@decocms/runtime 1.0.0-alpha.2 → 1.0.0-alpha.21

package/src/index.ts

@@ -1,56 +1,31 @@
 /* oxlint-disable no-explicit-any */
-import type { ExecutionContext } from "@cloudflare/workers-types";
 import { decodeJwt } from "jose";
 import type { z } from "zod";
-import {
-  getReqToken,
-  handleAuthCallback,
-  handleLogout,
-  StateParser,
-} from "./auth.ts";
-import {
-  createContractBinding,
-  createIntegrationBinding,
-  workspaceClient,
-} from "./bindings.ts";
-import { DeconfigResource } from "./bindings/deconfig/index.ts";
-import { DECO_MCP_CLIENT_HEADER } from "./client.ts";
+import { createContractBinding, createIntegrationBinding } from "./bindings.ts";
+import { type CORSOptions, handlePreflight, withCORS } from "./cors.ts";
+import { State } from "./state.ts";
 import {
   createMCPServer,
   type CreateMCPServerOptions,
   MCPServer,
-} from "./mastra.ts";
-import { MCPClient, type QueryResult } from "./mcp.ts";
-import { State } from "./state.ts";
+} from "./tools.ts";
 import type { Binding, ContractBinding, MCPBinding } from "./wrangler.ts";
 export { proxyConnectionForId } from "./bindings.ts";
+export { type CORSOptions, type CORSOrigin } from "./cors.ts";
 export {
   createMCPFetchStub,
   type CreateStubAPIOptions,
   type ToolBinder,
 } from "./mcp.ts";
-export interface WorkspaceDB {
-  query: (params: {
-    sql: string;
-    params: string[];
-  }) => Promise<{ result: QueryResult[] }>;
-}
 
 export interface DefaultEnv<TSchema extends z.ZodTypeAny = any> {
-  DECO_REQUEST_CONTEXT: RequestContext<TSchema>;
-  DECO_APP_NAME: string;
-  DECO_APP_SLUG: string;
-  DECO_APP_ENTRYPOINT: string;
-  DECO_API_URL?: string;
-  DECO_WORKSPACE: string;
-  DECO_API_JWT_PUBLIC_KEY: string;
-  DECO_APP_DEPLOYMENT_ID: string;
-  DECO_BINDINGS: string;
-  DECO_API_TOKEN: string;
-  DECO_WORKSPACE_DB: WorkspaceDB & {
-    forContext: (ctx: RequestContext) => WorkspaceDB;
-  };
+  MESH_REQUEST_CONTEXT: RequestContext<TSchema>;
+  MESH_BINDINGS: string;
+  MESH_APP_DEPLOYMENT_ID: string;
   IS_LOCAL: boolean;
+  MESH_URL?: string;
+  MESH_RUNTIME_TOKEN?: string;
+  MESH_APP_NAME?: string;
   [key: string]: unknown;
 }
 
@@ -58,7 +33,7 @@ export interface BindingsObject {
   bindings?: Binding[];
 }
 
-export const WorkersMCPBindings = {
+export const MCPBindings = {
   parse: (bindings?: string): Binding[] => {
     if (!bindings) return [];
     try {
@@ -77,11 +52,12 @@ export interface UserDefaultExport<
   TSchema extends z.ZodTypeAny = never,
   TEnv = TUserEnv & DefaultEnv<TSchema>,
 > extends CreateMCPServerOptions<TEnv, TSchema> {
-  fetch?: (
-    req: Request,
-    env: TEnv,
-    ctx: ExecutionContext,
-  ) => Promise<Response> | Response;
+  fetch?: (req: Request, env: TEnv, ctx: any) => Promise<Response> | Response;
+  /**
+   * CORS configuration options.
+   * Set to `false` to disable CORS handling entirely.
+   */
+  cors?: CORSOptions | false;
 }
 
 // 1. Map binding type to its interface
@@ -104,14 +80,13 @@ export interface User {
 
 export interface RequestContext<TSchema extends z.ZodTypeAny = any> {
   state: z.infer<TSchema>;
-  branch?: string;
   token: string;
-  workspace: string;
+  meshUrl: string;
   ensureAuthenticated: (options?: {
     workspaceHint?: string;
   }) => User | undefined;
   callerApp?: string;
-  integrationId?: string;
+  connectionId?: string;
 }
 
