@chaaskit/server 0.1.0

package/dist/mcp/server.js

@@ -0,0 +1,335 @@
+/**
+ * MCP Server Handler
+ *
+ * Implements JSON-RPC 2.0 MCP protocol for exposing this app's tools to external clients.
+ * Supports external MCP clients like Claude Desktop, MCP Inspector, etc.
+ */
+import { getAllNativeTools, executeNativeTool } from '../tools/index.js';
+import { getConfig } from '../config/loader.js';
+import { registry } from '../registry/index.js';
+// MCP Protocol error codes (from spec)
+const MCP_ERRORS = {
+    PARSE_ERROR: -32700,
+    INVALID_REQUEST: -32600,
+    METHOD_NOT_FOUND: -32601,
+    INVALID_PARAMS: -32602,
+    INTERNAL_ERROR: -32603,
+};
+/**
+ * Convert native tools to MCP tool format
+ */
+export function nativeToolsToMCPTools() {
+    const nativeTools = getAllNativeTools();
+    return nativeTools.map((tool) => ({
+        name: tool.name,
+        description: tool.description,
+        inputSchema: {
+            type: 'object',
+            properties: tool.inputSchema.properties,
+            required: tool.inputSchema.required,
+        },
+        _meta: tool._meta,
+    }));
+}
+/**
+ * Get all tools to expose via MCP based on config
+ */
+function getExposedTools() {
+    const config = getConfig();
+    const serverConfig = config.mcp?.server;
+    if (!serverConfig?.enabled) {
+        return [];
+    }
+    const exposeTools = serverConfig.exposeTools ?? 'native';
+    if (exposeTools === 'native') {
+        return nativeToolsToMCPTools();
+    }
+    if (exposeTools === 'all') {
+        // Get native tools + any extension-registered tools
+        return nativeToolsToMCPTools();
+    }
+    if (Array.isArray(exposeTools)) {
+        // Filter to specific tools by name
+        const allTools = nativeToolsToMCPTools();
+        return allTools.filter((tool) => exposeTools.includes(tool.name));
+    }
+    return nativeToolsToMCPTools();
+}
+/**
+ * Get MCP resources from registry (extension-provided)
+ */
+async function getMCPResources() {
+    const resourcesMap = registry.getAll('mcp-resource');
+    const resources = [];
+    for (const [, resource] of resourcesMap) {
+        resources.push({
+            uri: resource.uri,
+            name: resource.name,
+            description: resource.description,
+            mimeType: resource.mimeType,
+        });
+    }
+    return resources;
+}
+/**
+ * Read an MCP resource by URI
+ */
+async function readMCPResource(uri, context) {
+    const resourcesMap = registry.getAll('mcp-resource');
+    let foundResource = undefined;
+    for (const [, resource] of resourcesMap) {
+        if (resource.uri === uri) {
+            foundResource = resource;
+            break;
+        }
+    }
+    if (!foundResource) {
+        return null;
+    }
+    try {
+        return await foundResource.read({ userId: context.userId });
+    }
+    catch (error) {
+        console.error(`[MCP Server] Error reading resource ${uri}:`, error);
+        return null;
+    }
+}
+/**
+ * Handle MCP protocol methods
+ */
+export async function handleMCPRequest(request, context) {
+    const { id, method, params } = request;
+    try {
+        switch (method) {
+            case 'initialize':
+                return handleInitialize(id, params);
+            case 'ping':
+                return handlePing(id);
+            case 'tools/list':
+                return handleToolsList(id);
+            case 'tools/call':
+                return await handleToolsCall(id, params, context);
+            case 'resources/list':
+                return await handleResourcesList(id);
+            case 'resources/read':
+                return await handleResourcesRead(id, params, context);
+            case 'notifications/initialized':
