npm - @anton.andrusenko/shopify-mcp-admin - Versions diffs - 2.1.2 → 2.3.0 - Mend

@anton.andrusenko/shopify-mcp-admin 2.1.2 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/README.md +400 -18
package/dist/{chunk-QXLLD2A7.js → chunk-5QMYOO4B.js} +20 -4
package/dist/chunk-EQUN4XCH.js +257 -0
package/dist/{chunk-UXI33LQD.js → chunk-JU5IFCVJ.js} +1 -1
package/dist/chunk-RBXQOPVF.js +14743 -0
package/dist/dashboard/assets/index-ClITn1me.css +1 -0
package/dist/dashboard/assets/index-Cvo1L2xM.js +126 -0
package/dist/dashboard/assets/index-Cvo1L2xM.js.map +1 -0
package/dist/dashboard/index.html +6 -3
package/dist/dashboard/mcp-icon.svg +34 -0
package/dist/index.js +6678 -16909
package/dist/mcp-auth-CWOWKID3.js +24 -0
package/dist/{security-XP6MXK5B.js → security-44M6F2QU.js} +17 -3
package/dist/{store-FM7HCQVW.js → store-JK2ZU6DR.js} +2 -2
package/dist/tools-BCI3Z2AW.js +82 -0
package/package.json +13 -2
package/dist/chunk-DCQTHXKI.js +0 -124
package/dist/dashboard/assets/index-BSh6M640.js +0 -107
package/dist/dashboard/assets/index-BSh6M640.js.map +0 -1
package/dist/dashboard/assets/index-DLoVESj2.css +0 -1
package/dist/mcp-auth-2WVQELV5.js +0 -16

package/dist/mcp-auth-CWOWKID3.js ADDED Viewed

@@ -0,0 +1,24 @@
+import {
+  MCP_AUTH_ERRORS,
+  createJsonRpcError,
+  createMcpAuthMiddleware,
+  getWwwAuthenticateHeader,
+  isOAuthAccessToken,
+  parseBearerToken,
+  validateMcpApiKey,
+  validateMcpBearerToken,
+  validateOAuthAccessToken
+} from "./chunk-EQUN4XCH.js";
+import "./chunk-5QMYOO4B.js";
+import "./chunk-EGGOXEIC.js";
+export {
+  MCP_AUTH_ERRORS,
+  createJsonRpcError,
+  createMcpAuthMiddleware,
+  getWwwAuthenticateHeader,
+  isOAuthAccessToken,
+  parseBearerToken,
+  validateMcpApiKey,
+  validateMcpBearerToken,
+  validateOAuthAccessToken
+};

package/dist/{security-XP6MXK5B.js → security-44M6F2QU.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 import {
   log
-} from "./chunk-QXLLD2A7.js";
+} from "./chunk-5QMYOO4B.js";
 import "./chunk-EGGOXEIC.js";
 // src/middleware/security.ts
@@ -12,7 +12,12 @@ var DEFAULT_SECURITY_OPTIONS = {
   enableSecurityHeaders: true
 };
 var CORS_ALLOWED_METHODS = ["GET", "POST", "DELETE", "OPTIONS"];
-var CORS_ALLOWED_HEADERS = ["Content-Type", "Authorization", "Mcp-Session-Id"];
+var CORS_ALLOWED_HEADERS = [
+  "Content-Type",
+  "Authorization",
+  "Mcp-Session-Id",
+  "MCP-Protocol-Version"
+];
 var CORS_MAX_AGE = 86400;
 var SECURITY_HEADERS = {
   "X-Frame-Options": "DENY",
@@ -51,7 +56,16 @@ function createCorsMiddleware(options) {
     // Allowed HTTP methods
     methods: CORS_ALLOWED_METHODS,
     // Allowed request headers
-    allowedHeaders: CORS_ALLOWED_HEADERS,
+    //
+    // IMPORTANT: For browser-based MCP clients (Claude custom connectors), the client may
+    // include additional non-simple headers (e.g. tracing or client metadata). If we
+    // hardcode allowedHeaders, CORS preflight can fail and the connector will remain
+    // "Disconnected" even though OAuth succeeds.
+    //
+    // The `cors` package will, by default, reflect `Access-Control-Request-Headers` from
+    // the preflight request when `allowedHeaders` is not explicitly set.
+    //
+    // We keep CORS_ALLOWED_HEADERS exported for documentation/tests, but do not enforce it.
     // Headers exposed to browser JavaScript
     exposedHeaders: opts.exposedHeaders,
     // Allow credentials (cookies, authorization headers)

package/dist/{store-FM7HCQVW.js → store-JK2ZU6DR.js} RENAMED Viewed

@@ -1,8 +1,8 @@
 import {
   SessionStore,
   sessionStore
-} from "./chunk-UXI33LQD.js";
-import "./chunk-QXLLD2A7.js";
+} from "./chunk-JU5IFCVJ.js";
+import "./chunk-5QMYOO4B.js";
 import "./chunk-EGGOXEIC.js";
 export {
   SessionStore,

package/dist/tools-BCI3Z2AW.js ADDED Viewed

@@ -0,0 +1,82 @@
+import {
+  GID_PATTERN,
+  LOCALE_CODE_PATTERN,
+  articleIdSchema,
+  blogIdSchema,
+  clearRegisteredTools,
+  collectionIdSchema,
+  convertZodToJsonSchema,
+  createHandlerWithContext,
+  deriveDefaultAnnotations,
+  disableTool,
+  enableTool,
+  getAllRegisteredToolNames,
+  getRegisteredTools,
+  getToolByName,
+  getToolCount,
+  getToolNames,
+  gidSchema,
+  imageIdSchema,
+  inventoryItemIdSchema,
+  isToolEnabled,
+  isToolRegistered,
+  isValidToolName,
+  localeCodeSchema,
+  locationIdSchema,
+  marketIdSchema,
+  pageIdSchema,
+  productIdSchema,
+  redirectIdSchema,
+  registerAllTools,
+  registerContextAwareTool,
+  registerTool,
+  resetToolEnabledState,
+  setToolListChangedCallback,
+  validateInput,
+  validateToolName,
+  variantIdSchema,
+  webPresenceIdSchema,
+  wrapToolHandler
+} from "./chunk-RBXQOPVF.js";
+import "./chunk-5QMYOO4B.js";
+import "./chunk-EGGOXEIC.js";
+export {
+  GID_PATTERN,
+  LOCALE_CODE_PATTERN,
+  articleIdSchema,
+  blogIdSchema,
+  clearRegisteredTools,
+  collectionIdSchema,
+  convertZodToJsonSchema,
+  createHandlerWithContext,
+  deriveDefaultAnnotations,
+  disableTool,
+  enableTool,
+  getAllRegisteredToolNames,
+  getRegisteredTools,
+  getToolByName,
+  getToolCount,
+  getToolNames,
+  gidSchema,
+  imageIdSchema,
+  inventoryItemIdSchema,
+  isToolEnabled,
+  isToolRegistered,
+  isValidToolName,
+  localeCodeSchema,
+  locationIdSchema,
+  marketIdSchema,
+  pageIdSchema,
+  productIdSchema,
+  redirectIdSchema,
+  registerAllTools,
+  registerContextAwareTool,
+  registerTool,
+  resetToolEnabledState,
+  setToolListChangedCallback,
+  validateInput,
+  validateToolName,
+  variantIdSchema,
+  webPresenceIdSchema,
+  wrapToolHandler
+};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@anton.andrusenko/shopify-mcp-admin",
-  "version": "2.1.2",
+  "version": "2.3.0",
   "description": "MCP server for Shopify Admin API - enables AI agents to manage Shopify stores with 79 tools for products, inventory, collections, content, SEO, metafields, markets & translations",
   "type": "module",
   "main": "./dist/index.js",
@@ -22,6 +22,7 @@
     "typecheck": "tsc --noEmit",
     "test": "vitest --run",
     "test:watch": "vitest",
+    "test:react": "vitest --run --config vitest.react.config.ts",
     "test:coverage": "vitest run --coverage",
     "test:integration": "vitest run tests/integration/*.test.ts --testTimeout=60000",
     "test:e2e": "playwright test",
@@ -35,7 +36,9 @@
     "ci": "npm run lint && npm run typecheck && npm run test && npm run build",
     "version:patch": "npm version patch --no-git-tag-version",
     "version:minor": "npm version minor --no-git-tag-version",
-    "version:major": "npm version major --no-git-tag-version"
+    "version:major": "npm version major --no-git-tag-version",
+    "seed:oauth": "npx tsx scripts/seed-oauth-test-data.ts",
+    "db:studio": "npx prisma studio"
   },
   "keywords": [
     "shopify",
@@ -82,6 +85,7 @@
     "@radix-ui/react-dropdown-menu": "^2.1.16",
     "@radix-ui/react-hover-card": "^1.1.15",
     "@radix-ui/react-label": "^2.1.8",
+    "@radix-ui/react-popover": "^1.1.15",
     "@radix-ui/react-progress": "^1.1.8",
     "@radix-ui/react-scroll-area": "^1.2.10",
     "@radix-ui/react-select": "^2.2.6",
@@ -94,18 +98,21 @@
     "@sentry/node": "^10.29.0",
     "@shopify/shopify-api": "^11.14.1",
     "@tanstack/react-query": "^5.90.11",
+    "@tanstack/react-table": "^8.21.3",
     "bcrypt": "^5.1.1",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
     "cmdk": "^1.1.1",
     "cookie-parser": "^1.4.7",
     "cors": "^2.8.5",
+    "date-fns": "^4.1.0",
     "express": "^5.1.0",
     "express-rate-limit": "^8.2.1",
     "lucide-react": "^0.555.0",
     "pino": "^9.14.0",
     "prom-client": "^15.1.3",
     "react": "^19.2.1",
+    "react-day-picker": "^9.13.0",
     "react-dom": "^19.2.1",
     "react-hook-form": "^7.67.0",
     "react-router-dom": "^7.10.0",
@@ -120,6 +127,9 @@
     "@biomejs/biome": "^1.9.4",
     "@playwright/test": "^1.57.0",
     "@tailwindcss/vite": "^4.1.17",
+    "@testing-library/jest-dom": "^6.9.1",
+    "@testing-library/react": "^16.3.1",
+    "@testing-library/user-event": "^14.6.1",
     "@types/bcrypt": "^5.0.2",
     "@types/cookie-parser": "^1.4.10",
     "@types/cors": "^2.8.19",
@@ -131,6 +141,7 @@
     "@vitejs/plugin-react": "^5.1.1",
     "@vitest/coverage-v8": "^3.2.4",
     "autoprefixer": "^10.4.22",
+    "jsdom": "^27.3.0",
     "pino-pretty": "^11.3.0",
     "postcss": "^8.5.6",
     "prisma": "^6.0.0",

package/dist/chunk-DCQTHXKI.js DELETED Viewed

@@ -1,124 +0,0 @@
-import {
-  log
-} from "./chunk-QXLLD2A7.js";
-// src/middleware/mcp-auth.ts
-var MCP_AUTH_ERROR_CODES = {
-  AUTH_REQUIRED: -32001,
-  // Missing authentication
-  AUTH_INVALID: -32002,
-  // Invalid API key format or key
-  AUTH_REVOKED: -32003,
-  // API key has been revoked
-  AUTH_FORBIDDEN: -32004
-  // Tenant suspended or no access
-};
-function createJsonRpcError(code, message, hint) {
-  const error = {
-    jsonrpc: "2.0",
-    error: {
-      code,
-      message
-    },
-    id: null
-  };
-  if (hint) {
-    error.error.data = { hint };
-  }
-  return error;
-}
-function parseBearerToken(authHeader) {
-  if (!authHeader) {
-    return null;
-  }
-  const parts = authHeader.split(" ");
-  if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") {
-    return null;
-  }
-  const token = parts[1];
-  if (!token || token.trim() === "") {
-    return null;
-  }
-  return token;
-}
-async function validateMcpApiKey(authHeader, apiKeyService, prisma) {
-  const token = parseBearerToken(authHeader);
-  if (!token) {
-    return {
-      valid: false,
-      error: "Authentication required",
-      httpStatus: 401
-    };
-  }
-  const validationResult = await apiKeyService.validate(token);
-  if (!validationResult.valid) {
-    const isRevoked = validationResult.error?.includes("revoked");
-    return {
-      valid: false,
-      error: validationResult.error || "Invalid API key",
-      httpStatus: isRevoked ? 403 : 401
-    };
-  }
-  const tenant = validationResult.tenant;
-  const tenantShops = await prisma.tenantShop.findMany({
-    where: {
-      tenantId: tenant.tenantId,
-      uninstalledAt: null
-      // Only active shops
-    },
-    select: {
-      shopDomain: true,
-      scopes: true
-    }
-  });
-  const allowedShops = tenantShops.map((shop) => shop.shopDomain);
-  const mcpTenantContext = {
-    tenantId: tenant.tenantId,
-    email: tenant.email,
-    defaultShop: validationResult.shop,
-    allowedShops
-  };
-  return {
-    valid: true,
-    tenant: mcpTenantContext
-  };
-}
-function createMcpAuthMiddleware(options) {
-  const { apiKeyService, prisma, isRemote } = options;
-  return async (req, res, next) => {
-    if (!isRemote) {
-      log.debug("[mcp-auth] Local mode: skipping API key validation");
-      next();
-      return;
-    }
-    const authResult = await validateMcpApiKey(req.headers.authorization, apiKeyService, prisma);
-    if (!authResult.valid) {
-      log.debug(`[mcp-auth] Auth failed: ${authResult.error}`);
-      let errorCode;
-      let hint;
-      if (authResult.httpStatus === 401) {
-        errorCode = authResult.error === "Authentication required" ? MCP_AUTH_ERROR_CODES.AUTH_REQUIRED : MCP_AUTH_ERROR_CODES.AUTH_INVALID;
-        hint = "Include Authorization: Bearer sk_live_xxx header";
-      } else {
-        errorCode = authResult.error?.includes("revoked") ? MCP_AUTH_ERROR_CODES.AUTH_REVOKED : MCP_AUTH_ERROR_CODES.AUTH_FORBIDDEN;
-        hint = "API key has been revoked or tenant is inactive";
-      }
-      res.status(authResult.httpStatus || 401).json(createJsonRpcError(errorCode, authResult.error || "Authentication failed", hint));
-      return;
-    }
-    req.mcpTenantContext = authResult.tenant;
-    log.debug(
-      `[mcp-auth] Auth successful for tenant: ${authResult.tenant?.tenantId?.substring(0, 8)}...`
-    );
-    next();
-  };
-}
-var MCP_AUTH_ERRORS = MCP_AUTH_ERROR_CODES;
-export {
-  createJsonRpcError,
-  parseBearerToken,
-  validateMcpApiKey,
-  createMcpAuthMiddleware,
-  MCP_AUTH_ERRORS
-};