@atoms-tech/atoms-mcp 0.3.0 → 0.3.2

package/dist/auth/login.js

@@ -1,413 +0,0 @@
-/**
- * OAuth 2.1 PKCE login flow for the MCP CLI.
- *
- * Flow:
- * 1. Generate PKCE code_verifier + code_challenge
- * 2. Start HTTP server on localhost:19275
- * 3. Open browser to x.atoms.tech/auth/mcp-login (or Supabase auth directly)
- * 4. User authenticates → redirect to localhost with tokens
- * 5. Store tokens in ~/.atoms/credentials.json
- */
-import { createServer } from "node:http";
-import { randomBytes, createHash } from "node:crypto";
-import { URL } from "node:url";
-import { writeCredentials } from "./token-store.js";
-import { ATOMS_SUPABASE_URL, ATOMS_SUPABASE_ANON_KEY, ATOMS_APP_URL } from "../config.js";
-const CALLBACK_PORT = 19275;
-const CALLBACK_PATH = "/callback";
-/**
- * Run the interactive login flow.
- * Opens browser, waits for callback, stores tokens.
- *
- * Uses OAuth 2.1 PKCE flow with hosted consent page:
- * 1. Open browser to ATOMS consent page with code_challenge
- * 2. User reviews permissions and clicks "Authorize"
- * 3. Consent page redirects to Supabase OAuth with PKCE params
- * 4. Supabase returns authorization code to localhost callback
- * 5. Exchange code + code_verifier for session tokens
- */
-export async function login() {
-    // Generate PKCE challenge
-    const codeVerifier = randomBytes(32).toString("base64url");
-    const codeChallenge = createHash("sha256")
-        .update(codeVerifier)
-        .digest("base64url");
-    const redirectTo = `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`;
-    // Build consent page URL — hosted on ATOMS web app
-    const authUrl = new URL(`${ATOMS_APP_URL}/auth/mcp-consent`);
-    authUrl.searchParams.set("redirect_uri", redirectTo);
-    authUrl.searchParams.set("code_challenge", codeChallenge);
-    authUrl.searchParams.set("code_challenge_method", "S256");
-    return new Promise((resolve, reject) => {
-        const server = createServer(async (req, res) => {
-            const url = new URL(req.url ?? "/", `http://localhost:${CALLBACK_PORT}`);
-            if (url.pathname !== CALLBACK_PATH) {
-                res.writeHead(404);
-                res.end("Not found");
-                return;
-            }
-            try {
-                // Check for user cancellation from consent page
-                const error = url.searchParams.get("error");
-                if (error === "access_denied") {
-                    res.writeHead(200, { "Content-Type": "text/html" });
-                    res.end(failurePage("Authorization was cancelled."));
-                    server.close();
-                    reject(new Error("Authorization cancelled by user."));
-                    return;
-                }
-                // PKCE flow: Supabase redirects with ?code=xxx in query params
-                const code = url.searchParams.get("code");
-                if (code) {
-                    // Exchange authorization code + code_verifier for tokens via REST API
-                    const tokenRes = await fetch(`${ATOMS_SUPABASE_URL}/auth/v1/token?grant_type=pkce`, {
-                        method: "POST",
-                        headers: {
-                            "Content-Type": "application/json",
-                            "apikey": ATOMS_SUPABASE_ANON_KEY,
-                        },
-                        body: JSON.stringify({
-                            auth_code: code,
-                            code_verifier: codeVerifier,
-                        }),
-                    });
-                    const tokenData = await tokenRes.json();
-                    if (!tokenRes.ok || !tokenData.access_token) {
-                        const errMsg = tokenData.error_description ?? tokenData.msg ?? "Unknown error";
-                        res.writeHead(200, { "Content-Type": "text/html" });
-                        res.end(failurePage(`Code exchange failed: ${errMsg}`));
-                        server.close();