+                // Client notification - no response needed
+                return { jsonrpc: '2.0', id: null, result: {} };
+            default:
+                return {
+                    jsonrpc: '2.0',
+                    id: id ?? null,
+                    error: {
+                        code: MCP_ERRORS.METHOD_NOT_FOUND,
+                        message: `Method not found: ${method}`,
+                    },
+                };
+        }
+    }
+    catch (error) {
+        console.error(`[MCP Server] Error handling ${method}:`, error);
+        return {
+            jsonrpc: '2.0',
+            id: id ?? null,
+            error: {
+                code: MCP_ERRORS.INTERNAL_ERROR,
+                message: error instanceof Error ? error.message : 'Internal error',
+            },
+        };
+    }
+}
+/**
+ * Handle initialize method
+ */
+function handleInitialize(id, params) {
+    const config = getConfig();
+    const appName = config.app?.name || 'Chat SaaS';
+    return {
+        jsonrpc: '2.0',
+        id: id ?? null,
+        result: {
+            protocolVersion: '2024-11-05',
+            serverInfo: {
+                name: appName,
+                version: '1.0.0',
+            },
+            capabilities: {
+                tools: {},
+                resources: {},
+            },
+        },
+    };
+}
+/**
+ * Handle ping method
+ */
+function handlePing(id) {
+    return {
+        jsonrpc: '2.0',
+        id: id ?? null,
+        result: {},
+    };
+}
+/**
+ * Handle tools/list method
+ */
+function handleToolsList(id) {
+    const tools = getExposedTools();
+    return {
+        jsonrpc: '2.0',
+        id: id ?? null,
+        result: {
+            tools: tools.map((tool) => ({
+                name: tool.name,
+                description: tool.description,
+                inputSchema: tool.inputSchema,
+                _meta: tool._meta,
+            })),
+        },
+    };
+}
+/**
+ * Handle tools/call method
+ */
+async function handleToolsCall(id, params, context) {
+    if (!params?.name || typeof params.name !== 'string') {
+        return {
+            jsonrpc: '2.0',
+            id: id ?? null,
+            error: {
+                code: MCP_ERRORS.INVALID_PARAMS,
+                message: 'Missing required parameter: name',
+            },
+        };
+    }
+    const toolName = params.name;
+    const args = params.arguments || {};
+    // Check if tool is exposed
+    const exposedTools = getExposedTools();
+    const tool = exposedTools.find((t) => t.name === toolName);
+    if (!tool) {
+        return {
+            jsonrpc: '2.0',
+            id: id ?? null,
+            error: {
+                code: MCP_ERRORS.INVALID_PARAMS,
+                message: `Tool not found: ${toolName}`,
+            },
+        };
+    }
+    console.log(`[MCP Server] Executing tool: ${toolName}`);
+    // Execute the native tool
+    const result = await executeNativeTool(toolName, args, {
+        userId: context.userId,
+        threadId: undefined,
+        agentId: undefined,
+    });
+    return {
+        jsonrpc: '2.0',
+        id: id ?? null,
+        result: {
+            content: result.content,
+            isError: result.isError,
+            structuredContent: result.structuredContent,
+        },
+    };
+}
+/**
+ * Handle resources/list method
+ */
+async function handleResourcesList(id) {
+    const resources = await getMCPResources();
+    return {
+        jsonrpc: '2.0',
+        id: id ?? null,
+        result: {
+            resources,
+        },
+    };
+}
+/**
+ * Handle resources/read method
+ */
+async function handleResourcesRead(id, params, context) {
+    if (!params?.uri || typeof params.uri !== 'string') {
+        return {
+            jsonrpc: '2.0',
