@dypai-ai/mcp 1.5.11 → 1.5.13

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dypai-ai/mcp",
-  "version": "1.5.11",
+  "version": "1.5.13",
   "description": "DYPAI MCP Server — AI agent toolkit for building and deploying full-stack apps",
   "type": "module",
   "main": "src/index.js",

package/src/index.js

@@ -1121,7 +1121,7 @@ async function handleRequest(msg) {
     return makeResponse(id, {
       protocolVersion: "2024-11-05",
       capabilities: { tools: {} },
-      serverInfo: { name: "dypai", version: "1.3.1" },
+      serverInfo: { name: "dypai", version: "1.5.13" },
       instructions: SERVER_INSTRUCTIONS,
     })
   }

package/src/tools/sync/validate.js

@@ -252,7 +252,10 @@ const RUNTIME_PLACEHOLDER_OPERATOR_RE = /(\|\||&&|\?\?|[?:+*/=<>!()]|\s+\b(?:or|
 
 function unsupportedRuntimePlaceholder(expr) {
   const clean = expr.trim()
-  return expr !== clean || RUNTIME_PLACEHOLDER_OPERATOR_RE.test(clean) || !RUNTIME_PLACEHOLDER_PATH_RE.test(clean)
+  if (expr !== clean) return true
+  if (RUNTIME_PLACEHOLDER_PATH_RE.test(clean)) return false
+  if (!RUNTIME_PLACEHOLDER_OPERATOR_RE.test(clean)) return true
+  return extractRuntimePaths(clean).length === 0
 }
 
 /** Minimal Levenshtein distance, caps at 3 for "did you mean" typo suggestions. */
@@ -287,6 +290,31 @@ async function readSchemaTables(rootDir) {
   }
 }
 
+/** Parse schema.sql to extract public table columns when available. */
+async function readSchemaColumns(rootDir) {
+  try {
+    const raw = await readFile(join(rootDir, "schema.sql"), "utf8")
+    const tables = {}
+    const tableRe = /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?public\.(?:"([^"]+)"|([A-Za-z_]\w*))\s*\(([\s\S]*?)\);/gi
+    let m
+    while ((m = tableRe.exec(raw)) !== null) {
+      const tableName = m[1] || m[2]
+      const body = m[3] || ""
+      const cols = new Set()
+      for (const rawLine of body.split("\n")) {
+        const line = rawLine.trim().replace(/,$/, "")
+        if (!line || /^(CONSTRAINT|PRIMARY|FOREIGN|UNIQUE|CHECK|EXCLUDE)\b/i.test(line)) continue
+        const col = /^"?([A-Za-z_]\w*)"?\s+/.exec(line)?.[1]
+        if (col) cols.add(col)
+      }
+      tables[tableName] = cols
+    }
+    return tables
+  } catch {
+    return {}
+  }
+}
+
 /** Extract referenced table names from a SQL string: `FROM public.X`, `JOIN public.X`, `INTO public.X`, `UPDATE public.X`. */
 function extractSqlTables(sql) {
   const tables = new Set()
@@ -353,6 +381,502 @@ function lookupFileMapContent(fileMap, ref) {
   return fileMap[key] || fileMap[key.replace(/^dypai\//, "")] || fileMap[`dypai/${key}`] || ""
 }
 