 // 2. Map binding type to its creator function
@@ -131,26 +106,12 @@ const creatorByType: CreatorByType = {
 const withDefaultBindings = ({
   env,
   server,
-  ctx,
   url,
 }: {
   env: DefaultEnv;
   server: MCPServer<any, any>;
-  ctx: RequestContext;
   url?: string;
 }) => {
-  const client = workspaceClient(ctx, env.DECO_API_URL);
-  const createWorkspaceDB = (ctx: RequestContext): WorkspaceDB => {
-    const client = workspaceClient(ctx, env.DECO_API_URL);
-    return {
-      query: ({ sql, params }) => {
-        return client.DATABASES_RUN_SQL({
-          sql,
-          params,
-        });
-      },
-    };
-  };
   env["SELF"] = new Proxy(
     {},
     {
@@ -169,15 +130,6 @@ const withDefaultBindings = ({
     },
   );
 
-  const workspaceDbBinding = {
-    ...createWorkspaceDB(ctx),
-    forContext: createWorkspaceDB,
-  };
-
-  env["DECO_API"] = MCPClient;
-  env["DECO_WORKSPACE_API"] = client;
-  env["DECO_WORKSPACE_DB"] = workspaceDbBinding;
-
   env["IS_LOCAL"] =
     (url?.startsWith("http://localhost") ||
       url?.startsWith("http://127.0.0.1")) ??
@@ -194,13 +146,9 @@ export class UnauthorizedError extends Error {
   }
 }
 
-const AUTH_CALLBACK_ENDPOINT = "/oauth/callback";
-const AUTH_START_ENDPOINT = "/oauth/start";
-const AUTH_LOGOUT_ENDPOINT = "/oauth/logout";
-const AUTHENTICATED = (user?: unknown, workspace?: string) => () => {
+const AUTHENTICATED = (user?: unknown) => () => {
   return {
     ...((user as User) ?? {}),
-    workspace,
   } as User;
 };
 
@@ -208,66 +156,64 @@ export const withBindings = <TEnv>({
   env: _env,
   server,
   tokenOrContext,
-  origin,
   url,
-  branch,
+  bindings: inlineBindings,
 }: {
   env: TEnv;
   server: MCPServer<TEnv, any>;
   tokenOrContext?: string | RequestContext;
-  origin?: string | null;
   url?: string;
-  branch?: string | null;
+  bindings?: Binding[];
 }): TEnv => {
-  branch ??= undefined;
   const env = _env as DefaultEnv<any>;
 
-  const apiUrl = env.DECO_API_URL ?? "https://api.decocms.com";
   let context;
   if (typeof tokenOrContext === "string") {
     const decoded = decodeJwt(tokenOrContext);
-    const workspace = decoded.aud as string;
+    // Support both new JWT format (fields directly on payload) and legacy format (nested in metadata)
+    const metadata =
+      (decoded.metadata as {
+        state?: Record<string, unknown>;
+        meshUrl?: string;
+        connectionId?: string;
+      }) ?? {};
 
