@ateam-ai/mcp 0.3.29 → 0.3.31

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ateam-ai/mcp",
-  "version": "0.3.29",
+  "version": "0.3.31",
   "mcpName": "io.github.ariekogan/ateam-mcp",
   "description": "A-Team MCP Server — build, validate, and deploy multi-agent solutions from any AI environment",
   "type": "module",

package/src/api.js

@@ -65,9 +65,20 @@ export function setSessionCredentials(sessionId, { tenant, apiKey, apiUrl, expli
     const parsed = parseApiKey(apiKey);
     if (parsed.tenant) resolvedTenant = parsed.tenant;
   }
+  // Fail loudly — silent fallback to "main" previously let malformed API keys
+  // or missing tenant args silently pivot all operations onto the wrong tenant.
+  // Matches the pattern we killed in ADAS connectors (memory-mcp, docs-index-mcp,
+  // nutrition-mcp) — `|| "default"` was the #1 source of cross-tenant leaks.
+  if (!resolvedTenant) {
+    throw new Error(
+      `setSessionCredentials: tenant could not be resolved for session ${sessionId} ` +
+      `(tenant arg ${tenant ? "present" : "missing"}, apiKey ${apiKey ? "present but malformed (expected adas_<tenant>_<hex>)" : "absent"}). ` +
+      `Refusing to fall back to a default tenant.`
+    );
+  }
   const existing = sessions.get(sessionId);
   sessions.set(sessionId, {
-    tenant: resolvedTenant || "main",
+    tenant: resolvedTenant,
     apiKey,
     apiUrl: apiUrl || existing?.apiUrl || null,
     authExplicit: explicit || existing?.authExplicit || false,
@@ -77,7 +88,7 @@ export function setSessionCredentials(sessionId, { tenant, apiKey, apiUrl, expli
   });
   const urlNote = apiUrl ? `, url: ${apiUrl}` : "";
   const masterNote = masterKey ? ", MASTER MODE" : "";
-  console.log(`[Auth] Credentials set for session ${sessionId} (tenant: ${resolvedTenant || "main"}${explicit ? ", explicit" : ""}${urlNote}${masterNote})`);
+  console.log(`[Auth] Credentials set for session ${sessionId} (tenant: ${resolvedTenant}${explicit ? ", explicit" : ""}${urlNote}${masterNote})`);
 }
 
 /**
@@ -121,7 +132,18 @@ export function getCredentials(sessionId) {
     const parsed = parseApiKey(apiKey);
     if (parsed.tenant) tenant = parsed.tenant;
   }
-  return { tenant: tenant || "main", apiKey };
+  // If apiKey is present but tenant couldn't be derived, the key is malformed.
+  // Previously fell back to "main" — this silently routed credentials to the
+  // wrong tenant. Now we fail loudly.
+  if (apiKey && !tenant) {
+    throw new Error(
+      `getCredentials: apiKey is present (env ADAS_API_KEY) but tenant could not be resolved ` +
+      `(missing ADAS_TENANT env and apiKey is malformed — expected format adas_<tenant>_<hex>). ` +
+      `Refusing to fall back to a default tenant.`
+    );
+  }
+  // No apiKey at all = unauthenticated; return nulls (callers check apiKey.length).
+  return { tenant: tenant || null, apiKey };
 }
 
 /**
@@ -186,7 +208,7 @@ export function clearSession(sessionId) {
 /** Bind a session to its OAuth bearer token. Called from seedCredentials. */
 export function bindSessionBearer(sessionId, bearerToken) {
   sessionBearers.set(sessionId, bearerToken);
-  console.log(`[Auth] Bearer bound for session ${sessionId} (bearer: ${bearerToken.substring(0, 25)}...)`);
+  console.log(`[Auth] Bearer bound for session ${sessionId}`);
 }
 
 /** Store ateam_auth override for this user (by bearer). Called from tools.js. */
@@ -300,11 +322,20 @@ export function getSessionStats() {
 function headers(sessionId) {
   const session = sessionId ? sessions.get(sessionId) : null;
 