-                        reject(new Error(`Code exchange failed: ${errMsg}`));
-                        return;
-                    }
-                    // Decode JWT to get email
-                    let email = "authenticated";
-                    try {
-                        const payload = JSON.parse(Buffer.from(tokenData.access_token.split(".")[1], "base64").toString());
-                        email = payload.email ?? email;
-                    }
-                    catch { /* ignore decode errors */ }
-                    // Verify user has an ATOMS account (belongs to at least one org)
-                    const { createClient } = await import("@supabase/supabase-js");
-                    const verifyClient = createClient(ATOMS_SUPABASE_URL, ATOMS_SUPABASE_ANON_KEY, {
-                        global: {
-                            headers: { Authorization: `Bearer ${tokenData.access_token}` },
-                        },
-                    });
-                    const { data: memberships, error: memErr } = await verifyClient
-                        .from("org_members")
-                        .select("org_id")
-                        .limit(1);
-                    if (memErr || !memberships || memberships.length === 0) {
-                        // User authenticated with Google but has no ATOMS account
-                        res.writeHead(200, { "Content-Type": "text/html" });
-                        res.end(failurePage("No ATOMS account found for this Google account.<br><br>" +
-                            "Please sign up at <a href=\"https://x.atoms.tech\">x.atoms.tech</a> first, " +
-                            "then run this login command again."));
-                        server.close();
-                        reject(new Error("No ATOMS account found. Sign up at x.atoms.tech first."));
-                        return;
-                    }
-                    await writeCredentials({
-                        access_token: tokenData.access_token,
-                        refresh_token: tokenData.refresh_token,
-                        expires_at: Date.now() + (tokenData.expires_in ?? 3600) * 1000,
-                        user_email: email,
-                    });
-                    res.writeHead(200, { "Content-Type": "text/html" });
-                    res.end(successPage(email));
-                    server.close();
-                    resolve({ email });
-                    return;
-                }
-                // Fallback: check for tokens in hash fragment via extractor page
-                const accessToken = url.searchParams.get("access_token");
-                const refreshToken = url.searchParams.get("refresh_token");
-                const expiresIn = parseInt(url.searchParams.get("expires_in") ?? "3600", 10);
-                if (accessToken && refreshToken) {
-                    await writeCredentials({
-                        access_token: accessToken,
-                        refresh_token: refreshToken,
-                        expires_at: Date.now() + expiresIn * 1000,
-                    });
-                    res.writeHead(200, { "Content-Type": "text/html" });
-                    res.end(successPage("authenticated"));
-                    server.close();
-                    resolve({ email: "authenticated" });
-                }
-                else {
-                    // Serve a page that extracts hash fragment and POSTs back
-                    res.writeHead(200, { "Content-Type": "text/html" });
-                    res.end(extractorPage());
-                }
-            }
-            catch (err) {
-                res.writeHead(500);
-                res.end("Authentication failed");
-                server.close();
-                reject(err);
-            }
-        });
-        // Handle POST from the extractor page (hash fragment fallback)
-        server.on("request", async (req, res) => {
-            if (req.method === "POST" && req.url === "/token") {
-                let body = "";
