@anton.andrusenko/shopify-mcp-admin 2.1.1 → 2.1.2

package/README.md

@@ -1249,17 +1249,27 @@ All checks must pass before merging pull requests.
 To publish a new version to npm:
 
 ```bash
-# 1. Update version (creates git tag automatically)
-npm version patch  # or minor, or major
-
-# 2. Push commit and tag
-git push origin main --follow-tags
+# 1. Bump version (does NOT create a tag)
+npm run version:patch  # or version:minor, or version:major
+
+# 2. Commit + push the version bump to main (this triggers CI + Railway auto-deploy)
+git add package.json package-lock.json
+git commit -m "Release v$(node -p \"require('./package.json').version\")"
+git push origin main
+
+# 3. Create and push the version tag (this triggers the Release workflow)
+VERSION=$(node -p "require('./package.json').version")
+git tag "v$VERSION"
+git push origin "v$VERSION"
 ```
 
 The release workflow automatically:
-1. Runs all CI checks
-2. Publishes to npm with [provenance](https://docs.npmjs.com/generating-provenance-statements)
-3. Tags the npm package to match the git tag
+1. Reads release notes from `CHANGELOG.md`
+2. Builds the package (including dashboard assets)
+3. Publishes to npm
+4. Creates a GitHub Release
+
+**Important:** The Release workflow triggers on tags (`v*`) and does **not** rerun the full CI matrix. Tag releases only after the `CI` workflow is green for the commit you’re tagging.
 
 ### Repository Setup (for Maintainers)
 

package/dist/chunk-DCQTHXKI.js

@@ -0,0 +1,124 @@
+import {
+  log
+} from "./chunk-QXLLD2A7.js";
+
+// src/middleware/mcp-auth.ts
+var MCP_AUTH_ERROR_CODES = {
+  AUTH_REQUIRED: -32001,
+  // Missing authentication
+  AUTH_INVALID: -32002,
+  // Invalid API key format or key
+  AUTH_REVOKED: -32003,
+  // API key has been revoked
+  AUTH_FORBIDDEN: -32004
+  // Tenant suspended or no access
+};
+function createJsonRpcError(code, message, hint) {
+  const error = {
+    jsonrpc: "2.0",
+    error: {
+      code,
+      message
+    },
+    id: null
+  };
+  if (hint) {
+    error.error.data = { hint };
+  }
+  return error;
+}
+function parseBearerToken(authHeader) {
+  if (!authHeader) {
+    return null;
+  }
+  const parts = authHeader.split(" ");
+  if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") {
+    return null;
+  }
+  const token = parts[1];
+  if (!token || token.trim() === "") {
+    return null;
+  }
+  return token;
+}
+async function validateMcpApiKey(authHeader, apiKeyService, prisma) {
+  const token = parseBearerToken(authHeader);
+  if (!token) {
+    return {
+      valid: false,
+      error: "Authentication required",
+      httpStatus: 401
+    };
+  }
+  const validationResult = await apiKeyService.validate(token);
+  if (!validationResult.valid) {
+    const isRevoked = validationResult.error?.includes("revoked");
+    return {
+      valid: false,
+      error: validationResult.error || "Invalid API key",
+      httpStatus: isRevoked ? 403 : 401
+    };
+  }
+  const tenant = validationResult.tenant;
+  const tenantShops = await prisma.tenantShop.findMany({
+    where: {
+      tenantId: tenant.tenantId,
+      uninstalledAt: null
+      // Only active shops
+    },
+    select: {
+      shopDomain: true,
+      scopes: true
+    }
+  });
+  const allowedShops = tenantShops.map((shop) => shop.shopDomain);
+  const mcpTenantContext = {
+    tenantId: tenant.tenantId,
+    email: tenant.email,
+    defaultShop: validationResult.shop,
+    allowedShops
+  };
+  return {
+    valid: true,
+    tenant: mcpTenantContext
+  };
+}
+function createMcpAuthMiddleware(options) {
+  const { apiKeyService, prisma, isRemote } = options;
+  return async (req, res, next) => {
+    if (!isRemote) {
+      log.debug("[mcp-auth] Local mode: skipping API key validation");
+      next();
+      return;
+    }
+    const authResult = await validateMcpApiKey(req.headers.authorization, apiKeyService, prisma);
+    if (!authResult.valid) {
+      log.debug(`[mcp-auth] Auth failed: ${authResult.error}`);
+      let errorCode;
+      let hint;
+      if (authResult.httpStatus === 401) {
+        errorCode = authResult.error === "Authentication required" ? MCP_AUTH_ERROR_CODES.AUTH_REQUIRED : MCP_AUTH_ERROR_CODES.AUTH_INVALID;
+        hint = "Include Authorization: Bearer sk_live_xxx header";
+      } else {
+        errorCode = authResult.error?.includes("revoked") ? MCP_AUTH_ERROR_CODES.AUTH_REVOKED : MCP_AUTH_ERROR_CODES.AUTH_FORBIDDEN;
+        hint = "API key has been revoked or tenant is inactive";
+      }
+      res.status(authResult.httpStatus || 401).json(createJsonRpcError(errorCode, authResult.error || "Authentication failed", hint));
+      return;
+    }
+    req.mcpTenantContext = authResult.tenant;
+    log.debug(
+      `[mcp-auth] Auth successful for tenant: ${authResult.tenant?.tenantId?.substring(0, 8)}...`
+    );
+    next();
+  };
+}
+var MCP_AUTH_ERRORS = MCP_AUTH_ERROR_CODES;
+
+export {
+  createJsonRpcError,
+  parseBearerToken,
+  validateMcpApiKey,
+  createMcpAuthMiddleware,
+  MCP_AUTH_ERRORS
+};