     context = {
-      state: decoded.state as Record<string, unknown>,
+      state: decoded.state ?? metadata.state,
       token: tokenOrContext,
-      integrationId: decoded.integrationId as string,
-      workspace,
-      ensureAuthenticated: AUTHENTICATED(decoded.user, workspace),
-      branch,
+      meshUrl: (decoded.meshUrl as string) ?? metadata.meshUrl,
+      connectionId: (decoded.connectionId as string) ?? metadata.connectionId,
+      ensureAuthenticated: AUTHENTICATED(decoded.user ?? decoded.sub),
     } as RequestContext<any>;
   } else if (typeof tokenOrContext === "object") {
     context = tokenOrContext;
     const decoded = decodeJwt(tokenOrContext.token);
-    const workspace = decoded.aud as string;
+    // Support both new JWT format (fields directly on payload) and legacy format (nested in metadata)
+    const metadata =
+      (decoded.metadata as {
+        state?: Record<string, unknown>;
+        meshUrl?: string;
+        connectionId?: string;
+      }) ?? {};
     const appName = decoded.appName as string | undefined;
     context.callerApp = appName;
-    context.integrationId ??= decoded.integrationId as string;
-    context.ensureAuthenticated = AUTHENTICATED(decoded.user, workspace);
+    context.connectionId ??=
+      (decoded.connectionId as string) ?? metadata.connectionId;
+    context.ensureAuthenticated = AUTHENTICATED(decoded.user ?? decoded.sub);
   } else {
     context = {
-      state: undefined,
-      token: env.DECO_API_TOKEN,
-      workspace: env.DECO_WORKSPACE,
-      branch,
-      ensureAuthenticated: (options?: { workspaceHint?: string }) => {
-        const workspaceHint = options?.workspaceHint ?? env.DECO_WORKSPACE;
-        const authUri = new URL("/apps/oauth", apiUrl);
-        authUri.searchParams.set("client_id", env.DECO_APP_NAME);
-        authUri.searchParams.set(
-          "redirect_uri",
-          new URL(AUTH_CALLBACK_ENDPOINT, origin ?? env.DECO_APP_ENTRYPOINT)
-            .href,
-        );
-        workspaceHint &&
-          authUri.searchParams.set("workspace_hint", workspaceHint);
-        throw new UnauthorizedError("Unauthorized", authUri);
+      state: {},
+      token: undefined,
+      meshUrl: undefined,
+      connectionId: undefined,
+      ensureAuthenticated: () => {
+        throw new Error("Unauthorized");
       },
-    };
+    } as unknown as RequestContext<any>;
   }
 
-  env.DECO_REQUEST_CONTEXT = context;
-  const bindings = WorkersMCPBindings.parse(env.DECO_BINDINGS);
+  env.MESH_REQUEST_CONTEXT = context;
+  const bindings = inlineBindings ?? MCPBindings.parse(env.MESH_BINDINGS);
 
   for (const binding of bindings) {
     env[binding.name] = creatorByType[binding.type](binding as any, env);
@@ -276,7 +222,6 @@ export const withBindings = <TEnv>({
   withDefaultBindings({
     env,
     server,
-    ctx: env.DECO_REQUEST_CONTEXT,
     url,
   });
 
@@ -285,29 +230,16 @@ export const withBindings = <TEnv>({
 
 export const withRuntime = <TEnv, TSchema extends z.ZodTypeAny = never>(
   userFns: UserDefaultExport<TEnv, TSchema>,
-): ExportedHandler<TEnv & DefaultEnv<TSchema>> => {
+) => {
   const server = createMCPServer<TEnv, TSchema>(userFns);
+  const corsOptions = userFns.cors;
+
   const fetcher = async (
     req: Request,
     env: TEnv & DefaultEnv<TSchema>,
-    ctx: ExecutionContext,
+    ctx: any,
   ) => {
     const url = new URL(req.url);
-    if (url.pathname === AUTH_CALLBACK_ENDPOINT) {
-      return handleAuthCallback(req, {
-        apiUrl: env.DECO_API_URL,
-        appName: env.DECO_APP_NAME,
-      });
-    }
-    if (url.pathname === AUTH_START_ENDPOINT) {
-      env.DECO_REQUEST_CONTEXT.ensureAuthenticated();
-      const redirectTo = new URL("/", url);
-      const next = url.searchParams.get("next");
-      return Response.redirect(next ?? redirectTo, 302);
-    }
-    if (url.pathname === AUTH_LOGOUT_ENDPOINT) {
-      return handleLogout(req);
-    }
     if (url.pathname === "/mcp") {
       return server.fetch(req, env, ctx);
     }
@@ -334,55 +266,40 @@ export const withRuntime = <TEnv, TSchema extends z.ZodTypeAny = never>(
       });
     }
 
