@deepsql/mcp 0.5.0 → 0.8.0

package/src/commands/permissions.js

@@ -0,0 +1,149 @@
+"use strict";
+
+/**
+ * `deepsql permissions` — global role-based permission overrides.
+ *
+ *   deepsql permissions list [--role <r>] [--json]
+ *   deepsql permissions override --role <r> --permission <p> --grant|--revoke [--reason "..."]
+ *   deepsql permissions reset --role <r> --permission <p>
+ *
+ * Backed by /permissions/** (overrides require ROLE_ADMIN).
+ */
+
+const { ApiError, request } = require("../api/client");
+const { resolveSession } = require("./_session");
+
+const SUBCOMMANDS = {
+  list: cmdList,
+  override: cmdOverride,
+  reset: cmdReset,
+};
+
+async function run(opts, io = {}) {
+  const sub = opts.positional[0];
+  if (!sub) throw new Error("Usage: deepsql permissions <list|override|reset> ...");
+  const handler = SUBCOMMANDS[sub];
+  if (!handler) throw new Error(`Unknown permissions subcommand: ${sub}.`);
+  return wrap(handler)(
+    { ...opts, positional: opts.positional.slice(1) },
+    io,
+  );
+}
+
+function wrap(handler) {
+  return async (opts, io) => {
+    try {
+      return await handler(opts, io);
+    } catch (err) {
+      if (err instanceof ApiError && err.status === 403) {
+        throw new Error("Access denied — managing permissions requires ADMIN role.");
+      }
+      throw err;
+    }
+  };
+}
+
+// ─── list ──────────────────────────────────────────────────────────────────
+
+async function cmdList(opts, { stdout = process.stdout } = {}) {
+  const session = resolveSession(opts);
+  const [registry, roles, overrides] = await Promise.all([
+    request(session.baseUrl, "/permissions/registry", { token: session.token }),
+    request(session.baseUrl, "/permissions/roles", { token: session.token }),
+    request(session.baseUrl, "/permissions/overrides", { token: session.token }),
+  ]);
+
+  if (opts.json) {
+    stdout.write(`${JSON.stringify({ registry, roles, overrides }, null, 2)}\n`);
+    return;
+  }
+
+  const roleList = Array.isArray(roles) ? roles : roles?.roles || [];
+  const overrideList = Array.isArray(overrides) ? overrides : overrides?.overrides || [];
+
+  if (opts.role) {
+    const wanted = String(opts.role).toUpperCase();
+    const role = roleList.find(
+      (r) => (r.code || r.role || r.name || "").toUpperCase() === wanted,
+    );
+    if (!role) {
+      const available = roleList.map((r) => r.code || r.role || r.name).filter(Boolean).join(", ");
+      throw new Error(`Role "${opts.role}" not found. Available: ${available}.`);
+    }
+    const code = role.code || role.role || role.name;
+    stdout.write(`${code} permissions (effective):\n`);
+    const perms = role.effectivePermissions || role.permissions || [];
+    for (const p of perms) {
+      stdout.write(`  - ${typeof p === "string" ? p : p.code || p.name}\n`);
+    }
+    return;
+  }
+
+  if (overrideList.length === 0) {
+    stdout.write("No active overrides — every role has its default permissions.\n");
+  } else {
+    stdout.write("Active overrides:\n");
+    for (const o of overrideList) {
+      const role = o.role || "";
+      const perm = o.permissionCode || o.permission || "";
+      const granted = o.granted ? "GRANT" : "REVOKE";
+      const reason = o.reason ? ` — ${o.reason}` : "";
+      stdout.write(`  ${role.padEnd(12)} ${granted.padEnd(7)} ${perm}${reason}\n`);
+    }
+  }
+
+  if (roleList.length > 0) {
+    stdout.write("\nRoles:\n");
+    for (const r of roleList) {
+      const name = r.code || r.role || r.name || "?";
+      const count = (r.effectivePermissions || r.permissions || []).length;
+      stdout.write(`  ${name.padEnd(12)} ${count} permission(s)\n`);
+    }
+    stdout.write("\nUse `--role <NAME>` to see one role's full permission list.\n");