+function stripSqlForInference(sql) {
+  return String(sql || "")
+    .replace(/--[^\n]*/g, " ")
+    .replace(/\/\*[\s\S]*?\*\//g, " ")
+    .replace(/'(?:[^']|'')*'/g, "''")
+    .replace(/\s+/g, " ")
+    .trim()
+}
+
+function isWordAt(sql, index, word) {
+  if (sql.slice(index, index + word.length).toLowerCase() !== word) return false
+  const before = index === 0 ? "" : sql[index - 1]
+  const after = sql[index + word.length] || ""
+  return !/[A-Za-z0-9_]/.test(before) && !/[A-Za-z0-9_]/.test(after)
+}
+
+function skipDoubleQuotedIdentifier(sql, index) {
+  if (sql[index] !== "\"") return index
+  for (let i = index + 1; i < sql.length; i++) {
+    if (sql[i] !== "\"") continue
+    if (sql[i + 1] === "\"") {
+      i++
+      continue
+    }
+    return i
+  }
+  return sql.length - 1
+}
+
+function skipSqlSpaces(sql, index) {
+  let i = index
+  while (i < sql.length && /\s/.test(sql[i])) i++
+  return i
+}
+
+function findMatchingParen(sql, openIndex) {
+  if (sql[openIndex] !== "(") return -1
+  let depth = 0
+  for (let i = openIndex; i < sql.length; i++) {
+    const ch = sql[i]
+    if (ch === "\"") {
+      i = skipDoubleQuotedIdentifier(sql, i)
+      continue
+    }
+    if (ch === "(") {
+      depth++
+      continue
+    }
+    if (ch === ")") {
+      depth--
+      if (depth === 0) return i
+    }
+  }
+  return -1
+}
+
+function findOuterSelectList(sqlText) {
+  const sql = stripSqlForInference(sqlText)
+  if (!sql) return null
+  let depth = 0
+  let selectStart = -1
+  for (let i = 0; i < sql.length; i++) {
+    const ch = sql[i]
+    if (ch === "\"") {
+      i = skipDoubleQuotedIdentifier(sql, i)
+      continue
+    }
+    if (ch === "(") depth++
+    else if (ch === ")") depth = Math.max(0, depth - 1)
+
+    if (depth !== 0) continue
+    if (selectStart < 0 && isWordAt(sql, i, "select")) {
+      selectStart = i + "select".length
+      i += "select".length - 1
+      continue
+    }
+    if (selectStart >= 0 && isWordAt(sql, i, "from")) {
+      return sql.slice(selectStart, i).trim()
+    }
+  }
+  if (selectStart >= 0) return sql.slice(selectStart).trim()
+  return null
+}
+
+function hasTopLevelLimitOne(sqlText) {
+  const sql = stripSqlForInference(sqlText)
+  let depth = 0
+  for (let i = 0; i < sql.length; i++) {
+    const ch = sql[i]
+    if (ch === "\"") {
+      i = skipDoubleQuotedIdentifier(sql, i)
+      continue
+    }
+    if (ch === "(") {
+      depth++
+      continue
+    }
+    if (ch === ")") {
+      depth = Math.max(0, depth - 1)
+      continue
+    }
+    if (depth !== 0 || !isWordAt(sql, i, "limit")) continue
+
+    const tail = sql.slice(skipSqlSpaces(sql, i + "limit".length))
+    return /^1(?:\D|$)/.test(tail)
+  }
+  return false
+}
+
+function hasTopLevelFetchOne(sqlText) {
+  const sql = stripSqlForInference(sqlText)
+  let depth = 0
+  for (let i = 0; i < sql.length; i++) {
+    const ch = sql[i]
+    if (ch === "\"") {
+      i = skipDoubleQuotedIdentifier(sql, i)
+      continue
+    }
+    if (ch === "(") {
+      depth++
+      continue
+    }
+    if (ch === ")") {
+      depth = Math.max(0, depth - 1)
+      continue
+    }
+    if (depth !== 0 || !isWordAt(sql, i, "fetch")) continue
+
+    let cursor = skipSqlSpaces(sql, i + "fetch".length)
+    if (isWordAt(sql, cursor, "first")) cursor += "first".length
+    else if (isWordAt(sql, cursor, "next")) cursor += "next".length
+    else continue
+    cursor = skipSqlSpaces(sql, cursor)
+    return /^1(?:\D|$)/.test(sql.slice(cursor))
+  }
+  return false
+}
+
+function hasTopLevelGroupBy(sqlText) {
+  const sql = stripSqlForInference(sqlText)
+  let depth = 0
+  for (let i = 0; i < sql.length; i++) {
+    const ch = sql[i]
+    if (ch === "\"") {
+      i = skipDoubleQuotedIdentifier(sql, i)
+      continue
+    }
+    if (ch === "(") {
+      depth++
+      continue
+    }
+    if (ch === ")") {
+      depth = Math.max(0, depth - 1)
+      continue
+    }