package/dist/chunk-EGGOXEIC.js

@@ -0,0 +1,249 @@
+// src/config/schema.ts
+import { z } from "zod";
+var configSchema = z.object({
+  // Server operation mode (ADR-008)
+  // local: Single-tenant, credentials via env vars (default)
+  // remote: Multi-tenant, credentials via database
+  SERVER_MODE: z.enum(["local", "remote"]).default("local"),
+  // Database connection URL (required in remote mode)
+  DATABASE_URL: z.string().url().optional().describe("PostgreSQL connection URL for multi-tenant mode"),
+  // Required in local mode - store identity
+  SHOPIFY_STORE_URL: z.string().min(1, "SHOPIFY_STORE_URL is required").regex(/\.myshopify\.com$/, "Must be a valid myshopify.com domain").optional(),
+  // Authentication Option 1: Legacy Custom App (static token)
+  SHOPIFY_ACCESS_TOKEN: z.string().optional(),
+  // Authentication Option 2: Dev Dashboard (OAuth 2.0 client credentials)
+  SHOPIFY_CLIENT_ID: z.string().optional(),
+  SHOPIFY_CLIENT_SECRET: z.string().optional(),
+  // Optional with defaults
+  SHOPIFY_API_VERSION: z.string().default("2025-10"),
+  DEBUG: z.string().optional(),
+  LOG_LEVEL: z.enum(["debug", "info", "warn", "error"]).default("info"),
+  // Log format configuration (Story 13.1: Structured Logging)
+  // json: JSON output for production (default)
+  // pretty: Human-readable output for development
+  LOG_FORMAT: z.enum(["json", "pretty"]).default("json"),
+  PORT: z.string().default("3000").transform(Number),
+  // Transport selection (AC-2.2.6, AC-2.2.7)
+  // Default: stdio for Claude Desktop compatibility
+  TRANSPORT: z.enum(["stdio", "http"]).default("stdio"),
+  // Store info cache TTL (milliseconds)
+  // Default: 5 minutes (300000ms) - configurable for performance tuning
+  STORE_INFO_CACHE_TTL_MS: z.string().optional().default("300000").transform(Number).describe("Cache TTL for store info in milliseconds (default: 5 minutes)"),
+  // Lazy loading configuration (Epic 12)
+  // Default: false - loads all tools at startup for maximum compatibility
+  // Note: Claude Desktop doesn't support dynamic tool refresh via notifications,
+  // so lazy loading is disabled by default. Set to 'true' for clients that
+  // properly handle notifications/tools/list_changed.
+  SHOPIFY_MCP_LAZY_LOADING: z.string().optional().default("false").transform((val) => val === "true" || val === "1").describe("Enable lazy loading of tools via modules (default: false)"),
+  // Role preset configuration (Story 12.3: Progressive Loading)
+  // Automatically loads appropriate modules at startup based on role
+  // Valid roles: inventory-manager, product-manager, content-manager,
+  //              seo-specialist, international-manager, full-access
+  // When not set, only core module is loaded (requires manual module loading)
+  SHOPIFY_MCP_ROLE: z.string().optional().describe("Role preset for automatic module loading at startup"),
+  // AES-256-GCM encryption key for credential protection (Story 6-2)
+  // Must be exactly 64 hex characters (32 bytes = 256 bits)
+  // Required in remote mode for encrypting stored Shopify access tokens
+  // Generate with: openssl rand -hex 32
+  ENCRYPTION_KEY: z.string().regex(
+    /^[0-9a-fA-F]{64}$/,
+    "ENCRYPTION_KEY must be exactly 64 hex characters (32 bytes). Generate with: openssl rand -hex 32"
+  ).optional().describe("AES-256-GCM encryption key for credential protection (required in remote mode)"),
+  // CORS allowed origins configuration (Story 6-7)
+  // Comma-separated list of allowed origins for cross-origin requests