+  }
+}
+
+// ─── override ──────────────────────────────────────────────────────────────
+
+async function cmdOverride(opts, { stdout = process.stdout } = {}) {
+  if (!opts.role) throw new Error("--role <ROLE> is required.");
+  if (!opts.permission) throw new Error("--permission <PERMISSION> is required.");
+  if (!opts.grant && !opts.revoke) {
+    throw new Error("Pass --grant or --revoke.");
+  }
+  if (opts.grant && opts.revoke) {
+    throw new Error("--grant and --revoke are mutually exclusive.");
+  }
+  const granted = !!opts.grant;
+  const session = resolveSession(opts);
+  const result = await request(session.baseUrl, "/permissions/overrides", {
+    method: "POST",
+    token: session.token,
+    json: {
+      role: String(opts.role).toUpperCase(),
+      permission: String(opts.permission).toUpperCase(),
+      granted,
+      reason: opts.reason || null,
+    },
+  });
+  stdout.write(`${result?.message || "Override applied."}\n`);
+}
+
+// ─── reset ─────────────────────────────────────────────────────────────────
+
+async function cmdReset(opts, { stdout = process.stdout } = {}) {
+  if (!opts.role) throw new Error("--role <ROLE> is required.");
+  if (!opts.permission) throw new Error("--permission <PERMISSION> is required.");
+  const session = resolveSession(opts);
+  const result = await request(session.baseUrl, "/permissions/overrides", {
+    method: "DELETE",
+    token: session.token,
+    json: {
+      role: String(opts.role).toUpperCase(),
+      permission: String(opts.permission).toUpperCase(),
+    },
+  });
+  stdout.write(`${result?.message || "Override removed."}\n`);
+}
+
+module.exports = { run };

package/src/commands/relationships.js

@@ -0,0 +1,56 @@
+"use strict";
+
+/**
+ * `deepsql relationships --connection <name> [--json]`
+ *
+ * Returns inferred and validated foreign-key relationships for a connection,
+ * with confidence scores. Wraps GET /brain/inferred-relationships/{cid}.
+ */
+
+const { request } = require("../api/client");
+const { resolveSession } = require("./_session");
+const { resolveConnectionId } = require("./_connections");
+
+async function run(opts, { stdout = process.stdout } = {}) {
+  if (!opts.connection) throw new Error("--connection <name> is required.");
+
+  const session = resolveSession(opts);
+  const connectionId = await resolveConnectionId(session, opts.connection);
+
+  const response = await request(
+    session.baseUrl,
+    `/brain/inferred-relationships/${encodeURIComponent(connectionId)}`,
+    { token: session.token },
+  );
+
+  if (opts.json) {
+    stdout.write(`${JSON.stringify(response, null, 2)}\n`);
+    return;
+  }
+
+  const list = Array.isArray(response) ? response : [];
+  if (list.length === 0) {
+    stdout.write("No relationships inferred for this connection yet.\n");
+    return;
+  }
+
+  const high = list.filter((r) => (r.confidence ?? 0) >= 0.8).length;
+  const noun = list.length === 1 ? "relationship" : "relationships";
+  const header = high > 0
+    ? `${list.length} ${noun} (${high} high-confidence):`
+    : `${list.length} ${noun}:`;
+  stdout.write(`${header}\n`);
+
+  for (const r of list) {
+    const parts = [];
+    if (r.confidence != null) parts.push(`conf=${r.confidence.toFixed(2)}`);
+    if (r.inferenceMethod) parts.push(`via ${r.inferenceMethod}`);
+    const meta = parts.length ? ` (${parts.join(", ")})` : "";
+    const status = r.validationStatus ? ` [${r.validationStatus}]` : "";
+    stdout.write(
+      `  • ${r.sourceTable}.${r.sourceColumn} → ${r.targetTable}.${r.targetColumn}${meta}${status}\n`,
+    );
+  }
+}
+
+module.exports = { run };

package/src/commands/setup.js

@@ -0,0 +1,220 @@
+"use strict";
+
+/**
+ * `deepsql setup` — post-install admin config wizard.