+            id: id ?? null,
+            error: {
+                code: MCP_ERRORS.INVALID_PARAMS,
+                message: 'Missing required parameter: uri',
+            },
+        };
+    }
+    const uri = params.uri;
+    const result = await readMCPResource(uri, context);
+    if (!result) {
+        return {
+            jsonrpc: '2.0',
+            id: id ?? null,
+            error: {
+                code: MCP_ERRORS.INVALID_PARAMS,
+                message: `Resource not found: ${uri}`,
+            },
+        };
+    }
+    // Get resource metadata
+    const resources = await getMCPResources();
+    const resourceMeta = resources.find((r) => r.uri === uri);
+    return {
+        jsonrpc: '2.0',
+        id: id ?? null,
+        result: {
+            contents: [
+                {
+                    uri,
+                    mimeType: resourceMeta?.mimeType || 'text/plain',
+                    text: result.text,
+                    blob: result.blob,
+                },
+            ],
+        },
+    };
+}
+/**
+ * Parse and validate a JSON-RPC request
+ */
+export function parseJsonRpcRequest(body) {
+    if (!body || typeof body !== 'object') {
+        return {
+            code: MCP_ERRORS.PARSE_ERROR,
+            message: 'Invalid JSON',
+        };
+    }
+    const req = body;
+    if (req.jsonrpc !== '2.0') {
+        return {
+            code: MCP_ERRORS.INVALID_REQUEST,
+            message: 'Invalid JSON-RPC version',
+        };
+    }
+    if (typeof req.method !== 'string') {
+        return {
+            code: MCP_ERRORS.INVALID_REQUEST,
+            message: 'Missing or invalid method',
+        };
+    }
+    return {
+        jsonrpc: '2.0',
+        id: req.id,
+        method: req.method,
+        params: req.params,
+    };
+}
+/**
+ * Create an error response for parse/validation errors
+ */
+export function createErrorResponse(error) {
+    return {
+        jsonrpc: '2.0',
+        id: null,
+        error,
+    };
+}
+//# sourceMappingURL=server.js.map

package/dist/mcp/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACzE,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AA0BhD,uCAAuC;AACvC,MAAM,UAAU,GAAG;IACjB,WAAW,EAAE,CAAC,KAAK;IACnB,eAAe,EAAE,CAAC,KAAK;IACvB,gBAAgB,EAAE,CAAC,KAAK;IACxB,cAAc,EAAE,CAAC,KAAK;IACtB,cAAc,EAAE,CAAC,KAAK;CACd,CAAC;AAWX;;GAEG;AACH,MAAM,UAAU,qBAAqB;IACnC,MAAM,WAAW,GAAG,iBAAiB,EAAE,CAAC;IAExC,OAAO,WAAW,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAChC,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,WAAW,EAAE;YACX,IAAI,EAAE,QAAiB;YACvB,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,UAAU;YACvC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;SACpC;QACD,KAAK,EAAE,IAAI,CAAC,KAAK;KAClB,CAAC,CAAC,CAAC;AACN,CAAC;AAED;;GAEG;AACH,SAAS,eAAe;IACtB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,YAAY,GAAG,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC;IAExC,IAAI,CAAC,YAAY,EAAE,OAAO,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,WAAW,GAAG,YAAY,CAAC,WAAW,IAAI,QAAQ,CAAC;IAEzD,IAAI,WAAW,KAAK,QAAQ,EAAE,CAAC;QAC7B,OAAO,qBAAqB,EAAE,CAAC;IACjC,CAAC;IAED,IAAI,WAAW,KAAK,KAAK,EAAE,CAAC;QAC1B,oDAAoD;QACpD,OAAO,qBAAqB,EAAE,CAAC;IACjC,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,mCAAmC;QACnC,MAAM,QAAQ,GAAG,qBAAqB,EAAE,CAAC;QACzC,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,qBAAqB,EAAE,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,eAAe;IAG5B,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAMjC,cAAc,CAAC,CAAC;IAEnB,MAAM,SAAS,GAAkF,EAAE,CAAC;IACpG,KAAK,MAAM,CAAC,EAAE,QAAQ,CAAC,IAAI,YAAY,EAAE,CAAC;QACxC,SAAS,CAAC,IAAI,CAAC;YACb,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;SAC5B,CAAC,CAAC;IACL,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,eAAe,CAC5B,GAAW,EACX,OAAyB;IAUzB,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAkB,cAAc,CAAC,CAAC;IAEtE,IAAI,aAAa,GAAgC,SAAS,CAAC;IAC3D,KAAK,MAAM,CAAC,EAAE,QAAQ,CAAC,IAAI,YAAY,EAAE,CAAC;QACxC,IAAI,QAAQ,CAAC,GAAG,KAAK,GAAG,EAAE,CAAC;YACzB,aAAa,GAAG,QAAQ,CAAC;YACzB,MAAM;QACR,CAAC;IACH,CAAC;IAED,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,OAAO,MAAM,aAAa,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,uCAAuC,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,OAAuB,EACvB,OAAyB;IAEzB,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;IAEvC,IAAI,CAAC;QACH,QAAQ,MAAM,EAAE,CAAC;YACf,KAAK,YAAY;gBACf,OAAO,gBAAgB,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;YAEtC,KAAK,MAAM;gBACT,OAAO,UAAU,CAAC,EAAE,CAAC,CAAC;YAExB,KAAK,YAAY;gBACf,OAAO,eAAe,CAAC,EAAE,CAAC,CAAC;YAE7B,KAAK,YAAY;gBACf,OAAO,MAAM,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;YAEpD,KAAK,gBAAgB;gBACnB,OAAO,MAAM,mBAAmB,CAAC,EAAE,CAAC,CAAC;YAEvC,KAAK,gBAAgB;gBACnB,OAAO,MAAM,mBAAmB,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;YAExD,KAAK,2BAA2B;gBAC9B,2CAA2C;gBAC3C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;YAElD;gBACE,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,EAAE,EAAE,EAAE,IAAI,IAAI;oBACd,KAAK,EAAE;wBACL,IAAI,EAAE,UAAU,CAAC,gBAAgB;wBACjC,OAAO,EAAE,qBAAqB,MAAM,EAAE;qBACvC;iBACF,CAAC;QACN,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,+BAA+B,MAAM,GAAG,EAAE,KAAK,CAAC,CAAC;QAC/D,OAAO;YACL,OAAO,EAAE,KAAK;YACd,EAAE,EAAE,EAAE,IAAI,IAAI;YACd,KAAK,EAAE;gBACL,IAAI,EAAE,UAAU,CAAC,cAAc;gBAC/B,OAAO,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB;aACnE;SACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,EAAsC,EACtC,MAAgC;IAEhC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,EAAE,IAAI,IAAI,WAAW,CAAC;IAEhD,OAAO;QACL,OAAO,EAAE,KAAK;QACd,EAAE,EAAE,EAAE,IAAI,IAAI;QACd,MAAM,EAAE;YACN,eAAe,EAAE,YAAY;YAC7B,UAAU,EAAE;gBACV,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE,OAAO;aACjB;YACD,YAAY,EAAE;gBACZ,KAAK,EAAE,EAAE;gBACT,SAAS,EAAE,EAAE;aACd;SACF;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,EAAsC;IACxD,OAAO;QACL,OAAO,EAAE,KAAK;QACd,EAAE,EAAE,EAAE,IAAI,IAAI;QACd,MAAM,EAAE,EAAE;KACX,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,EAAsC;IAC7D,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAEhC,OAAO;QACL,OAAO,EAAE,KAAK;QACd,EAAE,EAAE,EAAE,IAAI,IAAI;QACd,MAAM,EAAE;YACN,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;gBAC1B,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,KAAK,EAAE,IAAI,CAAC,KAAK;aAClB,CAAC,CAAC;SACJ;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,eAAe,CAC5B,EAAsC,EACtC,MAA2C,EAC3C,OAAyB;IAEzB,IAAI,CAAC,MAAM,EAAE,IAAI,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QACrD,OAAO;YACL,OAAO,EAAE,KAAK;YACd,EAAE,EAAE,EAAE,IAAI,IAAI;YACd,KAAK,EAAE;gBACL,IAAI,EAAE,UAAU,CAAC,cAAc;gBAC/B,OAAO,EAAE,kCAAkC;aAC5C;SACF,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC;IAC7B,MAAM,IAAI,GAAI,MAAM,CAAC,SAAqC,IAAI,EAAE,CAAC;IAEjE,2BAA2B;IAC3B,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IACvC,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;IAE3D,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO;YACL,OAAO,EAAE,KAAK;YACd,EAAE,EAAE,EAAE,IAAI,IAAI;YACd,KAAK,EAAE;gBACL,IAAI,EAAE,UAAU,CAAC,cAAc;gBAC/B,OAAO,EAAE,mBAAmB,QAAQ,EAAE;aACvC;SACF,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,gCAAgC,QAAQ,EAAE,CAAC,CAAC;IAExD,0BAA0B;IAC1B,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,QAAQ,EAAE,IAAI,EAAE;QACrD,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,QAAQ,EAAE,SAAS;QACnB,OAAO,EAAE,SAAS;KACnB,CAAC,CAAC;IAEH,OAAO;QACL,OAAO,EAAE,KAAK;QACd,EAAE,EAAE,EAAE,IAAI,IAAI;QACd,MAAM,EAAE;YACN,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;SAC5C;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,mBAAmB,CAChC,EAAsC