-                req.on("data", (chunk) => { body += chunk.toString(); });
-                req.on("end", async () => {
-                    try {
-                        const data = JSON.parse(body);
-                        await writeCredentials({
-                            access_token: data.access_token,
-                            refresh_token: data.refresh_token,
-                            expires_at: Date.now() + (data.expires_in ?? 3600) * 1000,
-                            user_email: data.user_email,
-                        });
-                        res.writeHead(200, { "Content-Type": "application/json" });
-                        res.end(JSON.stringify({ ok: true }));
-                        server.close();
-                        resolve({ email: data.user_email ?? "authenticated" });
-                    }
-                    catch (err) {
-                        res.writeHead(500);
-                        res.end("Failed to store credentials");
-                        server.close();
-                        reject(err);
-                    }
-                });
-            }
-        });
-        server.listen(CALLBACK_PORT, "127.0.0.1", async () => {
-            process.stderr.write(`\nOpening browser for ATOMS login...\n`);
-            process.stderr.write(`If the browser doesn't open, visit:\n${authUrl.toString()}\n\n`);
-            try {
-                const { default: openBrowser } = await import("open");
-                await openBrowser(authUrl.toString());
-            }
-            catch {
-                process.stderr.write("Could not open browser automatically. Please open the URL above.\n");
-            }
-        });
-        // Timeout after 5 minutes
-        setTimeout(() => {
-            server.close();
-            reject(new Error("Login timed out after 5 minutes"));
-        }, 5 * 60_000);
-    });
-}
-function extractorPage() {
-    return `<!DOCTYPE html>
-<html>
-<head><title>ATOMS MCP Login</title></head>
-<body>
-  <h1>Completing login...</h1>
-  <script>
-    const hash = window.location.hash.substring(1);
-    const params = new URLSearchParams(hash);
-    const data = {
-      access_token: params.get('access_token'),
-      refresh_token: params.get('refresh_token'),
-      expires_in: params.get('expires_in'),
-      user_email: ''
-    };
-    if (data.access_token) {
-      // Decode JWT to get email
-      try {
-        const payload = JSON.parse(atob(data.access_token.split('.')[1]));
-        data.user_email = payload.email || '';
-      } catch(e) {}
-      fetch('/token', {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify(data)
-      }).then(() => {
-        document.body.innerHTML = '<h1>Login successful! You can close this tab.</h1>';
-      }).catch(() => {
-        document.body.innerHTML = '<h1>Login failed. Please try again.</h1>';
-      });
-    } else {
-      document.body.innerHTML = '<h1>Login failed — no tokens received.</h1>';
-    }
-  </script>
-</body>
-</html>`;
-}
-function successPage(email) {
-    return `<!DOCTYPE html>
-<html>
-<head>
-  <title>ATOMS MCP — Authorized</title>
-  <style>
-    * { margin: 0; padding: 0; box-sizing: border-box; }
-    body {
-      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', system-ui, sans-serif;
-      background: #0a0a0a;
-      color: #fafafa;
-      display: flex;
-      align-items: center;
-      justify-content: center;
-      min-height: 100vh;
-    }
-    .card {
-      background: #171717;
-      border: 1px solid #262626;
-      border-radius: 16px;
-      padding: 48px;
-      max-width: 480px;
-      width: 100%;
-      text-align: center;
-    }
-    .icon {
-      width: 56px;
-      height: 56px;
-      background: #052e16;
-      border-radius: 50%;
-      display: flex;
-      align-items: center;
-      justify-content: center;
-      margin: 0 auto 24px;
-    }
-    .icon svg { width: 28px; height: 28px; }
-    h1 {
-      font-size: 22px;
-      font-weight: 600;