+    if (depth !== 0 || !isWordAt(sql, i, "group")) continue
+
+    const restStart = i + "group".length
+    const rest = sql.slice(restStart)
+    const byOffset = rest.search(/\S/)
+    if (byOffset >= 0 && isWordAt(sql, restStart + byOffset, "by")) return true
+  }
+  return false
+}
+
+function hasTopLevelSetOperation(sqlText) {
+  const sql = stripSqlForInference(sqlText)
+  let depth = 0
+  for (let i = 0; i < sql.length; i++) {
+    const ch = sql[i]
+    if (ch === "\"") {
+      i = skipDoubleQuotedIdentifier(sql, i)
+      continue
+    }
+    if (ch === "(") {
+      depth++
+      continue
+    }
+    if (ch === ")") {
+      depth = Math.max(0, depth - 1)
+      continue
+    }
+    if (depth !== 0) continue
+    if (isWordAt(sql, i, "union") || isWordAt(sql, i, "intersect") || isWordAt(sql, i, "except")) {
+      return true
+    }
+  }
+  return false
+}
+
+const AGGREGATE_FUNCTIONS = ["count", "sum", "avg", "min", "max", "json_agg", "jsonb_agg", "array_agg", "string_agg"]
+
+function isWindowAggregateCall(sql, openIndex) {
+  const closeIndex = findMatchingParen(sql, openIndex)
+  if (closeIndex < 0) return false
+
+  let cursor = skipSqlSpaces(sql, closeIndex + 1)
+  if (isWordAt(sql, cursor, "filter")) {
+    cursor = skipSqlSpaces(sql, cursor + "filter".length)
+    if (sql[cursor] === "(") {
+      const filterClose = findMatchingParen(sql, cursor)
+      if (filterClose >= 0) cursor = skipSqlSpaces(sql, filterClose + 1)
+    }
+  }
+
+  return isWordAt(sql, cursor, "over")
+}
+
+function hasOuterAggregateFunction(selectList) {
+  const sql = String(selectList || "")
+  let depth = 0
+  const activeSubqueryDepths = []
+
+  const insideSubquery = () => activeSubqueryDepths.some(d => d <= depth)
+
+  for (let i = 0; i < sql.length; i++) {
+    const ch = sql[i]
+    if (ch === "\"") {
+      i = skipDoubleQuotedIdentifier(sql, i)
+      continue
+    }
+    if (ch === "(") {
+      depth++
+      continue
+    }
+    if (ch === ")") {
+      activeSubqueryDepths.splice(0, activeSubqueryDepths.length, ...activeSubqueryDepths.filter(d => d < depth))
+      depth = Math.max(0, depth - 1)
+      continue
+    }
+
+    if (depth > 0 && isWordAt(sql, i, "select")) {
+      activeSubqueryDepths.push(depth)
+      i += "select".length - 1
+      continue
+    }
+
+    for (const fn of AGGREGATE_FUNCTIONS) {
+      if (!isWordAt(sql, i, fn)) continue
+      const openIndex = skipSqlSpaces(sql, i + fn.length)
+      if (sql[openIndex] === "(" && !insideSubquery() && !isWindowAggregateCall(sql, openIndex)) return true
+    }
+  }
+
+  return false
+}
+
+function splitTopLevelComma(list) {
+  const parts = []
+  let depth = 0
+  let start = 0
+  for (let i = 0; i < list.length; i++) {
+    const ch = list[i]
+    if (ch === "\"") {
+      i = skipDoubleQuotedIdentifier(list, i)
+      continue
+    }
+    if (ch === "(") depth++
+    else if (ch === ")") depth = Math.max(0, depth - 1)
+    else if (ch === "," && depth === 0) {
+      parts.push(list.slice(start, i).trim())
+      start = i + 1
+    }
+  }
+  const tail = list.slice(start).trim()
+  if (tail) parts.push(tail)
+  return parts
+}
+
+function inferSelectOutputColumns(sqlText) {
+  const selectList = findOuterSelectList(sqlText)
+  if (!selectList) return { properties: null, strict: false }
+
+  const props = new Set()
+  let strict = true
+  for (const itemRaw of splitTopLevelComma(selectList)) {
+    const item = itemRaw.trim()
+    if (!item || item === "*" || /\.\*$/.test(item)) {
+      strict = false
+      continue
+    }
+
+    const asAlias = /\bas\s+"?([A-Za-z_]\w*)"?$/i.exec(item)?.[1]
+    if (asAlias) {
+      props.add(asAlias)
+      continue
+    }
+
+    const simpleColumn = /^(?:(?:"?[A-Za-z_]\w*"?\.)?)"?([A-Za-z_]\w*)"?$/.exec(item)?.[1]
+    if (simpleColumn) {
+      props.add(simpleColumn)
+      continue
+    }
+
+    const trailingAlias = /\s+"?([A-Za-z_]\w*)"?$/.exec(item)?.[1]