+ *
+ * Org name and LLM config are set at install time (env vars / install script /
+ * bootstrap link), so the CLI wizard only covers what's left after that:
+ *
+ *   1. Optionally configure SMTP / email (PUT /admin/settings/email +
+ *      POST /admin/settings/email/test).
+ *   2. Optionally configure Slack — bot token, signing secret, optional app
+ *      token for Socket Mode (PUT /admin/settings/slack). The backend masks
+ *      existing tokens (GET only returns *Configured booleans), so leaving a
+ *      token field blank means "keep current value."
+ *   3. Mark setup complete (POST /setup/complete) so the web-UI first-run
+ *      banner clears. Skipped if already complete or with --skip-complete.
+ *
+ * The wizard is idempotent — re-running picks up current values where the
+ * backend exposes them and prefills the prompts.
+ */
+
+const { ApiError, request } = require("../api/client");
+const { resolveSession } = require("./_session");
+const ui = require("../ui/prompts");
+
+async function run(opts, { stdout = process.stdout, stderr = process.stderr } = {}) {
+  const session = resolveSession(opts);
+  const log = (msg) => stderr.write(`[deepsql] ${msg}\n`);
+
+  log("Checking setup status…");
+  const status = await request(session.baseUrl, "/setup/status", { token: session.token });
+  if (!status?.hasOrganizationInfo || !status?.hasLlmConfig) {
+    stderr.write(
+      "[deepsql] Note: organization or LLM config is not set. Those are configured at install time " +
+        "(env vars, install script, or bootstrap link), not by this wizard.\n",
+    );
+  }
+
+  await stepEmail(session, opts, log);
+  await stepSlack(session, opts, log);
+
+  if (!opts.skipComplete && !status?.setupComplete) {
+    await request(session.baseUrl, "/setup/complete", {
+      method: "POST",
+      token: session.token,
+      json: {},
+    });
+    log("Setup marked complete.");
+  } else if (status?.setupComplete) {
+    log("Setup was already complete.");
+  }
+  stdout.write("Done.\n");
+}
+
+// ─── email ─────────────────────────────────────────────────────────────────
+
+async function stepEmail(session, opts, log) {
+  if (opts.skipEmail) {
+    log("Skipping SMTP setup (--skip-email).");
+    return;
+  }
+  const want = await ui.confirm({
+    message: "Configure SMTP / email now?",
+    default: true,
+  });
+  if (!want) {
+    log("Skipped SMTP.");
+    return;
+  }
+
+  let current = {};
+  try {
+    current = await request(session.baseUrl, "/admin/settings/email", { token: session.token });
+  } catch (err) {
+    if (err instanceof ApiError && err.status === 403) {
+      log("Cannot configure SMTP: requires ADMIN role on the calling token.");
+      return;
+    }
+    throw err;
+  }
+
+  const host = await ui.input({ message: "SMTP host:", default: current?.host || "smtp.gmail.com" });
+  const port = Number(
+    await ui.input({ message: "SMTP port:", default: String(current?.port || 587), required: true }),
+  );
+  const username = await ui.input({ message: "SMTP username:", default: current?.username || "" });
+  const password = await ui.password({ message: "SMTP password / app password:" });
+  const fromAddress = await ui.input({
+    message: "From address:",
+    default: current?.fromAddress || username,
+  });
+  const fromName = await ui.input({
+    message: "From name:",
+    default: current?.fromName || "DeepSQL",
+    required: false,
+  });
+  const startTls = await ui.confirm({ message: "Use STARTTLS?", default: current?.startTls ?? true });
+
+  const body = { host, port, username, password, fromAddress, fromName, startTls };
+  await request(session.baseUrl, "/admin/settings/email", {
+    method: "PUT",
+    token: session.token,
+    json: body,
+  });
+  log("SMTP saved.");
+
+  const sendTest = await ui.confirm({ message: "Send a test email now?", default: true });
+  if (sendTest) {
+    const recipient = await ui.input({
+      message: "Test recipient (your email):",
+      default: fromAddress,
+      required: true,
+    });
+    try {
+      await request(session.baseUrl, "/admin/settings/email/test", {
+        method: "POST",
+        token: session.token,
+        json: { recipient },
+      });
+      log(`Test email sent to ${recipient}.`);
+    } catch (err) {
+      log(`Test send failed: ${err.message}. Settings saved anyway.`);
+    }
+  }
+}
+
+// ─── slack ─────────────────────────────────────────────────────────────────
+
+async function stepSlack(session, opts, log) {
+  if (opts.skipSlack) {
+    log("Skipping Slack setup (--skip-slack).");
+    return;
+  }
+  const want = await ui.confirm({
+    message: "Configure Slack (digests + bot replies) now?",
+    default: false,
+  });
+  if (!want) {
+    log("Skipped Slack.");
+    return;
+  }
+
+  let current = {};
+  try {
+    current = await request(session.baseUrl, "/admin/settings/slack", { token: session.token });
+  } catch (err) {
+    if (err instanceof ApiError && err.status === 403) {
+      log("Cannot configure Slack: requires ADMIN role on the calling token.");
+      return;
+    }
+    throw err;
+  }
+
+  const enabled = await ui.confirm({
+    message: "Enable Slack integration?",
+    default: current?.enabled ?? true,
+  });
+  const socketModeEnabled = await ui.confirm({
+    message:
+      "Use Socket Mode? (Easier for self-hosted — no public webhook needed; requires an App-level token.)",
+    default: current?.socketModeEnabled ?? true,
+  });
+  const deepsqlBotUsername = await ui.input({
+    message: "Bot display name in Slack:",
+    default: current?.deepsqlBotUsername || "DeepSQL",
+  });
+
+  // The backend only echoes *Configured booleans for tokens, so we never have
+  // the existing values to pre-fill. A blank entry means "keep current."
+  const tokenHint = (label, configuredFlag) =>
+    configuredFlag ? `${label} (leave blank to keep current):` : `${label}:`;
+
+  const botToken = await ui.password({
+    message: tokenHint("Bot token (xoxb-…)", current?.botTokenConfigured),
+  });
+  const signingSecret = await ui.password({
+    message: tokenHint("Signing secret", current?.signingSecretConfigured),
+  });
+  const appToken = socketModeEnabled
+    ? await ui.password({
+        message: tokenHint("App-level token (xapp-…)", current?.appTokenConfigured),
+      })
+    : "";
+
+  // Build the PUT body. Empty token strings are intentionally omitted so the
+  // service treats them as "keep current"; non-blank values overwrite.
+  const body = {
+    enabled,
+    socketModeEnabled,
+    deepsqlBotUsername,
+  };
+  if (botToken && botToken.trim()) body.botToken = botToken.trim();
+  if (signingSecret && signingSecret.trim()) body.signingSecret = signingSecret.trim();
+  if (appToken && appToken.trim()) body.appToken = appToken.trim();
+
+  // Reject the case where the user is enabling Slack for the first time but
+  // gave us no tokens — saving would leave the integration broken.
+  const noBot = !current?.botTokenConfigured && !body.botToken;
+  const noSecret = !current?.signingSecretConfigured && !body.signingSecret;
+  const noAppToken = socketModeEnabled && !current?.appTokenConfigured && !body.appToken;
+  if (enabled && (noBot || noSecret || noAppToken)) {
+    const missing = [
+      noBot && "bot token",
+      noSecret && "signing secret",
+      noAppToken && "app-level token",
+    ]
+      .filter(Boolean)
+      .join(", ");
+    throw new Error(`Slack is enabled but missing: ${missing}. Aborting before save.`);
+  }
+
+  await request(session.baseUrl, "/admin/settings/slack", {
+    method: "PUT",
+    token: session.token,
+    json: body,
+  });
+  log("Slack saved.");
+}
+
+module.exports = { run };