;IAEtC,MAAM,SAAS,GAAG,MAAM,eAAe,EAAE,CAAC;IAE1C,OAAO;QACL,OAAO,EAAE,KAAK;QACd,EAAE,EAAE,EAAE,IAAI,IAAI;QACd,MAAM,EAAE;YACN,SAAS;SACV;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,mBAAmB,CAChC,EAAsC,EACtC,MAA2C,EAC3C,OAAyB;IAEzB,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnD,OAAO;YACL,OAAO,EAAE,KAAK;YACd,EAAE,EAAE,EAAE,IAAI,IAAI;YACd,KAAK,EAAE;gBACL,IAAI,EAAE,UAAU,CAAC,cAAc;gBAC/B,OAAO,EAAE,iCAAiC;aAC3C;SACF,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;IACvB,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAEnD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO;YACL,OAAO,EAAE,KAAK;YACd,EAAE,EAAE,EAAE,IAAI,IAAI;YACd,KAAK,EAAE;gBACL,IAAI,EAAE,UAAU,CAAC,cAAc;gBAC/B,OAAO,EAAE,uBAAuB,GAAG,EAAE;aACtC;SACF,CAAC;IACJ,CAAC;IAED,wBAAwB;IACxB,MAAM,SAAS,GAAG,MAAM,eAAe,EAAE,CAAC;IAC1C,MAAM,YAAY,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;IAE1D,OAAO;QACL,OAAO,EAAE,KAAK;QACd,EAAE,EAAE,EAAE,IAAI,IAAI;QACd,MAAM,EAAE;YACN,QAAQ,EAAE;gBACR;oBACE,GAAG;oBACH,QAAQ,EAAE,YAAY,EAAE,QAAQ,IAAI,YAAY;oBAChD,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,IAAI,EAAE,MAAM,CAAC,IAAI;iBAClB;aACF;SACF;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAa;IAC/C,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtC,OAAO;YACL,IAAI,EAAE,UAAU,CAAC,WAAW;YAC5B,OAAO,EAAE,cAAc;SACxB,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,IAA+B,CAAC;IAE5C,IAAI,GAAG,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;QAC1B,OAAO;YACL,IAAI,EAAE,UAAU,CAAC,eAAe;YAChC,OAAO,EAAE,0BAA0B;SACpC,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QACnC,OAAO;YACL,IAAI,EAAE,UAAU,CAAC,eAAe;YAChC,OAAO,EAAE,2BAA2B;SACrC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,EAAE,KAAK;QACd,EAAE,EAAE,GAAG,CAAC,EAAwC;QAChD,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,MAAM,EAAE,GAAG,CAAC,MAA6C;KAC1D,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAmB;IACrD,OAAO;QACL,OAAO,EAAE,KAAK;QACd,EAAE,EAAE,IAAI;QACR,KAAK;KACN,CAAC;AACJ,CAAC"}

package/dist/middleware/apiKeyAuth.js

@@ -0,0 +1,136 @@
+import bcrypt from 'bcryptjs';
+import { db } from '@chaaskit/db';
+import { HTTP_STATUS } from '@chaaskit/shared';
+import { getConfig } from '../config/loader.js';
+/**
+ * Check if a path matches a pattern.
+ * Supports:
+ * - Exact match: "/api/threads"
+ * - Single segment wildcard: "/api/threads/*" matches "/api/threads/123" but not "/api/threads/123/messages"
+ * - Multi-segment wildcard: "/api/threads/**" matches "/api/threads/123" and "/api/threads/123/messages"
+ */
+function matchesPattern(path, pattern) {
+    // Exact match
+    if (pattern === path) {
+        return true;
+    }
+    // Handle ** (matches any depth)
+    if (pattern.endsWith('/**')) {
+        const prefix = pattern.slice(0, -3);
+        return path === prefix || path.startsWith(prefix + '/');
+    }
+    // Handle * (matches single segment)
+    if (pattern.endsWith('/*')) {
+        const prefix = pattern.slice(0, -2);
+        if (!path.startsWith(prefix + '/')) {
+            return false;
+        }
+        const remainder = path.slice(prefix.length + 1);
+        // Should not contain another slash (single segment only)
+        return !remainder.includes('/');
+    }
+    return false;
+}
+/**
+ * Check if the request path is allowed for API key access.
+ */
+function isEndpointAllowed(path, allowedEndpoints) {
+    for (const pattern of allowedEndpoints) {
+        if (matchesPattern(path, pattern)) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Middleware to authenticate requests using API keys.
+ * Should be used before requireAuth in the middleware chain.
+ *
+ * API key access is restricted to endpoints listed in config.api.allowedEndpoints.
+ * If no endpoints are configured, API keys cannot be used for any endpoint.