-      margin-bottom: 8px;
-      color: #22c55e;
-    }
-    .email {
-      font-size: 14px;
-      color: #a3a3a3;
-      margin-bottom: 32px;
-    }
-    .permissions {
-      text-align: left;
-      background: #0a0a0a;
-      border: 1px solid #262626;
-      border-radius: 12px;
-      padding: 20px;
-      margin-bottom: 24px;
-    }
-    .permissions h3 {
-      font-size: 12px;
-      font-weight: 600;
-      color: #737373;
-      text-transform: uppercase;
-      letter-spacing: 0.05em;
-      margin-bottom: 12px;
-    }
-    .perm-item {
-      display: flex;
-      align-items: center;
-      gap: 10px;
-      padding: 6px 0;
-      font-size: 14px;
-      color: #d4d4d4;
-    }
-    .perm-item .dot {
-      width: 6px;
-      height: 6px;
-      background: #22c55e;
-      border-radius: 50%;
-      flex-shrink: 0;
-    }
-    .closing {
-      font-size: 13px;
-      color: #525252;
-    }
-    .closing span { color: #a3a3a3; font-variant-numeric: tabular-nums; }
-  </style>
-</head>
-<body>
-  <div class="card">
-    <div class="icon">
-      <svg fill="none" viewBox="0 0 24 24" stroke="#22c55e" stroke-width="2.5">
-        <path stroke-linecap="round" stroke-linejoin="round" d="M5 13l4 4L19 7"/>
-      </svg>
-    </div>
-    <h1>Authorization Granted</h1>
-    <p class="email">${email}</p>
-
-    <div class="permissions">
-      <h3>ATOMS MCP can now</h3>
-      <div class="perm-item"><span class="dot"></span> Read your projects and requirements</div>
-      <div class="perm-item"><span class="dot"></span> Create and edit requirements and test cases</div>
-      <div class="perm-item"><span class="dot"></span> Record test results (pass/fail)</div>
-      <div class="perm-item"><span class="dot"></span> Manage traceability relationships</div>
-      <div class="perm-item"><span class="dot"></span> Export coverage reports and diagrams</div>
-    </div>
-
-    <p class="closing">This tab will close in <span id="countdown">5</span>s</p>
-  </div>
-
-  <script>
-    let seconds = 5;
-    const el = document.getElementById('countdown');
-    const timer = setInterval(() => {
-      seconds--;
-      el.textContent = seconds;
-      if (seconds <= 0) {
-        clearInterval(timer);
-        window.close();
-        // If window.close() is blocked (not opened by script), update message
-        setTimeout(() => {
-          document.querySelector('.closing').textContent = 'You can close this tab now.';
-        }, 500);
-      }
-    }, 1000);
-  </script>
-</body>
-</html>`;
-}
-function failurePage(reason) {
-    return `<!DOCTYPE html>
-<html>
-<head>
-  <title>ATOMS MCP — Failed</title>
-  <style>
-    * { margin: 0; padding: 0; box-sizing: border-box; }
-    body {
-      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', system-ui, sans-serif;
-      background: #0a0a0a;
-      color: #fafafa;
-      display: flex;
-      align-items: center;
-      justify-content: center;
-      min-height: 100vh;
-    }
-    .card {
-      background: #171717;
-      border: 1px solid #262626;
-      border-radius: 16px;
-      padding: 48px;
-      max-width: 480px;
-      width: 100%;
-      text-align: center;
-    }
-    .icon {
-      width: 56px;
-      height: 56px;
-      background: #450a0a;
-      border-radius: 50%;
-      display: flex;
-      align-items: center;
-      justify-content: center;
-      margin: 0 auto 24px;
-    }
-    .icon svg { width: 28px; height: 28px; }
-    h1 { font-size: 22px; font-weight: 600; margin-bottom: 16px; color: #ef4444; }
-    .reason { font-size: 14px; color: #a3a3a3; line-height: 1.6; }
-    .reason a { color: #7c3aed; text-decoration: underline; }
-  </style>
-</head>
-<body>
-  <div class="card">
-    <div class="icon">
-      <svg fill="none" viewBox="0 0 24 24" stroke="#ef4444" stroke-width="2.5">
-        <path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12"/>
-      </svg>
-    </div>
-    <h1>Authorization Failed</h1>
-    <p class="reason">${reason}</p>
-  </div>
-</body>
-</html>`;
-}

