@dypai-ai/mcp 1.2.2 → 1.2.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dypai-ai/mcp",
-  "version": "1.2.2",
+  "version": "1.2.4",
   "description": "DYPAI MCP Server — AI agent toolkit for building and deploying full-stack apps",
   "type": "module",
   "main": "src/index.js",

package/src/index.js

@@ -390,8 +390,17 @@ async function handleRequest(msg) {
         content: [{ type: "text", text: typeof result === "string" ? result : JSON.stringify(result, null, 2) }],
       })
     } catch (e) {
+      // Return a structured error so the agent can parse `success`/`error`
+      // consistently with our other "soft failure" responses (validate,
+      // test_endpoint, etc.). Still flag isError=true at the MCP level.
+      const payload = {
+        success: false,
+        error: e.message || String(e),
+        // First few stack frames help debug which file blew up.
+        stack: (e.stack || "").split("\n").slice(0, 4).join("\n"),
+      }
       return makeResponse(id, {
-        content: [{ type: "text", text: `Error: ${e.message}` }],
+        content: [{ type: "text", text: JSON.stringify(payload, null, 2) }],
         isError: true,
       })
     }

package/src/tools/bulk-upsert.js

@@ -11,6 +11,59 @@ import { readFileSync, existsSync } from "fs"
 import { basename } from "path"
 import { proxyToolCall } from "./proxy.js"
 
+/**
+ * Minimal RFC 4180-compliant CSV parser.
+ * Handles: quoted fields, embedded commas, escaped quotes (""), CRLF, embedded newlines in quoted fields.
+ * Returns an array of rows, each row an array of string fields.
+ *
+ * The previous implementation did `line.split(",")` which silently corrupted
+ * any CSV with quoted commas (e.g. `"Smith, Jr.",100`).
+ */
+function parseCsv(text) {
+  const rows = []
+  let row = []
+  let field = ""
+  let i = 0
+  let inQuotes = false
+  while (i < text.length) {
+    const c = text[i]
+    if (inQuotes) {
+      if (c === '"') {
+        if (text[i + 1] === '"') { field += '"'; i += 2; continue }
+        inQuotes = false
+        i++
+        continue
+      }
+      field += c
+      i++
+      continue
+    }
+    if (c === '"') { inQuotes = true; i++; continue }
+    if (c === ",") { row.push(field); field = ""; i++; continue }
+    if (c === "\r") {
+      // Treat CRLF as one line break
+      if (text[i + 1] === "\n") i++
+      row.push(field); rows.push(row); row = []; field = ""
+      i++
+      continue
+    }
+    if (c === "\n") {
+      row.push(field); rows.push(row); row = []; field = ""
+      i++
+      continue
+    }
+    field += c
+    i++
+  }
+  // Tail row (no trailing newline)
+  if (field.length > 0 || row.length > 0) {
+    row.push(field); rows.push(row)
+  }
+  // Drop trailing empty rows (common when the file ends with \n)
+  while (rows.length && rows[rows.length - 1].length === 1 && rows[rows.length - 1][0] === "") rows.pop()
+  return rows
+}
+
 export const bulkUpsertTool = {
   name: "bulk_upsert",
   description: `Import data from a local CSV or JSON file into a database table.
@@ -63,21 +116,20 @@ Great for seeding initial data: products, categories, config, etc.`,
     // Read and parse data
     let rows
     try {
-      const raw = readFileSync(file_path, "utf-8")
+      // Strip UTF-8 BOM if present — otherwise the first header column ends up
+      // as "\uFEFFname" instead of "name" and silently misaligns everything.
+      const raw = readFileSync(file_path, "utf-8").replace(/^\uFEFF/, "")
 