+  // Default: '*' (all origins allowed - suitable for development)
+  // Example: 'https://app.example.com,https://admin.example.com'
+  ALLOWED_ORIGINS: z.string().optional().describe("Comma-separated list of allowed origins for CORS"),
+  // Enable HSTS header (Story 6-7)
+  // When true, sends Strict-Transport-Security header with HTTPS responses
+  // Default: true in remote mode, false in local mode
+  ENABLE_HSTS: z.string().optional().default("false").transform((val) => val === "true" || val === "1").describe("Enable HTTP Strict Transport Security header"),
+  // Metrics endpoint configuration (Story 13-2: Metrics & Monitoring)
+  // Exposes Prometheus-format metrics at /metrics endpoint
+  // Default: true in remote mode (HTTP transport), false in local mode (STDIO)
+  METRICS_ENDPOINT_ENABLED: z.string().optional().transform((val) => val === "true" || val === "1").describe("Enable Prometheus metrics endpoint at /metrics"),
+  // Sentry error tracking DSN (Story 13.7: Production Deployment Infrastructure)
+  // Optional but recommended for production error tracking
+  // Get from: https://sentry.io → Your Project → Settings → Client Keys (DSN)
+  SENTRY_DSN: z.string().url("SENTRY_DSN must be a valid URL").optional().describe("Sentry error tracking DSN (optional but recommended for production)"),
+  // Graceful shutdown drain timeout configuration (Story 13-3: Graceful Shutdown)
+  // Time in seconds to wait for existing connections to complete before force shutdown
+  // Default: 30 seconds, max: 300 seconds (5 minutes)
+  // Railway recommends values less than termination grace period (default 10s)
+  // Kubernetes default terminationGracePeriodSeconds is 30s
+  SHUTDOWN_DRAIN_SECONDS: z.string().optional().default("30").transform(Number).pipe(
+    z.number().int("SHUTDOWN_DRAIN_SECONDS must be an integer").positive("SHUTDOWN_DRAIN_SECONDS must be positive").max(300, "SHUTDOWN_DRAIN_SECONDS cannot exceed 300 seconds (5 minutes)")
+  ).describe("Graceful shutdown drain timeout in seconds (default: 30, max: 300)"),
+  // App URL for OAuth redirects (required in remote mode when OAuth is enabled)
+  // Used as the redirect_uri in OAuth flows
+  APP_URL: z.string().url("APP_URL must be a valid URL").optional().describe("Base URL of the application (required for OAuth redirects in remote mode)")
+}).refine(
+  (data) => {
+    if (data.SERVER_MODE === "remote" && !data.DATABASE_URL) {
+      return false;
+    }
+    return true;
+  },
+  {
+    message: "DATABASE_URL is required when SERVER_MODE=remote. Example: postgresql://user:pass@localhost:5432/dbname",
+    path: ["DATABASE_URL"]
+  }
+).refine(
+  (data) => {
+    if (data.SERVER_MODE === "remote" && !data.ENCRYPTION_KEY) {
+      return false;
+    }
+    return true;
+  },
+  {
+    message: "ENCRYPTION_KEY is required when SERVER_MODE=remote. Generate with: openssl rand -hex 32",
+    path: ["ENCRYPTION_KEY"]
+  }
+).refine(
+  (data) => {
+    if (data.SERVER_MODE === "local" && !data.SHOPIFY_STORE_URL) {
+      return false;
+    }
+    return true;
+  },
+  {
+    message: "SHOPIFY_STORE_URL is required when SERVER_MODE=local",
+    path: ["SHOPIFY_STORE_URL"]
+  }
+).refine(
+  (data) => {
+    if (data.SERVER_MODE === "remote") {
+      return true;
+    }
+    const hasLegacyAuth = !!data.SHOPIFY_ACCESS_TOKEN;
+    const hasClientId = !!data.SHOPIFY_CLIENT_ID;
+    const hasClientSecret = !!data.SHOPIFY_CLIENT_SECRET;
+    const hasClientCredentials = hasClientId && hasClientSecret;