package/dist/auth/refresh.d.ts

@@ -1,16 +0,0 @@
-/**
- * JWT refresh logic for MCP server startup.
- *
- * On each MCP session start, we check if the access_token is expired
- * and use the refresh_token to get a new one from Supabase.
- */
-/**
- * Get a valid access token, refreshing if needed.
- * Returns { access_token, user_id, email } or throws.
- */
-export declare function getValidToken(): Promise<{
-    access_token: string;
-    refresh_token: string;
-    user_id: string;
-    email: string;
-}>;

package/dist/auth/refresh.js

@@ -1,81 +0,0 @@
-/**
- * JWT refresh logic for MCP server startup.
- *
- * On each MCP session start, we check if the access_token is expired
- * and use the refresh_token to get a new one from Supabase.
- */
-import { createClient } from "@supabase/supabase-js";
-import { readCredentials, writeCredentials } from "./token-store.js";
-import { ATOMS_SUPABASE_URL, ATOMS_SUPABASE_ANON_KEY } from "../config.js";
-/**
- * Get a valid access token, refreshing if needed.
- * Returns { access_token, user_id, email } or throws.
- */
-export async function getValidToken() {
-    // Priority 1: Environment variable (for CI/CD, headless)
-    const envToken = process.env.ATOMS_ACCESS_TOKEN;
-    if (envToken) {
-        const payload = decodeJwtPayload(envToken);
-        return {
-            access_token: envToken,
-            refresh_token: "",
-            user_id: payload.sub,
-            email: payload.email ?? "",
-        };
-    }
-    // Priority 2: Stored credentials
-    const creds = await readCredentials();
-    if (!creds) {
-        throw new Error("Not authenticated. Run 'npx @atoms-tech/atoms-mcp login' to connect your ATOMS account.");
-    }
-    // Check if token is still valid (with 60s buffer)
-    if (creds.expires_at > Date.now() + 60_000) {
-        const payload = decodeJwtPayload(creds.access_token);
-        return {
-            access_token: creds.access_token,
-            refresh_token: creds.refresh_token,
-            user_id: payload.sub,
-            email: payload.email ?? creds.user_email ?? "",
-        };
-    }
-    // Token expired — refresh it
-    process.stderr.write("[atoms-mcp] Refreshing access token...\n");
-    const supabase = createClient(ATOMS_SUPABASE_URL, ATOMS_SUPABASE_ANON_KEY);
-    const { data, error } = await supabase.auth.refreshSession({
-        refresh_token: creds.refresh_token,
-    });
-    if (error || !data.session) {
-        throw new Error(`Token refresh failed: ${error?.message ?? "No session returned"}. ` +
-            "Re-run 'npx @atoms-tech/atoms-mcp login'.");
-    }
-    const session = data.session;
-    // Update stored credentials
-    await writeCredentials({
-        access_token: session.access_token,
-        refresh_token: session.refresh_token,
-        expires_at: Date.now() + (session.expires_in ?? 3600) * 1000,
-        user_email: session.user?.email,
-    });
-    return {
-        access_token: session.access_token,
-        refresh_token: session.refresh_token,
-        user_id: session.user?.id ?? "",
-        email: session.user?.email ?? "",
-    };
-}
-/**
- * Decode JWT payload without verification (Supabase already verified it).
- */
-function decodeJwtPayload(jwt) {
-    const parts = jwt.split(".");
-    if (parts.length !== 3)
-        throw new Error("Invalid JWT format");
-    const padded = parts[1]
-        .replace(/-/g, "+")
-        .replace(/_/g, "/")
-        .padEnd(parts[1].length + ((4 - (parts[1].length % 4)) % 4), "=");
-    const payload = JSON.parse(Buffer.from(padded, "base64").toString("utf-8"));
-    if (!payload.sub)
-        throw new Error("JWT missing 'sub' claim");
-    return payload;
-}

package/dist/auth/token-store.d.ts

@@ -1,33 +0,0 @@
-/**
- * Token storage for MCP auth credentials.
- *
- * Stores access_token + refresh_token in ~/.atoms/credentials.json
- * with file permissions 0600 (owner read/write only).
- */
-export interface StoredCredentials {
-    access_token: string;
-    refresh_token: string;
-    expires_at: number;
-    user_email?: string;
-    supabase_url?: string;
-}
-/**
- * Read stored credentials. Returns null if not found or invalid.
- */
-export declare function readCredentials(): Promise<StoredCredentials | null>;
-/**
- * Write credentials to disk with secure permissions.
- */
-export declare function writeCredentials(creds: StoredCredentials): Promise<void>;
-/**
- * Check if stored credentials exist and are not expired.
- */
-export declare function hasValidCredentials(): Promise<boolean>;
-/**
- * Delete stored credentials (logout).
- */
-export declare function clearCredentials(): Promise<void>;
-/**
- * Get the credentials file path (for user-facing messages).
- */
-export declare function getCredentialsPath(): string;