-  // Master mode: use shared secret auth (x-adas-token) instead of API key
+  // Master mode: use shared secret auth (x-adas-token) instead of API key.
+  // A master-mode session MUST have an active tenant (set via ateam_auth or
+  // switchTenant). Silent fallback to "main" previously masked configuration
+  // bugs and could pivot a master-key caller onto the wrong tenant.
   if (session?.masterKey) {
+    if (!session.tenant) {
+      throw new Error(
+        `headers: master-mode session ${sessionId} has no active tenant — ` +
+        `caller must select a tenant via ateam_auth or switchTenant before making requests.`
+      );
+    }
     const h = { "Content-Type": "application/json" };
     h["x-adas-token"] = session.masterKey;
-    h["X-ADAS-TENANT"] = session.tenant || "main";
+    h["X-ADAS-TENANT"] = session.tenant;
     return h;
   }
 

package/src/http.js

@@ -36,10 +36,19 @@ const transports = {};
 // MCP paths — Claude.ai uses "/" (connector URL), others may use "/mcp"
 const MCP_PATHS = ["/", "/mcp"];
 
-// Recently exchanged tokens — for auto-injection into MCP requests.
-// Key: token string, Value: { token, createdAt }
-const recentTokens = new Map();
-const TOKEN_TTL = 60 * 60 * 1000; // 60 minutes
+// Recently exchanged OAuth tokens — for auto-injection into MCP requests that
+// follow the /token exchange within the same user's OAuth→MCP handshake window.
+//
+// ⚠️ SECURITY: This cache is scoped by CLIENT IP. A previous version keyed by
+// token value and used `getNewestToken()` for injection — in multi-user HTTP
+// mode (e.g., mcp.ateam-ai.com), that caused cross-user auth bypass: if User A
+// completed OAuth and then User B sent an unauth'd MCP request, User B was
+// injected with User A's token. IP-scoping prevents that: injection only
+// happens for the same client IP that completed the token exchange.
+//
+// Key: client IP string, Value: { token, createdAt }
+const recentTokensByIp = new Map();
+const TOKEN_TTL = 5 * 60 * 1000; // 5 minutes — OAuth→MCP handshake window only
 
 export function startHttpServer(port = 3100) {
   const app = express();
@@ -50,7 +59,7 @@ export function startHttpServer(port = 3100) {
     const url = req.originalUrl || req.url;
     const start = Date.now();
     const auth = req.headers.authorization;
-    console.log(`[HTTP] >>> ${req.method} ${url}${auth ? ` Auth: ${auth.substring(0, 30)}...` : ""}${MCP_PATHS.includes(url.split("?")[0]) ? ` Accept: ${req.headers.accept || "(none)"}` : ""}`);
+    console.log(`[HTTP] >>> ${req.method} ${url}${auth ? " Auth: [Bearer ...]" : ""}${MCP_PATHS.includes(url.split("?")[0]) ? ` Accept: ${req.headers.accept || "(none)"}` : ""}`);
     res.on("finish", () => {
       console.log(`[HTTP] <<< ${req.method} ${url} → ${res.statusCode} (${Date.now() - start}ms)`);
     });
@@ -103,14 +112,17 @@ export function startHttpServer(port = 3100) {
       const origJson = res.json.bind(res);
       res.json = (data) => {
         if (data && data.access_token && res.statusCode >= 200 && res.statusCode < 300) {
-          recentTokens.set(data.access_token, {
+          // IP-scoped cache: only the same client IP can consume this token
+          // via auto-injection. Prevents cross-user token leakage in shared HTTP mode.
+          const ip = req.ip || "unknown";
+          recentTokensByIp.set(ip, {
             token: data.access_token,
             createdAt: Date.now(),
           });
-          console.log(`[Auth] Cached token from /token response (${recentTokens.size} active)`);
+          console.log(`[Auth] Cached OAuth token for ip=${ip} (${recentTokensByIp.size} active IPs)`);
           // Prune expired
-          for (const [k, v] of recentTokens) {
-            if (Date.now() - v.createdAt > TOKEN_TTL) recentTokens.delete(k);
+          for (const [k, v] of recentTokensByIp) {
+            if (Date.now() - v.createdAt > TOKEN_TTL) recentTokensByIp.delete(k);
           }
         }
         return origJson(data);
@@ -127,21 +139,27 @@ export function startHttpServer(port = 3100) {
   }
 