+ */
+export async function apiKeyAuth(req, res, next) {
+    try {
+        const authHeader = req.headers.authorization;
+        const config = getConfig();
+        const keyPrefix = config.api?.keyPrefix || 'sk-';
+        // Check if this looks like an API key
+        const isApiKeyAuth = authHeader?.startsWith(`Bearer ${keyPrefix}`);
+        if (!isApiKeyAuth) {
+            return next(); // Not an API key, let other auth handle it
+        }
+        // It's an API key - check if this endpoint is allowed
+        const allowedEndpoints = config.api?.allowedEndpoints || [];
+        if (allowedEndpoints.length === 0) {
+            res.status(HTTP_STATUS.FORBIDDEN).json({
+                error: 'API key access is not enabled for any endpoints'
+            });
+            return;
+        }
+        if (!isEndpointAllowed(req.path, allowedEndpoints)) {
+            res.status(HTTP_STATUS.FORBIDDEN).json({
+                error: 'API key access is not allowed for this endpoint'
+            });
+            return;
+        }
+        const apiKey = authHeader.slice(7); // Remove "Bearer "
+        // Find keys by prefix and check hash
+        // The stored keyPrefix is: configuredPrefix + 6 random chars
+        const storedPrefixLength = keyPrefix.length + 6;
+        const searchPrefix = apiKey.slice(0, storedPrefixLength);
+        const candidates = await db.apiKey.findMany({
+            where: { keyPrefix: searchPrefix },
+            include: {
+                user: {
+                    select: {
+                        id: true,
+                        email: true,
+                        name: true,
+                        avatarUrl: true,
+                        isAdmin: true,
+                        emailVerified: true,
+                        plan: true,
+                        credits: true,
+                        messagesThisMonth: true,
+                        themePreference: true,
+                    },
+                },
+                team: true,
+            },
+        });
+        for (const candidate of candidates) {
+            if (await bcrypt.compare(apiKey, candidate.keyHash)) {
+                // Check expiration
+                if (candidate.expiresAt && candidate.expiresAt < new Date()) {
+                    res.status(HTTP_STATUS.UNAUTHORIZED).json({ error: 'API key expired' });
+                    return;
+                }
+                // If team-scoped, verify user is still a member
+                if (candidate.teamId) {
+                    const membership = await db.teamMember.findFirst({
+                        where: { userId: candidate.userId, teamId: candidate.teamId },
+                    });
+                    if (!membership) {
+                        res.status(HTTP_STATUS.UNAUTHORIZED).json({ error: 'API key invalid - no longer a team member' });
+                        return;
+                    }
+                }
+                // Update lastUsedAt (fire and forget)
+                db.apiKey.update({
+                    where: { id: candidate.id },
+                    data: { lastUsedAt: new Date() },
+                }).catch(() => { });
+                req.user = candidate.user;
+                // Set team context for team-scoped keys
+                req.apiKeyTeamId = candidate.teamId || undefined;
+                return next();
+            }
+        }
+        // No valid key found
+        res.status(HTTP_STATUS.UNAUTHORIZED).json({ error: 'Invalid API key' });
+    }
+    catch (error) {
+        next(error);
+    }
+}
+//# sourceMappingURL=apiKeyAuth.js.map

package/dist/middleware/apiKeyAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"apiKeyAuth.js","sourceRoot":"","sources":["../../src/middleware/apiKeyAuth.ts"],"names":[],"mappings":"AACA,OAAO,MAAM,MAAM,UAAU,CAAC;AAC9B,OAAO,EAAE,EAAE,EAAE,MAAM,cAAc,CAAC;AAClC,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAEhD;;;;;;GAMG;AACH,SAAS,cAAc,CAAC,IAAY,EAAE,OAAe;IACnD,cAAc;IACd,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACpC,OAAO,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC;IAC1D,CAAC;IAED,oCAAoC;IACpC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACpC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,EAAE,CAAC;YACnC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAChD,yDAAyD;QACzD,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAClC,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,IAAY,EAAE,gBAA0B;IACjE,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;QACvC,IAAI,cAAc,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,GAAY,EACZ,GAAa,EACb,IAAkB;IAElB,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QAC7C,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,EAAE,SAAS,IAAI,KAAK,CAAC;QAEjD,sCAAsC;QACtC,MAAM,YAAY,GAAG,UAAU,EAAE,UAAU,CAAC,UAAU,SAAS,EAAE,CAAC,CAAC;QAEnE,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,IAAI,EAAE,CAAC,CAAE,2CAA2C;QAC7D,CAAC;QAED,sDAAsD;QACtD,MAAM,gBAAgB,GAAG,MAAM,CAAC,GAAG,EAAE,gBAAgB,IAAI,EAAE,CAAC;QAE5D,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAClC,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC;gBACrC,KAAK,EAAE,iDAAiD;aACzD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,IAAI,EAAE,gBAAgB,CAAC,EAAE,CAAC;YACnD,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC;gBACrC,KAAK,EAAE,iDAAiD;aACzD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,UAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAE,mBAAmB;QAEzD,qCAAqC;QACrC,6DAA6D;QAC7D,MAAM,kBAAkB,GAAG,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC;QAChD,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,kBAAkB,CAAC,CAAC;QACzD,MAAM,UAAU,GAAG,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC;YAC1C,KAAK,EAAE,EAAE,SAAS,EAAE,YAAY,EAAE;YAClC,OAAO,EAAE;gBACP,IAAI,EAAE;oBACJ,MAAM,EAAE;wBACN,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,IAAI;wBACX,IAAI,EAAE,IAAI;wBACV,SAAS,EAAE,IAAI;wBACf,OAAO,EAAE,IAAI;wBACb,aAAa,EAAE,IAAI;wBACnB,IAAI,EAAE,IAAI;wBACV,OAAO,EAAE,IAAI;wBACb,iBAAiB,EAAE,IAAI;wBACvB,eAAe,EAAE,IAAI;qBACtB;iBACF;gBACD,IAAI,EAAE,IAAI;aACX;SACF,CAAC,CAAC;QAEH,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,IAAI,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;gBACpD,mBAAmB;gBACnB,IAAI,SAAS,CAAC,SAAS,IAAI,SAAS,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;oBAC5D,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;oBACxE,OAAO;gBACT,CAAC;gBAED,gDAAgD;gBAChD,IAAI,SAAS,CAAC,MAAM,EAAE,CAAC;oBACrB,MAAM,UAAU,GAAG,MAAM,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;wBAC/C,KAAK,EAAE,EAAE,MAAM,EAAE,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,MAAM,EAAE;qBAC9D,CAAC,CAAC;oBACH,IAAI,CAAC,UAAU,EAAE,CAAC;wBAChB,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2CAA2C,EAAE,CAAC,CAAC;wBAClG,OAAO;oBACT,CAAC;gBACH,CAAC;gBAED,sCAAsC;gBACtC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC;oBACf,KAAK,EAAE,EAAE,EAAE,EAAE,SAAS,CAAC,EAAE,EAAE;oBAC3B,IAAI,EAAE,EAAE,UAAU,EAAE,IAAI,IAAI,EAAE,EAAE;iBACjC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;gBAEnB,GAAG,CAAC,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC;gBAC1B,wCAAwC;gBACxC,GAAG,CAAC,YAAY,GAAG,SAAS,CAAC,MAAM,IAAI,SAAS,CAAC;gBACjD,OAAO,IAAI,EAAE,CAAC;YAChB,CAAC;QACH,CAAC;QAED,qBAAqB;QACrB,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;IAC1E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/middleware/auth.js

@@ -0,0 +1,192 @@
+import jwt from 'jsonwebtoken';
+import { db } from '@chaaskit/db';
+import { AppError } from './errorHandler.js';
+import { HTTP_STATUS } from '@chaaskit/shared';
+import { getConfig } from '../config/loader.js';
+const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key';
+export function generateToken(userId, email) {
+    return jwt.sign({ userId, email }, JWT_SECRET, { expiresIn: '7d' });
+}
+export function verifyToken(token) {
+    return jwt.verify(token, JWT_SECRET);
+}
+export async function requireAuth(req, res, next) {
+    try {
+        // If user is already authenticated (e.g., by apiKeyAuth middleware), skip JWT validation
+        if (req.user) {
+            next();
+            return;
+        }
+        const config = getConfig();
+        // Check for token in Authorization header or cookie
+        const authHeader = req.headers.authorization;
+        const cookieToken = req.cookies?.token;
+        const token = authHeader?.startsWith('Bearer ')
+            ? authHeader.slice(7)
+            : cookieToken;
+        if (!token) {
+            // Allow unauthenticated access if configured
+            if (config.auth.allowUnauthenticated) {
+                next();
+                return;
+            }
+            throw new AppError(HTTP_STATUS.UNAUTHORIZED, 'Authentication required');
+        }
+        const payload = verifyToken(token);
+        const user = await db.user.findUnique({
+            where: { id: payload.userId },
+            select: {
+                id: true,
+                email: true,
+                name: true,
+                avatarUrl: true,
+                isAdmin: true,
+                emailVerified: true,
+                plan: true,
+                credits: true,
+                messagesThisMonth: true,
+                themePreference: true,
+            },
+        });
+        if (!user) {
+            throw new AppError(HTTP_STATUS.UNAUTHORIZED, 'User not found');
+        }
+        req.user = user;
+        next();
+    }
+    catch (error) {
+        if (error instanceof AppError) {
+            next(error);
+            return;
+        }
+        next(new AppError(HTTP_STATUS.UNAUTHORIZED, 'Invalid token'));
+    }
+}
+export async function optionalAuth(req, res, next) {
+    try {
+        // If user is already authenticated (e.g., by apiKeyAuth middleware), skip JWT validation
+        if (req.user) {
+            next();
+            return;
+        }
+        const authHeader = req.headers.authorization;
+        const cookieToken = req.cookies?.token;
+        const token = authHeader?.startsWith('Bearer ')
+            ? authHeader.slice(7)
+            : cookieToken;
+        if (!token) {
+            next();
+            return;
+        }
+        const payload = verifyToken(token);
+        const user = await db.user.findUnique({
+            where: { id: payload.userId },
+            select: {
+                id: true,
+                email: true,
+                name: true,
+                avatarUrl: true,
+                isAdmin: true,
+                emailVerified: true,
+                plan: true,
+                credits: true,
+                messagesThisMonth: true,
+                themePreference: true,
+            },
+        });
+        if (user) {
+            req.user = user;
+        }
+        next();
+    }
+    catch {
+        // Invalid token, continue without auth
+        next();
+    }
+}
+export async function requireAdmin(req, res, next) {
+    if (!req.user) {
+        next(new AppError(HTTP_STATUS.UNAUTHORIZED, 'Authentication required'));
+        return;
+    }
+    const config = getConfig();
+    const adminEmails = config.admin?.emails || [];
+    // Check if user's email is in the admin list
+    const isConfigAdmin = adminEmails.some((email) => email.toLowerCase() === req.user.email.toLowerCase());
+    // Also check the database isAdmin flag for backward compatibility
+    if (!isConfigAdmin && !req.user.isAdmin) {
+        next(new AppError(HTTP_STATUS.FORBIDDEN, 'Admin access required'));
+        return;
+    }
+    next();
+}
+import { isEmailEnabled } from '../services/email/index.js';
+/**
+ * Check if email verification is required for the current user.
+ * Returns true if user needs verification, false otherwise.
+ */
+function shouldBlockUnverifiedUser(req) {
+    const config = getConfig();
+    // No user = nothing to verify
+    if (!req.user) {
+        return false;
+    }
+    // Feature not enabled
+    if (!config.auth.emailVerification?.enabled) {
+        return false;
+    }
+    // Email provider not configured (graceful degradation)
+    if (!isEmailEnabled()) {
+        return false;
+    }
+    // User is already verified
+    if (req.user.emailVerified) {
+        return false;
+    }
+    // User needs verification
+    return true;
+}
+/**
+ * Middleware that requires the user to have a verified email.
+ * Skips the check if email verification is not enabled or email provider is not configured.
+ * Use after requireAuth middleware.
+ */
+export async function requireVerifiedEmail(req, res, next) {
+    if (!req.user) {
+        next(new AppError(HTTP_STATUS.UNAUTHORIZED, 'Authentication required'));
+        return;
+    }
+    if (shouldBlockUnverifiedUser(req)) {
+        res.status(HTTP_STATUS.FORBIDDEN).json({
+            error: 'Email not verified',
+            code: 'EMAIL_NOT_VERIFIED',
+            message: 'Please verify your email address to continue',
+        });
+        return;
+    }
+    next();
+}
+/**
+ * Middleware that checks email verification for optional auth routes.
+ * If user is authenticated but not verified, blocks the request.
+ * If user is not authenticated, allows the request (for allowUnauthenticated mode).
+ * Use after optionalAuth middleware.
+ */
+export async function optionalVerifiedEmail(req, res, next) {
+    // If no user, allow (unauthenticated access may be allowed)
+    if (!req.user) {
+        next();
+        return;
+    }
+    // If user exists but needs verification, block
+    if (shouldBlockUnverifiedUser(req)) {
+        res.status(HTTP_STATUS.FORBIDDEN).json({
+            error: 'Email not verified',
+            code: 'EMAIL_NOT_VERIFIED',
+            message: 'Please verify your email address to continue',
+        });
+        return;
+    }
+    next();
+}
+//# sourceMappingURL=auth.js.map