package/dist/auth/token-store.js

@@ -1,60 +0,0 @@
-/**
- * Token storage for MCP auth credentials.
- *
- * Stores access_token + refresh_token in ~/.atoms/credentials.json
- * with file permissions 0600 (owner read/write only).
- */
-import { readFile, writeFile, mkdir, unlink } from "node:fs/promises";
-import { homedir } from "node:os";
-import { join } from "node:path";
-const ATOMS_DIR = join(homedir(), ".atoms");
-const CREDENTIALS_FILE = join(ATOMS_DIR, "credentials.json");
-/**
- * Read stored credentials. Returns null if not found or invalid.
- */
-export async function readCredentials() {
-    try {
-        const content = await readFile(CREDENTIALS_FILE, "utf-8");
-        const creds = JSON.parse(content);
-        if (!creds.access_token || !creds.refresh_token)
-            return null;
-        return creds;
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Write credentials to disk with secure permissions.
- */
-export async function writeCredentials(creds) {
-    await mkdir(ATOMS_DIR, { recursive: true, mode: 0o700 });
-    await writeFile(CREDENTIALS_FILE, JSON.stringify(creds, null, 2), { mode: 0o600 });
-}
-/**
- * Check if stored credentials exist and are not expired.
- */
-export async function hasValidCredentials() {
-    const creds = await readCredentials();
-    if (!creds)
-        return false;
-    // Consider expired if less than 60 seconds remaining
-    return creds.expires_at > Date.now() + 60_000;
-}
-/**
- * Delete stored credentials (logout).
- */
-export async function clearCredentials() {
-    try {
-        await unlink(CREDENTIALS_FILE);
-    }
-    catch {
-        // File doesn't exist — already logged out
-    }
-}
-/**
- * Get the credentials file path (for user-facing messages).
- */
-export function getCredentialsPath() {
-    return CREDENTIALS_FILE;
-}

package/dist/config.d.ts

@@ -1,18 +0,0 @@
-/**
- * ATOMS MCP Server — Public client configuration.
- *
- * These are PUBLISHABLE values — identical to the ones embedded in the
- * ATOMS.tech React frontend bundle (NEXT_PUBLIC_SUPABASE_*).
- *
- * The anon key is NOT a secret. It only grants access to Supabase's API
- * gateway. All data access is gated by Row Level Security (RLS) policies
- * which require a valid user JWT. Without authentication, these values
- * grant zero data access.
- *
- * This is the standard pattern used by Supabase, Firebase, and Clerk
- * for client-side applications.
- */
-export declare const ATOMS_SUPABASE_URL = "https://gmebjyhomsbvhrxffzre.supabase.co";
-export declare const ATOMS_SUPABASE_ANON_KEY = "sb_publishable_b49MUAB8XCrQiF7x5b9lUA_w1aplSBH";
-/** ATOMS web app URL — hosts the MCP consent page */
-export declare const ATOMS_APP_URL: string;

package/dist/config.js

@@ -1,18 +0,0 @@
-/**
- * ATOMS MCP Server — Public client configuration.
- *
- * These are PUBLISHABLE values — identical to the ones embedded in the
- * ATOMS.tech React frontend bundle (NEXT_PUBLIC_SUPABASE_*).
- *
- * The anon key is NOT a secret. It only grants access to Supabase's API
- * gateway. All data access is gated by Row Level Security (RLS) policies
- * which require a valid user JWT. Without authentication, these values
- * grant zero data access.
- *
- * This is the standard pattern used by Supabase, Firebase, and Clerk
- * for client-side applications.
- */
-export const ATOMS_SUPABASE_URL = "https://gmebjyhomsbvhrxffzre.supabase.co";
-export const ATOMS_SUPABASE_ANON_KEY = "sb_publishable_b49MUAB8XCrQiF7x5b9lUA_w1aplSBH";
-/** ATOMS web app URL — hosts the MCP consent page */
-export const ATOMS_APP_URL = process.env.ATOMS_APP_URL ?? "https://x.atoms.tech";

package/dist/db/client.d.ts

@@ -1,29 +0,0 @@
-/**
- * Supabase client factory for the MCP server.
- *
- * Creates a user-scoped client with JWT — RLS enforced automatically.
- * Never uses service role key (all queries respect user permissions).
- */
-import { type SupabaseClient } from "@supabase/supabase-js";
-/**
- * Get or create an authenticated Supabase client.
- * Auto-refreshes JWT when expired. All queries run with user's RLS permissions.
- */
-export declare function getClient(): Promise<SupabaseClient>;
-/**
- * Get the authenticated user's ID. Must call getClient() first.
- */
-export declare function getUserId(): string;
-/**
- * Get the authenticated user's email.
- */
-export declare function getUserEmail(): string;
-/**
- * Reset the cached client (for token refresh).
- */
-export declare function resetClient(): void;
-/**
- * Check if the user has write access to a project.
- * Returns the user's org role, or throws a descriptive error.
- */
-export declare function requireWriteAccess(client: SupabaseClient, projectId: string): Promise<string>;