   // ─── Token auto-injection middleware ────────────────────────────
-  // If a request has no Authorization header but we have a recently
-  // exchanged token, inject it. Simple cache lookup — never blocks.
+  // If a request has no Authorization header, check if THIS CLIENT IP recently
+  // completed /token exchange. If so, inject that IP's cached token. Prevents
+  // cross-user token leakage (fix for mcp-audit finding #1, round 009).
   const autoInjectToken = (req, _res, next) => {
     if (req.headers.authorization) return next();
-    const token = getNewestToken();
-    if (token) {
-      req.headers.authorization = `Bearer ${token}`;
-      const idx = req.rawHeaders.findIndex((h) => h.toLowerCase() === "authorization");
-      if (idx !== -1) {
-        req.rawHeaders[idx + 1] = `Bearer ${token}`;
-      } else {
-        req.rawHeaders.push("Authorization", `Bearer ${token}`);
-      }
-      console.log(`[Auth] Auto-injected token into ${req.method} ${req.originalUrl || req.url}`);
+    const ip = req.ip || "unknown";
+    const entry = recentTokensByIp.get(ip);
+    if (!entry) return next();
+    if (Date.now() - entry.createdAt > TOKEN_TTL) {
+      recentTokensByIp.delete(ip);
+      return next();
+    }
+    const token = entry.token;
+    req.headers.authorization = `Bearer ${token}`;
+    const idx = req.rawHeaders.findIndex((h) => h.toLowerCase() === "authorization");
+    if (idx !== -1) {
+      req.rawHeaders[idx + 1] = `Bearer ${token}`;
+    } else {
+      req.rawHeaders.push("Authorization", `Bearer ${token}`);
     }
+    console.log(`[Auth] Auto-injected IP-scoped token for ip=${ip} into ${req.method} ${req.originalUrl || req.url}`);
     next();
   };
 
@@ -358,15 +376,10 @@ export function startHttpServer(port = 3100) {
   });
 }
 
-/** Returns the most recently issued non-expired token, or null. */
-function getNewestToken() {
-  let newest = null;
-  for (const [, entry] of recentTokens) {
-    if (Date.now() - entry.createdAt > TOKEN_TTL) continue;
-    if (!newest || entry.createdAt > newest.createdAt) newest = entry;
-  }
-  return newest?.token || null;
-}
+// getNewestToken() removed — replaced by IP-scoped lookup in autoInjectToken.
+// Global "newest token" injection caused cross-user auth bypass in multi-user
+// HTTP deployments. IP scoping restores the intended semantics (same browser
+// that completed OAuth gets its token injected on the follow-up MCP request).
 
 /**
  * Seed session credentials from the OAuth bearer token.

package/src/stub.js

@@ -68,7 +68,7 @@ class StubOAuthProvider {
   async challengeForAuthorizationCode(_client, code) {
     const entry = this.codes.get(code);
     console.log(
-      `[Stub] challengeForAuthorizationCode: code=${code?.substring(0, 8)}... found=${!!entry} codes=${this.codes.size}`
+      `[Stub] challengeForAuthorizationCode: found=${!!entry} codes=${this.codes.size}`
     );
     if (!entry) throw new Error("Invalid code");
     return entry.params.codeChallenge;
@@ -77,7 +77,7 @@ class StubOAuthProvider {
   async exchangeAuthorizationCode(client, code) {
     const entry = this.codes.get(code);
     console.log(
-      `[Stub] exchangeAuthorizationCode: code=${code?.substring(0, 8)}... found=${!!entry} client=${client?.client_id?.substring(0, 8)}...`
+      `[Stub] exchangeAuthorizationCode: found=${!!entry} clientId=${client?.client_id ? "[present]" : "[absent]"}`
     );
     if (!entry) throw new Error("Invalid code");
     this.codes.delete(code);
@@ -85,7 +85,7 @@ class StubOAuthProvider {
     const token = entry.token;
     this.tokens.set(token, { clientId: client.client_id });
 