-    if (url.pathname.startsWith(DeconfigResource.WatchPathNameBase)) {
-      return DeconfigResource.watchAPI(req, env);
-    }
     return (
       userFns.fetch?.(req, env, ctx) ||
       new Response("Not found", { status: 404 })
     );
   };
+
   return {
-    fetch: async (
-      req: Request,
-      env: TEnv & DefaultEnv<TSchema>,
-      ctx: ExecutionContext,
-    ) => {
-      const referer = req.headers.get("referer");
-      const isFetchRequest = req.headers.has(DECO_MCP_CLIENT_HEADER);
-
-      try {
-        const bindings = withBindings({
-          env,
-          server,
-          branch:
-            req.headers.get("x-deco-branch") ??
-            new URL(req.url).searchParams.get("__b"),
-          tokenOrContext: await getReqToken(req, env),
-          origin:
-            referer ?? req.headers.get("origin") ?? new URL(req.url).origin,
-          url: req.url,
-        });
-        return await State.run(
-          { req, env: bindings, ctx },
-          async () => await fetcher(req, bindings, ctx),
-        );
-      } catch (error) {
-        if (error instanceof UnauthorizedError) {
-          if (!isFetchRequest) {
-            const url = new URL(req.url);
-            error.redirectTo.searchParams.set(
-              "state",
-              StateParser.stringify({
-                next: url.searchParams.get("next") ?? referer ?? req.url,
-              }),
-            );
-            return Response.redirect(error.redirectTo, 302);
-          }
-          return new Response(null, { status: 401 });
-        }
-        throw error;
+    fetch: async (req: Request, env: TEnv & DefaultEnv<TSchema>, ctx: any) => {
+      // Handle CORS preflight (OPTIONS) requests
+      if (corsOptions !== false && req.method === "OPTIONS") {
+        const options = corsOptions ?? {};
+        return handlePreflight(req, options);
       }
+
+      const bindings = withBindings({
+        env,
+        server,
+        bindings: userFns.bindings,
+        tokenOrContext: req.headers.get("x-mesh-token") ?? undefined,
+        url: req.url,
+      });
+
+      const response = await State.run(
+        { req, env: bindings, ctx },
+        async () => await fetcher(req, bindings, ctx),
+      );
+
+      // Add CORS headers to response
+      if (corsOptions !== false) {
+        const options = corsOptions ?? {};
+        return withCORS(response, req, options);
+      }
+
+      return response;
     },
   };
 };

package/src/mcp.ts

@@ -1,170 +1,11 @@
 /* oxlint-disable no-explicit-any */
-import { z } from "zod";
-import type { MCPConnection } from "./connection.ts";
-import { createMCPClientProxy } from "./proxy.ts";
 import type { ToolBinder } from "@decocms/bindings";
-
-export interface FetchOptions extends RequestInit {
-  path?: string;
-  segments?: string[];
-}
-
-const Timings = z.object({
-  sql_duration_ms: z.number().optional(),
-});
-
-const Meta = z.object({
-  changed_db: z.boolean().optional(),
-  changes: z.number().optional(),
-  duration: z.number().optional(),
-  last_row_id: z.number().optional(),
-  rows_read: z.number().optional(),
-  rows_written: z.number().optional(),
-  served_by_primary: z.boolean().optional(),
-  served_by_region: z
-    .enum(["WNAM", "ENAM", "WEUR", "EEUR", "APAC", "OC"])
-    .optional(),
-  size_after: z.number().optional(),
-  timings: Timings.optional(),
-});
-
-const QueryResult = z.object({
-  meta: Meta.optional(),
-  results: z.array(z.unknown()).optional(),
-  success: z.boolean().optional(),
-});
-
-export type QueryResult = z.infer<typeof QueryResult>;
-
-const workspaceTools = [
-  {
-    name: "INTEGRATIONS_GET" as const,
-    inputSchema: z.object({
-      id: z.string(),
-    }),
-    outputSchema: z.object({
-      connection: z.object({}),
-    }),
-  },
-  {
-    name: "DATABASES_RUN_SQL" as const,
-    inputSchema: z.object({
-      sql: z.string().describe("The SQL query to run"),
-      params: z
-        .array(z.string())
-        .describe("The parameters to pass to the SQL query"),
-    }),
-    outputSchema: z.object({
-      result: z.array(QueryResult),
-    }),
-  },
-] satisfies ToolBinder<string, unknown, object>[];
-
-// Default fetcher instance with API_SERVER_URL and API_HEADERS
-const global = createMCPFetchStub<[]>({});
-export const MCPClient = new Proxy(
-  {} as typeof global & {
-    forWorkspace: (
-      workspace: string,
-      token?: string,
-      decoCmsApiUrl?: string,
-    ) => MCPClientFetchStub<typeof workspaceTools>;
-    forConnection: <TDefinition extends readonly ToolBinder[]>(
-      connection: MCPConnectionProvider,
-      decoCmsApiUrl?: string,
-    ) => MCPClientFetchStub<TDefinition>;
-  },
-  {
-    get(_, name) {
-      if (name === "toJSON") {
-        return null;
-      }
-
-      if (name === "forWorkspace") {
-        return (workspace: string, token?: string, decoCmsApiUrl?: string) =>
-          createMCPFetchStub<[]>({
-            workspace,
-            token,
-            decoCmsApiUrl,
-          });
-      }
-      if (name === "forConnection") {
-        return <TDefinition extends readonly ToolBinder[]>(
-          connection: MCPConnectionProvider,
-          decoCmsApiUrl?: string,
-        ) =>
-          createMCPFetchStub<TDefinition>({
-            connection,
-            decoCmsApiUrl,
-          });
-      }
-      return global[name as keyof typeof global];
-    },
-  },
-);
+export {
+  createMCPFetchStub,
+  MCPClient,
+  type CreateStubAPIOptions,
+  type MCPClientFetchStub,
+  type MCPClientStub,
+} from "@decocms/bindings/client"; // Default fetcher instance with API_SERVER_URL and API_HEADERS
 