+    return hasLegacyAuth || hasClientCredentials;
+  },
+  {
+    message: "Authentication required: Provide either SHOPIFY_ACCESS_TOKEN (legacy) OR both SHOPIFY_CLIENT_ID and SHOPIFY_CLIENT_SECRET (Dev Dashboard)"
+  }
+).refine(
+  (data) => {
+    if (data.SERVER_MODE === "remote") {
+      return true;
+    }
+    const hasClientId = !!data.SHOPIFY_CLIENT_ID;
+    const hasClientSecret = !!data.SHOPIFY_CLIENT_SECRET;
+    if (hasClientId && !hasClientSecret) {
+      return false;
+    }
+    return true;
+  },
+  {
+    message: "Incomplete client credentials: SHOPIFY_CLIENT_SECRET is required when SHOPIFY_CLIENT_ID is provided"
+  }
+).refine(
+  (data) => {
+    if (data.SERVER_MODE === "remote") {
+      return true;
+    }
+    const hasClientId = !!data.SHOPIFY_CLIENT_ID;
+    const hasClientSecret = !!data.SHOPIFY_CLIENT_SECRET;
+    if (hasClientSecret && !hasClientId) {
+      return false;
+    }
+    return true;
+  },
+  {
+    message: "Incomplete client credentials: SHOPIFY_CLIENT_ID is required when SHOPIFY_CLIENT_SECRET is provided"
+  }
+);
+function getAuthMode(config) {
+  if (config.SHOPIFY_ACCESS_TOKEN) {
+    return "token";
+  }
+  return "client_credentials";
+}
+function isDebugEnabled(debugValue) {
+  if (!debugValue) return false;
+  const normalized = debugValue.toLowerCase().trim();
+  return normalized === "1" || normalized === "true";
+}
+function isLazyLoadingEnabled(config) {
+  return config.SHOPIFY_MCP_LAZY_LOADING;
+}
+function getConfiguredRole(config) {
+  return config.SHOPIFY_MCP_ROLE;
+}
+function getServerMode(config) {
+  return config.SERVER_MODE;
+}
+function isRemoteMode(config) {
+  return config.SERVER_MODE === "remote";
+}
+function getDatabaseUrl(config) {
+  return config.DATABASE_URL;
+}
+function getStoreUrl(config) {
+  return config.SHOPIFY_STORE_URL;
+}
+function requireStoreUrl(config) {
+  if (!config.SHOPIFY_STORE_URL) {
+    throw new Error(
+      "SHOPIFY_STORE_URL is not available in remote mode. Use per-request shop domain instead."
+    );
+  }
+  return config.SHOPIFY_STORE_URL;
+}
+function getEncryptionKey(config) {
+  if (!config.ENCRYPTION_KEY) {
+    return void 0;
+  }
+  return Buffer.from(config.ENCRYPTION_KEY, "hex");
+}
+function requireEncryptionKey(config) {
+  if (!config.ENCRYPTION_KEY) {
+    throw new Error(
+      "ENCRYPTION_KEY is required in remote mode. Generate with: openssl rand -hex 32"
+    );
+  }
+  return Buffer.from(config.ENCRYPTION_KEY, "hex");
+}
+function getAllowedOrigins(config) {
+  if (!config.ALLOWED_ORIGINS) {
+    return ["*"];
+  }
+  return config.ALLOWED_ORIGINS.split(",").map((origin) => origin.trim()).filter((origin) => origin.length > 0);
+}
+function isHSTSEnabled(config) {
+  return config.ENABLE_HSTS;
+}
+function isMetricsEnabled(config) {
+  if (config.METRICS_ENDPOINT_ENABLED !== void 0) {
+    return config.METRICS_ENDPOINT_ENABLED;
+  }
+  return config.SERVER_MODE === "remote" && config.TRANSPORT === "http";
+}
+function getShutdownDrainMs(config) {
+  return config.SHUTDOWN_DRAIN_SECONDS * 1e3;
+}
+function getShutdownDrainSeconds(config) {
+  return config.SHUTDOWN_DRAIN_SECONDS;
+}
+
+export {
+  configSchema,
+  getAuthMode,
+  isDebugEnabled,
+  isLazyLoadingEnabled,
+  getConfiguredRole,
+  getServerMode,
+  isRemoteMode,
+  getDatabaseUrl,
+  getStoreUrl,
+  requireStoreUrl,
+  getEncryptionKey,
+  requireEncryptionKey,
+  getAllowedOrigins,
+  isHSTSEnabled,
+  isMetricsEnabled,
+  getShutdownDrainMs,
+  getShutdownDrainSeconds
+};

