@anton.andrusenko/shopify-mcp-admin 2.2.1 → 2.4.0

package/dist/{chunk-JU5IFCVJ.js → chunk-CJXPHNYT.js}

@@ -1,6 +1,6 @@
 import {
   log
-} from "./chunk-5QMYOO4B.js";
+} from "./chunk-CZJ7LSEO.js";
 
 // src/db/client.ts
 import { PrismaClient } from "@prisma/client";
@@ -11,10 +11,44 @@ function getPrismaClient() {
     log.debug("Creating new Prisma client instance");
     prismaInstance = new PrismaClient({
       log: process.env.DEBUG === "true" ? ["query", "info", "warn", "error"] : ["error"]
+      // Note: Connection pool settings are configured via DATABASE_URL query params:
+      // - connection_limit: Max connections in pool (default: num_cpus * 2 + 1)
+      // - pool_timeout: Seconds to wait for available connection (default: 10)
+      // - connect_timeout: Seconds to wait for initial connection (default: 5)
+      // Example: postgresql://...?connection_limit=10&pool_timeout=30&connect_timeout=10
+      //
+      // For serverless databases (Neon, Supabase), also consider:
+      // - pgbouncer=true: Required if using PgBouncer connection pooler
     });
   }
   return prismaInstance;
 }
+async function warmupDatabase() {
+  const prisma2 = getPrismaClient();
+  const maxRetries = 3;
+  const retryDelayMs = 1e3;
+  for (let attempt = 1; attempt <= maxRetries; attempt++) {
+    try {
+      const startTime = Date.now();
+      await prisma2.$connect();
+      await prisma2.$queryRaw`SELECT 1`;
+      const duration = Date.now() - startTime;
+      log.info(`Database warmup completed in ${duration}ms`);
+      return;
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Unknown error";
+      if (attempt < maxRetries) {
+        log.warn(
+          `Database warmup attempt ${attempt}/${maxRetries} failed: ${message}, retrying in ${retryDelayMs}ms...`
+        );
+        await new Promise((resolve) => setTimeout(resolve, retryDelayMs * attempt));
+      } else {
+        log.error(`Database warmup failed after ${maxRetries} attempts: ${message}`);
+        throw error;
+      }
+    }
+  }
+}
 async function disconnectPrisma() {
   if (prismaInstance) {
     log.debug("Disconnecting Prisma client");
@@ -201,6 +235,7 @@ var sessionStore = new SessionStore();
 
 export {
   getPrismaClient,
+  warmupDatabase,
   disconnectPrisma,
   prisma,
   SessionStore,