 export type { ToolBinder };
-
-export const isStreamableToolBinder = (
-  toolBinder: ToolBinder,
-): toolBinder is ToolBinder<string, any, any, true> => {
-  return toolBinder.streamable === true;
-};
-export type MCPClientStub<TDefinition extends readonly ToolBinder[]> = {
-  [K in TDefinition[number] as K["name"]]: K extends ToolBinder<
-    string,
-    infer TInput,
-    infer TReturn
-  >
-    ? (params: TInput, init?: RequestInit) => Promise<TReturn>
-    : never;
-};
-
-export type MCPClientFetchStub<TDefinition extends readonly ToolBinder[]> = {
-  [K in TDefinition[number] as K["name"]]: K["streamable"] extends true
-    ? K extends ToolBinder<string, infer TInput, any, true>
-      ? (params: TInput, init?: RequestInit) => Promise<Response>
-      : never
-    : K extends ToolBinder<string, infer TInput, infer TReturn, any>
-      ? (params: TInput, init?: RequestInit) => Promise<Awaited<TReturn>>
-      : never;
-};
-
-export type MCPConnectionProvider = MCPConnection;
-
-export interface MCPClientRaw {
-  callTool: (tool: string, args: unknown) => Promise<unknown>;
-  listTools: () => Promise<
-    {
-      name: string;
-      inputSchema: any;
-      outputSchema?: any;
-      description: string;
-    }[]
-  >;
-}
-export type JSONSchemaToZodConverter = (jsonSchema: any) => z.ZodTypeAny;
-export interface CreateStubAPIOptions {
-  mcpPath?: string;
-  decoCmsApiUrl?: string;
-  workspace?: string;
-  token?: string;
-  connection?: MCPConnectionProvider;
-  streamable?: Record<string, boolean>;
-  debugId?: () => string;
-  getErrorByStatusCode?: (
-    statusCode: number,
-    message?: string,
-    traceId?: string,
-    errorObject?: unknown,
-  ) => Error;
-  supportsToolName?: boolean;
-}
-
-export function createMCPFetchStub<TDefinition extends readonly ToolBinder[]>(
-  options?: CreateStubAPIOptions,
-): MCPClientFetchStub<TDefinition> {
-  return createMCPClientProxy<MCPClientFetchStub<TDefinition>>({
-    ...(options ?? {}),
-  });
-}

package/src/proxy.ts

@@ -1,17 +1,8 @@
 /* oxlint-disable no-explicit-any */
-import type { ToolExecutionContext as _ToolExecutionContext } from "@mastra/core";
 import { convertJsonSchemaToZod } from "zod-from-json-schema";
 import { MCPConnection } from "./connection.ts";
 import { createServerClient } from "./mcp-client.ts";
 import type { CreateStubAPIOptions } from "./mcp.ts";
-import { WELL_KNOWN_API_HOSTNAMES } from "./well-known.ts";
-
-const getWorkspace = (workspace?: string) => {
-  if (workspace && workspace.length > 0 && !workspace.includes("/")) {
-    return `/shared/${workspace}`;
-  }
-  return workspace ?? "";
-};
 
 const safeParse = (content: string) => {
   try {
@@ -33,36 +24,13 @@ const toolsMap = new Map<
   >
 >();
 
