
-// src/session/store.ts
-var SessionStore = class {
-  cleanupInterval = null;
-  prisma = getPrismaClient();
-  SESSION_TTL_MS = 24 * 60 * 60 * 1e3;
-  // 24 hours
-  /**
-   * Retrieve session data by session ID
-   * @param sessionId - Unique session identifier
-   * @returns SessionData if valid and not expired, null otherwise
-   */
-  async get(sessionId) {
-    try {
-      const session = await this.prisma.tenantSession.findUnique({
-        where: { id: sessionId },
-        select: {
-          tenantId: true,
-          expiresAt: true
-        }
-      });
-      if (!session) {
-        return null;
-      }
-      const expiresAt = session.expiresAt.getTime();
-      if (expiresAt < Date.now()) {
-        await this.prisma.tenantSession.delete({
-          where: { id: sessionId }
-        }).catch(() => {
-        });
-        return null;
-      }
-      return {
-        tenantId: session.tenantId,
-        expiresAt
-      };
-    } catch (error) {
-      log.error("Failed to retrieve session", error instanceof Error ? error : void 0);
-      return null;
-    }
-  }
-  /**
-   * Store session data with automatic 24-hour expiration
-   * @param sessionId - Unique session identifier
-   * @param data - Session data (tenantId)
-   */
-  async set(sessionId, data) {
-    const expiresAt = new Date(Date.now() + this.SESSION_TTL_MS);
-    try {
-      await this.prisma.tenantSession.upsert({
-        where: { id: sessionId },
-        update: {
-          expiresAt
-        },
-        create: {
-          id: sessionId,
-          tenantId: data.tenantId,
-          expiresAt
-        }
-      });
-    } catch (error) {
-      log.error("Failed to store session", error instanceof Error ? error : void 0);
-      throw error;
-    }
-  }
-  /**
-   * Delete a specific session
-   * @param sessionId - Session identifier to delete
-   */
-  async delete(sessionId) {
-    try {
-      await this.prisma.tenantSession.delete({
-        where: { id: sessionId }
-      });
-    } catch (error) {
-      if (error && typeof error === "object" && "code" in error && error.code !== "P2025") {
-        log.error("Failed to delete session", error instanceof Error ? error : void 0);
-      }
-    }
-  }
-  /**
-   * Delete all sessions for a specific tenant
-   * Used when a tenant changes their password for security
-   * @param tenantId - Tenant identifier
-   */
-  async deleteByTenantId(tenantId) {
-    try {
-      await this.prisma.tenantSession.deleteMany({
-        where: { tenantId }
-      });
-      log.debug(`Deleted all sessions for tenant ${tenantId}`);
-    } catch (error) {
-      log.error("Failed to delete tenant sessions", error instanceof Error ? error : void 0);
-      throw error;
-    }
-  }
-  /**
-   * Remove all expired sessions from the store
-   */
-  async cleanup() {
-    try {
-      const result = await this.prisma.tenantSession.deleteMany({
-        where: {
-          expiresAt: {
-            lt: /* @__PURE__ */ new Date()
-          }
-        }
-      });
-      if (result.count > 0) {
-        log.debug(`Cleaned up ${result.count} expired sessions`);
-      }
-    } catch (error) {
-      log.error("Session cleanup failed", error instanceof Error ? error : void 0);
-    }
-  }
-  /**
-   * Start automatic cleanup task (runs every 10 minutes)
-   * @returns Timer handle for cleanup task
-   */
-  startCleanup() {
-    if (this.cleanupInterval) {
-      return this.cleanupInterval;
-    }
-    this.cleanupInterval = setInterval(
-      () => {
-        this.cleanup().catch((error) => {
-          log.error("Background session cleanup error", error instanceof Error ? error : void 0);
-        });
-      },
-      10 * 60 * 1e3
-    );
-    this.cleanupInterval.unref();
-    log.info("Session cleanup background task started (runs every 10 minutes)");
-    return this.cleanupInterval;
-  }
-  /**
-   * Stop the automatic cleanup task
-   */
-  stopCleanup() {
-    if (this.cleanupInterval) {
-      clearInterval(this.cleanupInterval);
-      this.cleanupInterval = null;
-      log.info("Session cleanup background task stopped");
-    }
-  }
-  /**
-   * Get the number of active sessions (for testing/monitoring)
-   */
-  async size() {
-    try {
-      return await this.prisma.tenantSession.count({
-        where: {
-          expiresAt: {
-            gte: /* @__PURE__ */ new Date()
-          }
-        }
-      });
-    } catch (error) {
-      log.error("Failed to count sessions", error instanceof Error ? error : void 0);
-      return 0;
-    }
-  }
-  /**
-   * Clear all sessions (for testing)
-   */
-  async clear() {
-    try {
-      await this.prisma.tenantSession.deleteMany();
-    } catch (error) {
-      log.error("Failed to clear sessions", error instanceof Error ? error : void 0);
-      throw error;
-    }
-  }
-};
-var sessionStore = new SessionStore();
-
-export {
-  getPrismaClient,
-  disconnectPrisma,
-  prisma,
-  SessionStore,
-  sessionStore
-};