package/dist/chunk-QXLLD2A7.js

@@ -0,0 +1,130 @@
+import {
+  configSchema,
+  isDebugEnabled
+} from "./chunk-EGGOXEIC.js";
+
+// src/config/index.ts
+var _config = null;
+function getConfig() {
+  if (_config !== null) {
+    return _config;
+  }
+  const result = configSchema.safeParse(process.env);
+  if (!result.success) {
+    const errors = result.error.errors.map((err) => {
+      const path = err.path.join(".");
+      return `  - ${path}: ${err.message}`;
+    });
+    console.error("Configuration error:");
+    console.error(errors.join("\n"));
+    process.exit(1);
+  }
+  _config = result.data;
+  return _config;
+}
+
+// src/utils/logger.ts
+var SANITIZATION_PATTERNS = [
+  { pattern: /shpat_[a-zA-Z0-9]+/g, replacement: "[REDACTED]" },
+  { pattern: /shpua_[a-zA-Z0-9]+/g, replacement: "[REDACTED]" },
+  { pattern: /Bearer\s+[a-zA-Z0-9_-]+/g, replacement: "Bearer [REDACTED]" },
+  { pattern: /access_token[=:]\s*[a-zA-Z0-9_-]+/gi, replacement: "access_token=[REDACTED]" },
+  { pattern: /client_secret[=:]\s*[a-zA-Z0-9_-]+/gi, replacement: "client_secret=[REDACTED]" }
+];
+function sanitizeLogMessage(message) {
+  let result = message;
+  for (const { pattern, replacement } of SANITIZATION_PATTERNS) {
+    result = result.replace(pattern, replacement);
+  }
+  return result;
+}
+function sanitizeObject(obj, seen = /* @__PURE__ */ new WeakSet()) {
+  if (typeof obj === "string") {
+    return sanitizeLogMessage(obj);
+  }
+  if (obj === null || typeof obj !== "object") {
+    return obj;
+  }
+  if (seen.has(obj)) {
+    return "[Circular]";
+  }
+  seen.add(obj);
+  if (Array.isArray(obj)) {
+    return obj.map((item) => sanitizeObject(item, seen));
+  }
+  const result = {};
+  for (const [key, value] of Object.entries(obj)) {
+    result[key] = sanitizeObject(value, seen);
+  }
+  return result;
+}
+function safeStringify(data) {
+  try {
+    const seen = /* @__PURE__ */ new WeakSet();
+    return JSON.stringify(data, (_key, value) => {
+      if (typeof value === "object" && value !== null) {
+        if (seen.has(value)) {
+          return "[Circular]";
+        }
+        seen.add(value);
+      }
+      return value;
+    });
+  } catch {
+    return "[Unable to stringify]";
+  }
+}
+var log = {
+  /**
+   * Debug level logging - only outputs when DEBUG=1 or DEBUG=true
+   *
+   * @param msg - Debug message
+   * @param data - Optional data object to include (JSON-stringified)
+   */
+  debug: (msg, data) => {
+    if (isDebugEnabled(process.env.DEBUG)) {
+      const sanitizedMsg = sanitizeLogMessage(msg);
+      if (data) {
+        const sanitizedData = sanitizeObject(data);
+        const dataStr = safeStringify(sanitizedData);
+        console.error(`[DEBUG] ${sanitizedMsg} ${dataStr}`);
+      } else {
+        console.error(`[DEBUG] ${sanitizedMsg}`);
+      }
+    }
+  },
+  /**
+   * Info level logging
+   *
+   * @param msg - Info message
+   */
+  info: (msg) => {
+    console.error(`[INFO] ${sanitizeLogMessage(msg)}`);
+  },
+  /**
+   * Warning level logging
+   *
+   * @param msg - Warning message
+   */
+  warn: (msg) => {
+    console.error(`[WARN] ${sanitizeLogMessage(msg)}`);
+  },
+  /**
+   * Error level logging
+   *
+   * @param msg - Error message
+   * @param err - Optional Error object (stack trace shown when DEBUG enabled)
+   */
+  error: (msg, err) => {
+    console.error(`[ERROR] ${sanitizeLogMessage(msg)}`);
+    if (err && isDebugEnabled(process.env.DEBUG)) {
+      console.error(sanitizeLogMessage(err.stack || err.message));
+    }
+  }
+};
+
+export {
+  getConfig,
+  sanitizeLogMessage,
+  log
+};