npm - @dcluttr/dclare-mcp - Versions diffs - 0.1.5 → 0.1.6 - Mend

@dcluttr/dclare-mcp 0.1.5 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/services/query-guardrails.js +22 -7
package/package.json +1 -1

package/dist/services/query-guardrails.js CHANGED Viewed

@@ -17,12 +17,19 @@ function buildJoinedCubeMap(dataset, allDatasets) {
     }
     return map;
 }
-function validateMember(member, allowedLocal, joinedCubes, label) {
+function validateMember(member, allowedLocal, joinedCubes, label, currentCubeName) {
     if (isJoinedMember(member)) {
         const dotIndex = member.indexOf(".");
         const cubeName = member.slice(0, dotIndex);
         const columnName = member.slice(dotIndex + 1);
         const stripped = normalizeMemberName(columnName);
+        // If the prefix matches the current cube, treat as a local member
+        if (currentCubeName && cubeName === currentCubeName) {
+            if (allowedLocal.has(stripped)) {
+                return stripped;
+            }
+            throw new AppError("INVALID_QUERY", `${label} '${member}' is not allowed for this dataset.`, 400);
+        }
         const joinedColumns = joinedCubes.get(cubeName);
         if (joinedColumns && joinedColumns.has(stripped)) {
             return `${cubeName}.${stripped}`;
@@ -41,7 +48,7 @@ export class QueryGuardrails {
         const allowedMetrics = new Set(dataset.metrics.map((metric) => metric.name));
         const allowedSegments = new Set((dataset.segments ?? []).map((segment) => segment.name));
         const joinedCubes = buildJoinedCubeMap(dataset, allDatasets ?? []);
-        const validatedDimensions = (input.dimensions ?? []).map((d) => validateMember(d, allowedColumns, joinedCubes, "Dimension"));
+        const validatedDimensions = (input.dimensions ?? []).map((d) => validateMember(d, allowedColumns, joinedCubes, "Dimension", dataset.cubeName));
         for (const metric of input.metrics ?? []) {
             const normalized = normalizeMemberName(metric);
             if (!allowedMetrics.has(normalized)) {
@@ -50,15 +57,23 @@ export class QueryGuardrails {
         }
         for (const segment of input.segments ?? []) {
             const normalized = normalizeMemberName(segment);
+            // Strip prefix if it matches current cube name
+            if (isJoinedMember(segment)) {
+                const dotIndex = segment.indexOf(".");
+                const cubeName = segment.slice(0, dotIndex);
+                if (cubeName !== dataset.cubeName) {
+                    throw new AppError("INVALID_QUERY", `Segment '${segment}' is not allowed for this dataset.`, 400);
+                }
+            }
             if (!allowedSegments.has(normalized)) {
                 throw new AppError("INVALID_QUERY", `Segment '${segment}' is not allowed for this dataset.`, 400);
             }
         }
         const validatedTimeDimensions = (input.timeDimensions ?? []).map((item) => {
-            const resolved = validateMember(item.member, allowedColumns, joinedCubes, "Time dimension");
+            const resolved = validateMember(item.member, allowedColumns, joinedCubes, "Time dimension", dataset.cubeName);
             return { ...item, member: resolved };
         });
-        const validFilters = this.validateFilters(input.filters ?? [], allowedColumns, joinedCubes);
+        const validFilters = this.validateFilters(input.filters ?? [], allowedColumns, joinedCubes, dataset.cubeName);
         const allFilters = [...validFilters];
         const order = this.validateOrder(input.order ?? [], allowedColumns, allowedMetrics, joinedCubes, dataset.cubeName);
         const normalizedSegments = (input.segments ?? []).map((segment) => normalizeMemberName(segment));
@@ -81,9 +96,9 @@ export class QueryGuardrails {
             limit
         };
     }
-    validateFilters(filters, allowedColumns, joinedCubes) {
+    validateFilters(filters, allowedColumns, joinedCubes, currentCubeName) {
         return filters.map((filter) => {
-            const resolved = validateMember(filter.member, allowedColumns, joinedCubes, "Filter member");
+            const resolved = validateMember(filter.member, allowedColumns, joinedCubes, "Filter member", currentCubeName);
             if (!Array.isArray(filter.values) || filter.values.length === 0) {
                 throw new AppError("INVALID_QUERY", `Filter '${filter.member}' must include at least one value.`, 400);
             }
@@ -98,7 +113,7 @@ export class QueryGuardrails {
         for (const item of order) {
             let member;
             try {
-                member = validateMember(item.member, allowedColumns, joinedCubes, "Order member");
+                member = validateMember(item.member, allowedColumns, joinedCubes, "Order member", cubeName);
             }
             catch {
                 const normalized = normalizeMemberName(item.member);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@dcluttr/dclare-mcp",
-  "version": "0.1.5",
+  "version": "0.1.6",
   "type": "module",
   "description": "MCP server for secure talk-to-data on Cube + ClickHouse",
   "bin": {