-/**
- * Determines if a given URL supports tool names in the path.
- * Our APIs (api.decocms.com, api.deco.chat, localhost) support /tool/${toolName} routing.
- * Third-party APIs typically don't support this pattern.
- */
-function supportsToolNameInPath(url: string): boolean {
-  try {
-    // Our main APIs that support /tool/${toolName} routing
-    return WELL_KNOWN_API_HOSTNAMES.includes(new URL(url).hostname);
-  } catch {
-    return false;
-  }
-}
-
 /**
  * The base fetcher used to fetch the MCP from API.
  */
 export function createMCPClientProxy<T extends Record<string, unknown>>(
-  options?: CreateStubAPIOptions,
+  options: CreateStubAPIOptions,
 ): T {
-  const mcpPath = options?.mcpPath ?? "/mcp";
-
-  const connection: MCPConnection = options?.connection || {
-    type: "HTTP",
-    token: options?.token,
-    url: new URL(
-      `${getWorkspace(options?.workspace)}${mcpPath}`,
-      options?.decoCmsApiUrl ?? `https://api.decocms.com`,
-    ).href,
-  };
+  const connection: MCPConnection = options.connection;
 
   return new Proxy<T>({} as T, {
     get(_, name) {
@@ -81,28 +49,9 @@ export function createMCPClientProxy<T extends Record<string, unknown>>(
         // Create a connection with the tool name in the URL path for better logging
         // Only modify connections that have a URL property (HTTP, SSE, Websocket)
         // Use automatic detection based on URL, with optional override
-        let toolConnection = connection;
-        const shouldAddToolName =
-          options?.supportsToolName ??
-          ("url" in connection &&
-            typeof connection.url === "string" &&
-            supportsToolNameInPath(connection.url));
-
-        if (
-          shouldAddToolName &&
-          "url" in connection &&
-          typeof connection.url === "string"
-        ) {
-          toolConnection = {
-            ...connection,
-            url: connection.url.endsWith("/")
-              ? `${connection.url}tool/${String(name)}`
-              : `${connection.url}/tool/${String(name)}`,
-          };
-        }
 
         const { client, callStreamableTool } = await createServerClient(
-          { connection: toolConnection },
+          { connection },
           undefined,
           extraHeaders,
         );

package/src/state.ts

@@ -1,7 +1,6 @@
 import { AsyncLocalStorage } from "node:async_hooks";
-import { z } from "zod";
-import type { AppContext } from "./mastra.ts";
-import { createTool } from "./mastra.ts";
+import { DefaultEnv } from "./index.ts";
+import type { AppContext } from "./tools.ts";
 
 const asyncLocalStorage = new AsyncLocalStorage<AppContext | undefined>();
 
@@ -9,36 +8,9 @@ export const State = {
   getStore: () => {
     return asyncLocalStorage.getStore();
   },
-  run: <TEnv, R, TArgs extends unknown[]>(
+  run: <TEnv extends DefaultEnv, R, TArgs extends unknown[]>(
     ctx: AppContext<TEnv>,
     f: (...args: TArgs) => R,
     ...args: TArgs
   ): R => asyncLocalStorage.run(ctx, f, ...args),
 };
-
-export interface ValidationPayload {
-  state: unknown;
-}
-
-export const createStateValidationTool = (stateSchema?: z.ZodTypeAny) => {
-  return createTool({
-    id: "DECO_CHAT_STATE_VALIDATION",
-    description: "Validate the state of the OAuth flow",
-    inputSchema: z.object({
-      state: z.unknown(),
-    }),
-    outputSchema: z.object({
-      valid: z.boolean(),
-    }),
-    execute: (ctx) => {
-      if (!stateSchema) {
-        return Promise.resolve({ valid: true });
-      }
-      const parsed = stateSchema.safeParse(ctx.context.state);
-      return Promise.resolve({
-        valid: parsed.success,
-        reason: parsed.error?.message,
-      });
-    },
-  });
-};