+    if (trailingAlias && !SQL_KEYWORDS_AFTER_FROM.has(trailingAlias.toUpperCase())) {
+      props.add(trailingAlias)
+      continue
+    }
+
+    strict = false
+  }
+
+  return { properties: props.size > 0 ? props : null, strict }
+}
+
+function inferSqlCardinality(sqlText) {
+  const sql = stripSqlForInference(sqlText)
+  if (!sql) return null
+  if (hasTopLevelLimitOne(sql) || hasTopLevelFetchOne(sql)) return "single"
+  const startsLikeRead = /^(select|with)\b/i.test(sql)
+  if (startsLikeRead && hasTopLevelSetOperation(sql)) return "many"
+  const outerSelectList = findOuterSelectList(sql)
+  const hasAggregate = outerSelectList ? hasOuterAggregateFunction(outerSelectList) : false
+  const hasGroupBy = hasTopLevelGroupBy(sql)
+  if (startsLikeRead && hasAggregate && !hasGroupBy) return "single"
+  return "many"
+}
+
+function returningColumns(returning, table, schemaColumns) {
+  if (Array.isArray(returning)) return new Set(returning.filter(v => typeof v === "string" && v !== "*"))
+  if (typeof returning === "string" && returning.trim() && returning.trim() !== "*") {
+    return new Set(returning.split(",").map(s => s.trim()).filter(Boolean))
+  }
+  if (table && schemaColumns?.[table]?.size) return new Set(schemaColumns[table])
+  return null
+}
+
+function buildNodeOutputContracts(nodes, fileMap, ctx) {
+  const contracts = new Map()
+  for (const node of nodes || []) {
+    if (!node || typeof node !== "object" || !node.id) continue
+    const nodeType = node.type ?? node.node_type
+    const params = nodeParams(node)
+
+    if (nodeType === "set_fields") {
+      const op = nodeField(node, params, "operation") || "set"
+      const fields = nodeField(node, params, "fields")
+      if (fields && typeof fields === "object" && !Array.isArray(fields)) {
+        contracts.set(node.id, {
+          type: "object",
+          properties: new Set(Object.keys(fields).map(k => k.split(".")[0])),
+          strict: op === "compose",
+        })
+      }
+      continue
+    }
+
+    if (nodeType !== "dypai_database") continue
+    const op = nodeField(node, params, "operation")
+    const table = nodeField(node, params, "table") ?? nodeField(node, params, "table_name")
+
+    if (op === "query" || op === "custom_query") {
+      const query = nodeField(node, params, "query") || lookupFileMapContent(fileMap, nodeField(node, params, "query_file"))
+      const inferred = inferSelectOutputColumns(query)
+      contracts.set(node.id, {
+        type: "array",
+        cardinality: inferSqlCardinality(query),
+        properties: inferred.properties,
+        strict: inferred.strict,
+      })
+      continue
+    }
+
+    if (op === "select") {
+      contracts.set(node.id, {
+        type: "array",
+        cardinality: "many",
+        properties: table ? ctx.schemaColumns?.[table] ?? null : null,
+        strict: Boolean(table && ctx.schemaColumns?.[table]),
+      })
+      continue
+    }
+
+    if (op === "aggregate") {
+      contracts.set(node.id, { type: "object", properties: new Set(["value"]), strict: true })
+      continue
+    }
+
+    if (op === "insert") {
+      const bulk = nodeField(node, params, "mode") === "bulk" || Array.isArray(nodeField(node, params, "data"))
+      contracts.set(node.id, {
+        type: bulk ? "array" : "object",
+        cardinality: bulk ? "many" : "single",
+        properties: table ? ctx.schemaColumns?.[table] ?? null : null,
+        strict: Boolean(table && ctx.schemaColumns?.[table]),
+      })
+      continue
+    }
+
+    if (op === "upsert") {
+      contracts.set(node.id, {
+        type: "object",
+        cardinality: "single",
+        properties: table ? ctx.schemaColumns?.[table] ?? null : null,
+        strict: Boolean(table && ctx.schemaColumns?.[table]),
+      })
+      continue
+    }
+
+    if (op === "update" || op === "delete" || op === "copy_to") {
+      contracts.set(node.id, {
+        type: "array",
+        cardinality: "many",