package/dist/chunk-CZJ7LSEO.js

@@ -0,0 +1,251 @@
+import {
+  configSchema,
+  isDebugEnabled
+} from "./chunk-EGGOXEIC.js";
+
+// src/config/index.ts
+var _config = null;
+function getConfig() {
+  if (_config !== null) {
+    return _config;
+  }
+  const result = configSchema.safeParse(process.env);
+  if (!result.success) {
+    const errors = result.error.errors.map((err) => {
+      const path = err.path.join(".");
+      return `  - ${path}: ${err.message}`;
+    });
+    console.error("Configuration error:");
+    console.error(errors.join("\n"));
+    process.exit(1);
+  }
+  _config = result.data;
+  return _config;
+}
+
+// src/logging/sanitize.ts
+var MAX_STRING_LENGTH = 1e3;
+var MAX_ARRAY_ITEMS = 10;
+var MAX_RECURSION_DEPTH = 5;
+var MAX_OUTPUT_BYTES = 5e3;
+var TOKEN_PATTERNS = [
+  // Shopify access tokens (shpat_xxx, shpua_xxx) - include underscores in the pattern
+  { pattern: /shpat_[a-zA-Z0-9_]+/g, replacement: "[REDACTED]" },
+  { pattern: /shpua_[a-zA-Z0-9_]+/g, replacement: "[REDACTED]" },
+  // Bearer tokens
+  { pattern: /Bearer\s+[a-zA-Z0-9_.-]+/g, replacement: "Bearer [REDACTED]" },
+  // OAuth access tokens and secrets (mcp_access_xxx, mcp_secret_xxx, mcp_client_xxx)
+  { pattern: /mcp_access_[a-zA-Z0-9_-]+/g, replacement: "[REDACTED]" },
+  { pattern: /mcp_secret_[a-zA-Z0-9_-]+/g, replacement: "[REDACTED]" },
+  { pattern: /mcp_client_[a-zA-Z0-9_-]+/g, replacement: "[REDACTED]" },
+  // Live/test API keys (sk_live_xxx, sk_test_xxx)
+  { pattern: /sk_live_[a-zA-Z0-9_-]+/g, replacement: "[REDACTED]" },
+  { pattern: /sk_test_[a-zA-Z0-9_-]+/g, replacement: "[REDACTED]" },
+  // Generic access_token and client_secret patterns
+  { pattern: /access_token[=:]\s*[a-zA-Z0-9_.-]+/gi, replacement: "access_token=[REDACTED]" },
+  { pattern: /client_secret[=:]\s*[a-zA-Z0-9_.-]+/gi, replacement: "client_secret=[REDACTED]" }
+];
+function redactTokens(text) {
+  let result = text;
+  for (const { pattern, replacement } of TOKEN_PATTERNS) {
+    result = result.replace(pattern, replacement);
+  }
+  return result;
+}
+function truncateString(text, maxLength = MAX_STRING_LENGTH) {
+  if (text.length <= maxLength) {
+    return text;
+  }
+  return `${text.substring(0, maxLength)}...[TRUNCATED]`;
+}
+function sanitizeParams(params, depth = 0) {
+  if (depth > MAX_RECURSION_DEPTH) {
+    return "[TRUNCATED]";
+  }
+  if (params === null || params === void 0) {
+    return params;
+  }
+  if (typeof params === "string") {
+    const redacted = redactTokens(params);
+    return truncateString(redacted);
+  }
+  if (typeof params !== "object") {
+    return params;
+  }
+  if (Array.isArray(params)) {
+    const limited = params.slice(0, MAX_ARRAY_ITEMS);
+    return limited.map((item) => sanitizeParams(item, depth + 1));
+  }
+  const result = {};
+  for (const [key, value] of Object.entries(params)) {
+    result[key] = sanitizeParams(value, depth + 1);
+  }
+  return result;
+}
+function getByteSize(value) {
+  try {
+    return JSON.stringify(value).length;
+  } catch {
+    return 0;
+  }
+}
+function truncateOutput(output, maxBytes = MAX_OUTPUT_BYTES) {
+  const sanitized = sanitizeParams(output);
+  const size = getByteSize(sanitized);
+  if (size <= maxBytes) {
+    return sanitized;
+  }
+  if (typeof sanitized === "object" && sanitized !== null && !Array.isArray(sanitized)) {
+    const obj = sanitized;
+    if ("data" in obj || "errors" in obj) {
+      const result = {};
+      if (obj.errors) {
+        result.errors = obj.errors;
+      }
+      if (obj.data) {
+        result.data = "[TRUNCATED - output exceeded 5KB]";
+      }
+      if (obj.extensions && getByteSize(obj.extensions) < 200) {
+        result.extensions = obj.extensions;
+      }
+      return result;
+    }
+    return {
+      _truncated: true,
+      _message: `Output truncated: ${size} bytes exceeded ${maxBytes} byte limit`,
+      _keys: Object.keys(obj).slice(0, 10)
+    };
+  }
+  if (Array.isArray(sanitized)) {
+    return {
+      _truncated: true,
+      _message: `Array truncated: ${sanitized.length} items, ${size} bytes exceeded ${maxBytes} byte limit`,
+      _sample: sanitized.slice(0, 3)
+    };
+  }
+  return "[TRUNCATED - output exceeded 5KB]";
+}
+function sanitizeErrorMessage(error) {
+  if (error instanceof Error) {
+    return truncateString(redactTokens(error.message), 500);
+  }
+  if (typeof error === "string") {
+    return truncateString(redactTokens(error), 500);
+  }
+  return "Unknown error";
+}
+
+// src/utils/logger.ts
+function sanitizeLogMessage(message) {
+  return redactTokens(message);
+}
+function sanitizeObject(obj, seen = /* @__PURE__ */ new WeakSet()) {
+  if (typeof obj === "string") {
+    return sanitizeLogMessage(obj);
+  }
+  if (obj === null || typeof obj !== "object") {
+    return obj;
+  }
+  if (seen.has(obj)) {
+    return "[Circular]";
+  }
+  seen.add(obj);
+  if (Array.isArray(obj)) {
+    return obj.map((item) => sanitizeObject(item, seen));
+  }
+  const result = {};
+  for (const [key, value] of Object.entries(obj)) {
+    result[key] = sanitizeObject(value, seen);
+  }
+  return result;
+}
+function safeStringify(data) {
+  try {
+    const seen = /* @__PURE__ */ new WeakSet();
+    return JSON.stringify(data, (_key, value) => {
+      if (typeof value === "object" && value !== null) {
+        if (seen.has(value)) {
+          return "[Circular]";
+        }
+        seen.add(value);
+      }
+      return value;
+    });
+  } catch {
+    return "[Unable to stringify]";
+  }
+}
+var log = {
+  /**
+   * Debug level logging - only outputs when DEBUG=1 or DEBUG=true
+   *
+   * @param msg - Debug message
+   * @param data - Optional data object to include (JSON-stringified)
+   */
+  debug: (msg, data) => {
+    if (isDebugEnabled(process.env.DEBUG)) {
+      const sanitizedMsg = sanitizeLogMessage(msg);
+      if (data) {
+        const sanitizedData = sanitizeObject(data);
+        const dataStr = safeStringify(sanitizedData);
+        console.error(`[DEBUG] ${sanitizedMsg} ${dataStr}`);
+      } else {
+        console.error(`[DEBUG] ${sanitizedMsg}`);
+      }
+    }
+  },
+  /**
+   * Info level logging
+   *
+   * @param msg - Info message
+   * @param data - Optional data object to include (JSON-stringified)
+   */
+  info: (msg, data) => {
+    const sanitizedMsg = sanitizeLogMessage(msg);
+    if (data) {
+      const sanitizedData = sanitizeObject(data);
+      const dataStr = safeStringify(sanitizedData);
+      console.error(`[INFO] ${sanitizedMsg} ${dataStr}`);
+    } else {
+      console.error(`[INFO] ${sanitizedMsg}`);
+    }
+  },
+  /**
+   * Warning level logging
+   *
+   * @param msg - Warning message
+   * @param data - Optional data object to include (JSON-stringified)
+   */
+  warn: (msg, data) => {
+    const sanitizedMsg = sanitizeLogMessage(msg);
+    if (data) {
+      const sanitizedData = sanitizeObject(data);
+      const dataStr = safeStringify(sanitizedData);
+      console.error(`[WARN] ${sanitizedMsg} ${dataStr}`);
+    } else {
+      console.error(`[WARN] ${sanitizedMsg}`);
+    }
+  },
+  /**
+   * Error level logging
+   *
+   * @param msg - Error message
+   * @param err - Optional Error object (stack trace shown when DEBUG enabled)
+   */
+  error: (msg, err) => {
+    console.error(`[ERROR] ${sanitizeLogMessage(msg)}`);
+    if (err && isDebugEnabled(process.env.DEBUG)) {
+      console.error(sanitizeLogMessage(err.stack || err.message));
+    }
+  }
+};
+
+export {
+  getConfig,
+  redactTokens,
+  sanitizeParams,
+  truncateOutput,
+  sanitizeErrorMessage,
+  sanitizeLogMessage,
+  log
+};

package/dist/{chunk-PQKNBYJN.js → chunk-H36XQ6QK.js}

@@ -1,6 +1,6 @@
 import {
   log
-} from "./chunk-5QMYOO4B.js";
+} from "./chunk-CZJ7LSEO.js";
 
 // src/middleware/mcp-auth.ts
 import { createHash } from "crypto";
@@ -170,10 +170,13 @@ async function validateOAuthAccessToken(token, prisma) {
     email: accessToken.tenant.email,
     // No apiKeyId for OAuth tokens
     defaultShop,
-    allowedShops
+    allowedShops,
+    // OAuth client attribution (Story 16.2, AC-16.2.10)
+    oauthClientId: accessToken.client?.id,
+    oauthClientName: accessToken.client?.clientName
   };
   log.debug(
-    `[mcp-auth] OAuth access token validated for tenant: ${accessToken.tenantId.substring(0, 8)}...`
+    `[mcp-auth] OAuth access token validated for tenant: ${accessToken.tenantId.substring(0, 8)}... (client: ${accessToken.client?.clientName || "unknown"})`
   );
   return {
     valid: true,