-    console.log(`[Stub] Exchanged code for token: ${token.substring(0, 30)}...`);
+    console.log(`[Stub] Exchanged code for token: [redacted]`);
     return {
       access_token: token,
       refresh_token: `rt_${token}`,
@@ -127,7 +127,7 @@ app.set("trust proxy", 1);
 app.use((req, res, next) => {
   const url = req.originalUrl || req.url;
   const auth = req.headers.authorization;
-  console.log(`[Stub] >>> ${req.method} ${url}${auth ? ` Auth: ${auth.substring(0, 30)}...` : ""}`);
+  console.log(`[Stub] >>> ${req.method} ${url}${auth ? " Auth: [Bearer ...]" : ""}`);
   res.on("finish", () => {
     console.log(`[Stub] <<< ${req.method} ${url} → ${res.statusCode}`);
   });
@@ -147,7 +147,7 @@ function getNewestToken() {
   for (const [key, entry] of recentTokens) {
     const ageMs = now - entry.createdAt;
     if (ageMs > TOKEN_TTL) {
-      console.log(`[Stub] Token ${key.substring(0, 20)}... expired (age: ${Math.round(ageMs / 1000)}s)`);
+      console.log(`[Stub] A token expired (age: ${Math.round(ageMs / 1000)}s)`);
       continue;
     }
     if (!newest || entry.createdAt > newest.createdAt) newest = entry;
@@ -175,7 +175,7 @@ app.use("/token", (req, res, next) => {
         token: data.access_token,
         createdAt: Date.now(),
       });
-      console.log(`[Stub] ✅ Cached token from /token response (${recentTokens.size} active): ${data.access_token.substring(0, 25)}...`);
+      console.log(`[Stub] ✅ Cached token from /token response (${recentTokens.size} active)`);
       // Clean up old tokens
       for (const [k, v] of recentTokens) {
         if (Date.now() - v.createdAt > TOKEN_TTL) recentTokens.delete(k);
@@ -195,7 +195,7 @@ app.use("/token", (req, res, next) => {
             token: data.access_token,
             createdAt: Date.now(),
           });
-          console.log(`[Stub] ✅ Cached token from /token send (${recentTokens.size} active): ${data.access_token.substring(0, 25)}...`);
+          console.log(`[Stub] ✅ Cached token from /token send (${recentTokens.size} active)`);
         }
       } catch (_) {}
     }

package/src/tools.js

@@ -391,6 +391,26 @@ export const tools = [
       required: ["solution_id"],
     },
   },
+  {
+    name: "ateam_delete_skill",
+    core: true,
+    description:
+      "Delete a single skill from a deployed solution. Removes the skill from A-Team Core (kills the running MCP process, unregisters from skill registry, deletes from Mongo), removes the skill from solution.skills[] and solution.linked_skills, and deletes the skill's files from Builder FS. Use this to drop a skill without tearing down the whole solution.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        solution_id: {
+          type: "string",
+          description: "The solution ID (e.g. 'personal-adas')",
+        },
+        skill_id: {
+          type: "string",
+          description: "The skill ID to remove (e.g. 'linkedin-agent')",
+        },
+      },
+      required: ["solution_id", "skill_id"],
+    },
+  },
   {
     name: "ateam_delete_connector",
     core: true,
@@ -1148,6 +1168,7 @@ const TENANT_TOOLS = new Set([
   "ateam_update",
   "ateam_redeploy",
   "ateam_delete_solution",
+  "ateam_delete_skill",
   "ateam_delete_connector",
   "ateam_upload_connector",
   "ateam_solution_chat",
@@ -1387,11 +1408,19 @@ const handlers = {
     if (!api_key) {
       return { ok: false, message: "Provide either api_key or master_key." };
     }
-    // Auto-extract tenant from key if not provided
+    // Auto-extract tenant from key if not provided.
+    // Fail loudly if neither the explicit tenant arg nor a parseable apiKey
+    // yields a tenant — previously fell back to "main" silently.
     let resolvedTenant = tenant;
     if (!resolvedTenant) {
       const parsed = parseApiKey(api_key);
-      resolvedTenant = parsed.tenant || "main";
+      resolvedTenant = parsed.tenant;
+    }
+    if (!resolvedTenant) {
+      return {
+        ok: false,
+        message: `Could not resolve tenant from api_key (expected format: adas_<tenant>_<32hex>). Pass the "tenant" arg explicitly, or check that your API key is well-formed.`,
+      };
     }
     // Normalize URL: strip trailing slash
     const apiUrl = url ? url.replace(/\/+$/, "") : undefined;
@@ -2224,6 +2253,9 @@ const handlers = {
   ateam_delete_solution: async ({ solution_id }, sid) =>
     del(`/deploy/solutions/${solution_id}`, sid),
 
+  ateam_delete_skill: async ({ solution_id, skill_id }, sid) =>
+    del(`/deploy/solutions/${solution_id}/skills/${skill_id}`, sid),
+
   ateam_delete_connector: async ({ solution_id, connector_id }, sid) =>
     del(`/deploy/solutions/${solution_id}/connectors/${connector_id}`, sid),