+        properties: table ? ctx.schemaColumns?.[table] ?? null : null,
+        strict: Boolean(table && ctx.schemaColumns?.[table]),
+      })
+      continue
+    }
+
+    if (op === "mutation") {
+      const insertValue = nodeField(node, params, "insert")
+      const updateValue = nodeField(node, params, "update")
+      const deleteValue = nodeField(node, params, "delete")
+      const returning = nodeField(node, params, "returning") ?? "*"
+      const props = returningColumns(returning, table, ctx.schemaColumns)
+      if (insertValue !== undefined && insertValue !== null) {
+        const bulk = nodeField(node, params, "mode") === "bulk" || Array.isArray(insertValue)
+        const hasConflict = nodeField(node, params, "on_conflict") !== undefined
+        contracts.set(node.id, {
+          type: bulk || hasConflict ? "array" : "object",
+          cardinality: bulk ? "many" : hasConflict ? "zero_or_one" : "single",
+          properties: props,
+          strict: Boolean(props),
+        })
+      } else if (updateValue !== undefined || deleteValue === true) {
+        contracts.set(node.id, {
+          type: "array",
+          cardinality: "many",
+          properties: props,
+          strict: Boolean(props),
+        })
+      }
+    }
+  }
+  return contracts
+}
+
+function extractRuntimePaths(expr) {
+  const clean = String(expr || "").replace(/'(?:[^']|'')*'|"(?:[^"\\]|\\.)*"/g, " ")
+  const paths = []
+  const re = /\b(?:input|nodes|vars|current_user)\.[A-Za-z_][A-Za-z0-9_-]*(?:\[[0-9]+\]|\.[A-Za-z_][A-Za-z0-9_-]*)*|\bcurrent_user_id\b|\bcurrent_user_role\b/g
+  let m
+  while ((m = re.exec(clean)) !== null) paths.push(m[0])
+  if (paths.length === 0 && RUNTIME_PLACEHOLDER_PATH_RE.test(expr.trim())) paths.push(expr.trim())
+  return [...new Set(paths)]
+}
+
+function parseNodeOutputRef(path) {
+  const m = /^nodes\.([A-Za-z_][A-Za-z0-9_-]*)(.*)$/.exec(path)
+  if (!m) return null
+  const nodeId = m[1]
+  let rest = m[2] || ""
+  let indexed = false
+  if (rest.startsWith("[")) {
+    const idx = /^\[[0-9]+\]/.exec(rest)?.[0]
+    if (idx) {
+      indexed = true
+      rest = rest.slice(idx.length)
+    }
+  }
+  const prop = rest.startsWith(".") ? /^\.([A-Za-z_][A-Za-z0-9_-]*)/.exec(rest)?.[1] : null
+  return { nodeId, indexed, prop }
+}
+
+function validateNodeOutputRef({ expr, path, contract, endpoint, file, loc }) {
+  const ref = parseNodeOutputRef(path)
+  if (!ref || !ref.prop || !contract) return null
+
+  if (contract.strict && contract.properties && !contract.properties.has(ref.prop)) {
+    const known = [...contract.properties]
+    const suggestions = known.filter(k => levenshteinSmall(k, ref.prop) <= 2).slice(0, 3)
+    return {
+      severity: "warn",
+      rule: "node_output_property_unknown",
+      endpoint, file, loc,
+      message: `\${${expr}} references '${ref.prop}', but node '${ref.nodeId}' is inferred to output: ${known.join(", ") || "(no known properties)"}.`,
+      fix_hint: suggestions.length
+        ? `Did you mean: ${suggestions.join(", ")}?`
+        : `Use one of: ${known.join(", ") || "(none)"}. If this is a dynamic SQL shape, verify with dypai_test_endpoint.`,
+    }
+  }
+
+  if (contract.type === "array" && contract.cardinality === "many" && !ref.indexed) {
+    return {
+      severity: "warn",
+      rule: "node_output_many_direct_property",
+      endpoint, file, loc,
+      message: `\${${expr}} reads property '${ref.prop}' directly from node '${ref.nodeId}', but that node is inferred to return many rows.`,
+      fix_hint: `Use \${nodes.${ref.nodeId}} for the full array, or \${nodes.${ref.nodeId}[0].${ref.prop}} if you intentionally want the first row.`,
+    }
+  }
+
+  return null
+}
+
 function collectMissingTableCandidates(ctx, referencedTables, endpoint, file) {
   if (!ctx.schemaTables) return
   for (const table of referencedTables) {
@@ -377,6 +901,7 @@ function validateEndpoint(entry, ctx) {
 