       if (ext === "json") {
         const parsed = JSON.parse(raw)
         rows = Array.isArray(parsed) ? parsed : [parsed]
       } else {
-        // Parse CSV
-        const lines = raw.trim().split("\n")
-        if (lines.length < 2) return { error: "CSV must have a header row and at least one data row" }
-
-        const headers = lines[0].split(",").map(h => h.trim().replace(/^"|"$/g, ""))
-        rows = lines.slice(1).map(line => {
-          const values = line.split(",").map(v => v.trim().replace(/^"|"$/g, ""))
+        const records = parseCsv(raw)
+        if (records.length < 2) return { error: "CSV must have a header row and at least one data row" }
+        const headers = records[0].map(h => h.trim())
+        rows = records.slice(1).map(values => {
           const obj = {}
-          headers.forEach((h, i) => { obj[h] = values[i] || null })
+          headers.forEach((h, i) => { obj[h] = (values[i] === undefined || values[i] === "") ? null : values[i] })
           return obj
         })
       }
@@ -110,11 +162,16 @@ Great for seeding initial data: products, categories, config, etc.`,
     let inserted = 0
     let errors = []
 
+    // Quote a Postgres identifier safely. Doubles any embedded quotes.
+    const qIdent = (s) => `"${String(s).replace(/"/g, '""')}"`
+    const qTable = qIdent(table)
+
     // Batch in chunks of 50 rows
     const BATCH_SIZE = 50
     for (let i = 0; i < rows.length; i += BATCH_SIZE) {
       const batch = rows.slice(i, i + BATCH_SIZE)
       const batchCols = Object.keys(batch[0])
+      const quotedCols = batchCols.map(qIdent).join(", ")
       const batchValues = batch.map(row =>
         `(${batchCols.map(col => {
           const v = row[col]
@@ -126,10 +183,10 @@ Great for seeding initial data: products, categories, config, etc.`,
 
       let batchSql
       if (upsert_key && batchCols.includes(upsert_key)) {
-        const updateCols = batchCols.filter(c => c !== upsert_key).map(c => `${c} = EXCLUDED.${c}`).join(", ")
-        batchSql = `INSERT INTO ${table} (${batchCols.join(", ")}) VALUES\n${batchValues}\nON CONFLICT (${upsert_key}) DO UPDATE SET ${updateCols}`
+        const updateCols = batchCols.filter(c => c !== upsert_key).map(c => `${qIdent(c)} = EXCLUDED.${qIdent(c)}`).join(", ")
+        batchSql = `INSERT INTO ${qTable} (${quotedCols}) VALUES\n${batchValues}\nON CONFLICT (${qIdent(upsert_key)}) DO UPDATE SET ${updateCols}`
       } else {
-        batchSql = `INSERT INTO ${table} (${batchCols.join(", ")}) VALUES\n${batchValues}`
+        batchSql = `INSERT INTO ${qTable} (${quotedCols}) VALUES\n${batchValues}`
       }
 
       try {

package/src/tools/proxy.js

@@ -76,28 +76,41 @@ function mcpRequest(body) {
   })
 }
 
+// Single in-flight init promise so concurrent first-calls (e.g. push with
+// concurrency=5) don't all race to initialize and clobber each other's
+// session id mid-handshake.
+let initPromise = null
+
 async function ensureInitialized() {
   if (sessionId) return
-  try {
-    await mcpRequest({
-      jsonrpc: "2.0",
-      id: "init-proxy",
-      method: "initialize",
-      params: {
-        protocolVersion: "2024-11-05",
-        capabilities: {},
-        clientInfo: { name: "dypai-mcp-local", version: "1.0.0" },
-      },
-    })
-    // Send initialized notification
-    await mcpRequest({
-      jsonrpc: "2.0",
-      method: "notifications/initialized",
-    })
-  } catch (e) {
-    // Non-fatal — some servers don't require init
-    process.stderr.write(`MCP proxy init warning: ${e.message}\n`)
-  }
+  if (initPromise) return initPromise
+  initPromise = (async () => {
+    try {
+      await mcpRequest({
+        jsonrpc: "2.0",
+        id: "init-proxy",
+        method: "initialize",
+        params: {
+          protocolVersion: "2024-11-05",
+          capabilities: {},
+          clientInfo: { name: "dypai-mcp-local", version: "1.0.0" },
+        },
+      })
+      // Send initialized notification
+      await mcpRequest({
+        jsonrpc: "2.0",
+        method: "notifications/initialized",
+      })
+    } catch (e) {
+      // Don't swallow silently — calls right after will appear to "work"
+      // returning empty results and we'd never know init failed.
+      process.stderr.write(`MCP proxy init failed: ${e.message}\n`)
+      // Reset so a future call gets a chance to retry.
+      initPromise = null
+      throw e
+    }
+  })()
+  return initPromise
 }
 
 export async function proxyToolCall(toolName, args) {
@@ -129,6 +142,15 @@ export async function proxyToolCall(toolName, args) {
       if (typeof parsed === "string" && /^(Error:|Input validation error:|You don't have)/i.test(parsed)) {
         throw new Error(parsed)
       }
+      // Other remote errors come as a JSON object with success:false but no isError
+      // flag. The push pipeline was treating these as successes — promote them to
+      // throws here so the caller's try/catch sees them.
+      if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+        if (parsed.success === false || parsed.ok === false) {
+          const msg = parsed.error || parsed.message || parsed.detail || JSON.stringify(parsed).slice(0, 300)
+          throw new Error(typeof msg === "string" ? msg : JSON.stringify(msg))
+        }
+      }
       return parsed
     }
     return response.result

package/src/tools/sync/codec.js

@@ -43,14 +43,19 @@ function triggersToDb(trigger = {}) {
     http_api: { enabled: true, auth_mode: "jwt" },
     schedule: { enabled: false },
   }
-  if (trigger.http_api) {
-    out.http_api = { enabled: true, auth_mode: trigger.http_api.auth_mode || "jwt" }
+  // Accept `http_api: true` (shorthand) by treating it as `http_api: {}`.
+  // Accept `auth_mode` or `mode` for forward/backward compat with older docs.
+  const httpApi = trigger.http_api === true ? {} : trigger.http_api
+  if (httpApi) {
+    const authMode = httpApi.auth_mode || httpApi.mode || "jwt"
+    out.http_api = { enabled: true, auth_mode: authMode }
   } else if (trigger.webhook || trigger.schedule || trigger.manual) {
     // Non-HTTP trigger: disable http_api
     out.http_api = { enabled: false, auth_mode: "jwt" }
   }
   if (trigger.webhook) {
-    out.webhook = { path: trigger.webhook.path || "", enabled: true }
+    const wh = trigger.webhook === true ? {} : trigger.webhook
+    out.webhook = { path: wh.path || "", enabled: true }
   }
   if (trigger.schedule) {
     out.schedule = { ...trigger.schedule, enabled: true }
@@ -74,13 +79,25 @@ function edgesToYaml(edges = []) {
 }
 
 function edgesToDb(edges = []) {
-  return edges.map(e => {
-    const out = { source: e.from, target: e.to }
+  return (edges || []).map(e => {
+    if (!e || typeof e !== "object") return null
+    // Tolerate both YAML-canonical (`from`/`to`) and engine-style (`source`/`target`).
+    // Without this, an agent that wrote `source/target` in YAML would silently
+    // produce edges with `source: undefined`, breaking workflow execution.
+    const source = e.from ?? e.source
+    const target = e.to ?? e.target
+    if (!source || !target) {
+      throw new Error(
+        `Edge is missing source/target: ${JSON.stringify(e).slice(0, 120)}. ` +
+        `Edges must have either 'from'/'to' (canonical) or 'source'/'target' (engine-style).`
+      )
+    }
+    const out = { source, target }
     if (e.condition) out.condition = e.condition
     if (e.source_handle) out.source_handle = e.source_handle
     if (e.target_handle) out.target_handle = e.target_handle
     return out
-  })
+  }).filter(Boolean)
 }
 
 // ─── Public codec ───────────────────────────────────────────────────────────
@@ -147,7 +164,44 @@ export function deserializeEndpoint(doc, mapsCtx) {
   const readFile = mapsCtx.readFile || (() => "")
 
   const nodes = (doc.workflow?.nodes || []).map(clean => {
-    const { id, type, variable, return: isReturn, ...params } = clean
+    // Tolerate both YAML-canonical `type` and engine-style `node_type`. The
+    // canonical form is `type`, but agents writing YAML by hand sometimes use
+    // `node_type` because that's what the engine returns. We accept either,
+    // but FAIL LOUD if neither is present — silently sending undefined to the
+    // engine causes accepted-but-not-created ghost endpoints (the bug from 1.2.2).
+    if (!clean || typeof clean !== "object") {
+      throw new Error(`workflow.nodes contains a non-object entry in endpoint '${doc.name}'.`)
+    }
+    // Tolerate both YAML-canonical (`type`, `return`) and engine-style
+    // (`node_type`, `is_return`) for the keys that have a "renamed" form.
+    // Anything still in `rest` after this is treated as a node parameter
+    // (inline form). This is the layer that prevents silent data loss when
+    // an agent mixes the two conventions.
+    const {
+      id,
+      type: typeA, node_type: typeB,
+      variable,
+      return: isReturnA, is_return: isReturnB,
+      parameters: explicitParams,
+      ...rest
+    } = clean
+    const type = typeA || typeB
+    const isReturn = isReturnA || isReturnB
+    if (!id) {
+      throw new Error(
+        `A node in endpoint '${doc.name}' is missing 'id'. Every node needs a unique id within the workflow.`
+      )
+    }
+    if (!type) {
+      throw new Error(
+        `Node '${id}' in endpoint '${doc.name}' is missing 'type'. ` +
+        `Each node in workflow.nodes must declare a node type, e.g. \`type: dypai_database\`. ` +
+        `(Both 'type' and 'node_type' are accepted.)`
+      )
+    }
+    // Params: prefer an explicit `parameters:` object, otherwise fall back to
+    // the inline shape (everything that isn't id/type/variable/return is a param).
+    const params = explicitParams && typeof explicitParams === "object" ? explicitParams : rest
     const nodeCtx = {
       ...mapsCtx,
       endpointName: doc.name,
@@ -172,13 +226,17 @@ export function deserializeEndpoint(doc, mapsCtx) {
 
   return {
     name: doc.name,
-    method: doc.method || "GET",
+    // Engine expects uppercase HTTP methods. Normalize so YAML can use any case.
+    method: String(doc.method || "GET").toUpperCase(),
     description: doc.description || null,
     workflow_code,
     input: doc.input || null,
     output: doc.output || null,
     allowed_roles: doc.allowed_roles || [],
-    is_tool: !!doc.tool,
+    // Accept both `tool: true` (canonical) and `is_tool: true` (engine-style).
+    // Without this, an agent that wrote `is_tool` in YAML would silently get
+    // a non-tool endpoint and `allowed_roles` would not be enforced as expected.
+    is_tool: !!(doc.tool || doc.is_tool),
     tool_description: doc.tool_description || null,
     group_id: doc.group && mapsCtx.groupNameToId ? (mapsCtx.groupNameToId[doc.group] || null) : null,
   }

package/src/tools/sync/diff.js

@@ -52,6 +52,14 @@ export const dypaiDiffTool = {
       }
     }
 
+    if (!remote || !remote.mapsCtx) {
+      return {
+        success: false,
+        phase: "fetch_remote",
+        error: "Remote state could not be fetched (mapsCtx missing). Check your DYPAI_TOKEN and project_id.",
+      }
+    }
+
     const plan = computePlan(local, remote, remote.mapsCtx, {
       deleteOrphans: delete_orphans,
       stateSnapshot,

package/src/tools/sync/planner.js

@@ -232,8 +232,17 @@ export async function readLocalState(rootDir) {
  * This is what we'd send to update_endpoint.
  */
 export function localToCanonical(entry, mapsCtx) {
+  if (!entry || !entry.doc) {
+    throw new Error("localToCanonical: entry must have a `doc` field (parsed YAML).")
+  }
+  if (!mapsCtx || typeof mapsCtx !== "object") {
+    throw new Error(
+      "localToCanonical: mapsCtx required to resolve credential/group/tool references. " +
+      "If you see this, fetchRemoteState probably returned an empty/failed response."
+    )
+  }
   const { doc, fileMap } = entry
-  const ctx = { ...mapsCtx, readFile: (p) => fileMap[p] ?? "" }
+  const ctx = { ...mapsCtx, readFile: (p) => (fileMap || {})[p] ?? "" }
   return deserializeEndpoint(doc, ctx)
 }
 

package/src/tools/sync/push.js

@@ -61,26 +61,52 @@ function endpointPayload(row) {
   return p
 }
 
+/**
+ * Treat a remote tool response as a definite success only when it has at
+ * least one of the markers we expect from a real mutation. Anything else
+ * (empty object, error string masquerading as data, missing id) becomes
+ * an error so the push doesn't lie to the agent.
+ */
+function assertMutationOK(result, op, name) {
+  if (!result || typeof result !== "object") {
+    throw new Error(`${op} ${name}: empty response from remote (got ${JSON.stringify(result).slice(0, 120)})`)
+  }
+  if (result.error) {
+    throw new Error(`${op} ${name}: ${typeof result.error === "string" ? result.error : JSON.stringify(result.error)}`)
+  }
+  // Successful create returns { id, name } or { ok: true }; update/delete return
+  // { message } or { ok: true }. If none of these markers are present the call
+  // probably failed silently.
+  const hasMarker = result.id || result.ok === true || result.message || result.endpoint_id || result.success === true
+  if (!hasMarker) {
+    throw new Error(`${op} ${name}: response missing success markers — ${JSON.stringify(result).slice(0, 200)}`)
+  }
+  return result
+}
+
 async function applyCreate(canonicalRow, projectId) {
-  return proxyToolCall("create_endpoint", {
+  const res = await proxyToolCall("create_endpoint", {
     ...(projectId ? { project_id: projectId } : {}),
     ...endpointPayload(canonicalRow),
   })
+  return assertMutationOK(res, "create", canonicalRow.name)
 }
 
 async function applyUpdate(canonicalRow, endpointId, projectId) {
-  return proxyToolCall("update_endpoint", {
+  const res = await proxyToolCall("update_endpoint", {
     ...(projectId ? { project_id: projectId } : {}),
     endpoint_id: endpointId,
     updates: endpointPayload(canonicalRow),
   })
+  return assertMutationOK(res, "update", canonicalRow.name)
 }
 
 async function applyDelete(endpointId, projectId) {
-  return proxyToolCall("delete_endpoint", {
+  const res = await proxyToolCall("delete_endpoint", {
     ...(projectId ? { project_id: projectId } : {}),
     endpoint_id: endpointId,
   })
+  return assertMutationOK(res, "delete", endpointId)
 }
 
 // ─── Realtime policies sync ────────────────────────────────────────────────
@@ -282,6 +308,14 @@ export const dypaiPushTool = {
       }
     }
 
+    if (!remote || !remote.mapsCtx) {
+      return {
+        success: false,
+        phase: "fetch_remote",
+        error: "Remote state could not be fetched (mapsCtx missing). Check your DYPAI_TOKEN and project_id.",
+      }
+    }
+
     const plan = computePlan(local, remote, remote.mapsCtx, {
       deleteOrphans: delete_orphans,
       stateSnapshot,

package/src/tools/sync/test-endpoint.js

@@ -157,13 +157,20 @@ export const dypaiTestEndpointTool = {
     let mapsCtx
     try {
       const remote = await fetchRemoteState(targetProjectId)
-      mapsCtx = remote.mapsCtx
+      mapsCtx = remote?.mapsCtx
     } catch (e) {
       return {
         success: false,
         error: `Could not fetch remote state to resolve credential/tool references: ${e.message}`,
       }
     }
+    if (!mapsCtx) {
+      return {
+        success: false,
+        error: "Remote state returned without mapsCtx — cannot resolve credential/tool references.",
+        hint: "Check your DYPAI_TOKEN and that the project_id is correct.",
+      }
+    }
 
     // Deserialize the local YAML to the engine-shaped workflow_code
     const deserCtx = { ...mapsCtx, readFile: (p) => fileMap[p] ?? "" }

package/src/tools/sync/transforms.js

@@ -142,6 +142,11 @@ export const NODE_FIELD_TRANSFORMS = [
 // ─── Engine ────────────────────────────────────────────────────────────────
 
 function applyTransforms(input, direction, ctx, nodeType) {
+  // Defensive: an agent passing null parameters or non-objects shouldn't crash
+  // 6 functions deep. Treat as empty params instead.
+  if (!input || typeof input !== "object" || Array.isArray(input)) {
+    return {}
+  }
   let result = { ...input }
   for (const t of NODE_FIELD_TRANSFORMS) {
     if (t.appliesWhen && !t.appliesWhen(nodeType)) continue

package/src/tools/sync/validate.js

@@ -133,13 +133,15 @@ async function loadNodeCatalog(rootDir) {
     const parsed = JSON.parse(raw)
     const schemas = {}
     const knownTypes = new Set()
+    const isNonEmptyObj = (o) => o && typeof o === "object" && !Array.isArray(o) && Object.keys(o).length > 0
     for (const [nodeType, data] of Object.entries(parsed.nodes || {})) {
+      if (!data || typeof data !== "object") continue
       knownTypes.add(nodeType)
       schemas[nodeType] = {
         label: data.label,
         description: data.description,
-        inputs: data.inputs && Object.keys(data.inputs).length ? data.inputs : null,
-        outputs: data.outputs && Object.keys(data.outputs).length ? data.outputs : null,
+        inputs: isNonEmptyObj(data.inputs) ? data.inputs : null,
+        outputs: isNonEmptyObj(data.outputs) ? data.outputs : null,
       }
     }
     return { schemas, knownTypes, missing: false }
@@ -341,14 +343,27 @@ function validateEndpoint(entry, ctx) {
 
   // --- Per-node catalog-based validation (unknown type, missing/unknown params) ---
   for (const node of doc.workflow?.nodes || []) {
+    if (!node || typeof node !== "object") continue
+    // Tolerate both `type` and `node_type` (the codec accepts either).
+    const nodeType = node.type ?? node.node_type
+    if (!nodeType) {
+      diagnostics.push({
+        severity: "error",
+        rule: "missing_node_type",
+        endpoint: name, file, loc: `workflow.nodes[${node.id || "?"}]`,
+        message: `Node '${node.id || "(no id)"}' is missing 'type'.`,
+        fix_hint: "Add `type: <node_type>` to this node. Use `dypai_pull` to refresh `node-catalog.json` for the list of valid types.",
+      })
+      continue
+    }
     // node_type exists in catalog?
-    if (ctx.knownTypes.size && !ctx.knownTypes.has(node.type)) {
-      const suggestions = [...ctx.knownTypes].filter(t => levenshteinSmall(t, node.type) <= 2).slice(0, 3)
+    if (ctx.knownTypes.size && !ctx.knownTypes.has(nodeType)) {
+      const suggestions = [...ctx.knownTypes].filter(t => levenshteinSmall(t, nodeType) <= 2).slice(0, 3)
       diagnostics.push({
         severity: "error",
         rule: "unknown_node_type",
         endpoint: name, file, loc: `workflow.nodes[${node.id}].type`,
-        message: `Node type '${node.type}' is not registered.`,
+        message: `Node type '${nodeType}' is not registered.`,
         fix_hint: suggestions.length
           ? `Did you mean: ${suggestions.join(", ")}?`
           : `Run dypai_pull to refresh node-catalog.json. Or call search_nodes to discover.`,
@@ -357,7 +372,7 @@ function validateEndpoint(entry, ctx) {
     }
 
     // Schema-based parameter validation (only when we have a schema for this node_type)
-    const schema = ctx.catalog[node.type]
+    const schema = ctx.catalog[nodeType]
     if (schema?.inputs?.properties) {
       const { properties, required = [] } = schema.inputs
       // Ignore node metadata keys (id, type, variable, return, credential, *_file) — they're not "params"
@@ -377,7 +392,7 @@ function validateEndpoint(entry, ctx) {
               severity: "warn",
               rule: "missing_required_param",
               endpoint: name, file, loc: `workflow.nodes[${node.id}]`,
-              message: `Node '${node.id}' (type '${node.type}') may be missing parameter '${req}'.`,
+              message: `Node '${node.id}' (type '${nodeType}') may be missing parameter '${req}'.`,
               fix_hint: `Schema lists required: [${required.join(", ")}]. Verify this param is actually needed for your operation.`,
             })
           }
@@ -393,7 +408,7 @@ function validateEndpoint(entry, ctx) {
             severity: "warn",
             rule: "unknown_param",
             endpoint: name, file, loc: `workflow.nodes[${node.id}].${key}`,
-            message: `Node '${node.id}' (type '${node.type}') has unknown parameter '${key}'.`,
+            message: `Node '${node.id}' (type '${nodeType}') has unknown parameter '${key}'.`,
             fix_hint: suggestions.length
               ? `Did you mean: ${suggestions.join(", ")}?`
               : `Valid params: ${knownKeys.slice(0, 8).join(", ")}${knownKeys.length > 8 ? "…" : ""}`,
@@ -438,6 +453,7 @@ function validateEndpoint(entry, ctx) {
 
   // --- Credential references ---
   for (const node of doc.workflow?.nodes || []) {
+    if (!node || typeof node !== "object") continue
     const cred = node.credential
     if (cred && !ctx.remoteCredentials.has(cred)) {
       diagnostics.push({
@@ -452,7 +468,8 @@ function validateEndpoint(entry, ctx) {
     }
 
     // Agent tool references
-    if (node.type === "agent" && Array.isArray(node.tools)) {
+    const nodeType = node.type ?? node.node_type
+    if (nodeType === "agent" && Array.isArray(node.tools)) {
       for (const toolName of node.tools) {
         if (!ctx.toolEndpoints.has(toolName)) {
           diagnostics.push({
@@ -556,12 +573,23 @@ export const dypaiValidateTool = {
   },
   async execute({ project_id, root_dir = "./dypai" } = {}) {
     const rootDir = resolvePath(process.cwd(), root_dir)
-    const result = await runValidation(rootDir, project_id)
-    return {
-      ...result,
-      hint: result.success
-        ? undefined
-        : `${result.summary.errors} error(s) would cause runtime failures. Fix them, or push with skip_validation: true to override (not recommended).`,
+    try {
+      const result = await runValidation(rootDir, project_id)
+      return {
+        ...result,
+        hint: result.success
+          ? undefined
+          : `${result.summary.errors} error(s) would cause runtime failures. Fix them, or push with skip_validation: true to override (not recommended).`,
+      }
+    } catch (e) {
+      // Surface the real stack so failures during validation don't look like
+      // a generic "undefined.length" mystery to the agent.
+      return {
+        success: false,
+        error: `Validation crashed: ${e.message}`,
+        stack: (e.stack || "").split("\n").slice(0, 5).join("\n"),
+        hint: "This is a bug in the local MCP. Report the stack above; in the meantime you can pass skip_validation: true to dypai_push to bypass.",
+      }
     }
   },
 }