   const inputProps = doc.input?.properties || {}
   const nodeIds = new Set((doc.workflow?.nodes || []).map(n => n.id))
+  const outputContracts = buildNodeOutputContracts(doc.workflow?.nodes || [], fileMap, ctx)
 
   const jwt = ruleUsesJwt(doc.trigger)
 
@@ -409,6 +934,7 @@ function validateEndpoint(entry, ctx) {
   for (const { source, loc, value } of sources) {
     // --- Placeholder checks ---
     for (const expr of extractPlaceholders(value)) {
+      const runtimePaths = extractRuntimePaths(expr)
       if (unsupportedRuntimePlaceholder(expr)) {
         diagnostics.push({
           severity: "error",
@@ -423,10 +949,10 @@ function validateEndpoint(entry, ctx) {
         continue
       }
 
-      // Normalize to the runtime path after rejecting expression syntax above.
-      // This keeps the downstream schema checks focused on the referenced
-      // input/node path instead of trying to interpret template logic.
-      const e = stripExprTail(expr)
+      // Normalize every runtime path we can find in this placeholder. Expressions
+      // such as `${nodes.x.stock >= input.qty}` are valid at runtime, so validate
+      // each referenced path instead of rejecting the whole expression.
+      for (const e of runtimePaths) {
 
       // ${input.X} or ${input.X.Y}
       // Only validate against the input schema if one is declared; DYPAI allows
@@ -462,6 +988,16 @@ function validateEndpoint(entry, ctx) {
           if (!missingNodeRefs.has(nodeId)) {
             missingNodeRefs.set(nodeId, { loc, expr })
           }
+        } else {
+          const outputDiag = validateNodeOutputRef({
+            expr,
+            path: e,
+            contract: outputContracts.get(nodeId),
+            endpoint: name,
+            file,
+            loc,
+          })
+          if (outputDiag) diagnostics.push(outputDiag)
         }
       }
 
@@ -477,6 +1013,7 @@ function validateEndpoint(entry, ctx) {
           })
         }
       }
+      }
     }
 
     // NOTE: SQL table extraction used to live here (anywhere a string looked
@@ -1241,10 +1778,11 @@ export async function runValidation(rootDir, projectId) {
   const config = await readLocalConfig(rootDir)
   const targetProjectId = projectId || config?.project_id || null
 
-  const [local, remote, schemaTables, nodeCatalog] = await Promise.all([
+  const [local, remote, schemaTables, schemaColumns, nodeCatalog] = await Promise.all([
     readLocalState(rootDir),
     fetchRemoteState(targetProjectId),
     readSchemaTables(rootDir),
+    readSchemaColumns(rootDir),
     loadNodeCatalog(rootDir),
   ])
 
@@ -1261,6 +1799,7 @@ export async function runValidation(rootDir, projectId) {
     remoteCredentials,
     toolEndpoints,
     schemaTables,
+    schemaColumns,
     catalog: nodeCatalog.schemas,
     knownTypes: nodeCatalog.knownTypes,
     fileByName: Object.fromEntries(Object.values(local.byName).map(e => [e.doc.name, `endpoints/${e.file || `${e.doc.name}.yaml`}`])),
@@ -1370,6 +1909,15 @@ export async function runValidation(rootDir, projectId) {
   }
 }
 
+export const __testing = {
+  buildNodeOutputContracts,
+  extractRuntimePaths,
+  inferSelectOutputColumns,
+  inferSqlCardinality,
+  unsupportedRuntimePlaceholder,
+  validateNodeOutputRef,
+}
+
 export const dypaiValidateTool = {
   name: "dypai_validate",
   description: