@dypai-ai/mcp 1.5.16 → 1.5.18

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dypai-ai/mcp",
-  "version": "1.5.16",
+  "version": "1.5.18",
   "description": "DYPAI MCP Server — AI agent toolkit for building and deploying full-stack apps",
   "type": "module",
   "main": "src/index.js",

package/src/tools/deploy.js

@@ -26,7 +26,7 @@
  */
 
 import { createHash } from "crypto"
-import { readFileSync, readdirSync, statSync, existsSync, writeFileSync, mkdirSync } from "fs"
+import { readFileSync, readdirSync, statSync, lstatSync, existsSync, writeFileSync, mkdirSync } from "fs"
 import { join, basename, dirname, resolve } from "path"
 import { api } from "../api.js"
 
@@ -37,7 +37,8 @@ const MAX_BUNDLED_FILE = 25 * 1024 * 1024
 
 // ─── Directories to skip ────────────────────────────────────────────────────
 
-const IGNORE_DIRS = new Set([
+// Skipped at any depth in the tree — these never carry user code.
+const IGNORE_DIRS_ANYWHERE = new Set([
   "node_modules", ".git",
   // Build outputs
   "dist", "build", "out", ".output", ".vercel", ".netlify",
@@ -46,8 +47,16 @@ const IGNORE_DIRS = new Set([
   ".cache", ".turbo", ".vite", ".parcel-cache", ".wrangler",
   // Test / misc
   "coverage", "storybook-static", "__pycache__", ".idea", ".vscode",
-  // DYPAI backend metadata — handled by dypai_pull/push, not shipped to the
-  // frontend build.
+])
+
+// Skipped ONLY at the project root. `dypai/` at root holds backend metadata
+// (endpoint YAMLs, schema.sql, prompts) materialized by dypai_pull and
+// shipped via dypai_push — it must NOT enter the frontend deploy. But a
+// nested folder named `dypai/` (e.g. `src/integrations/dypai/`) is legitimate
+// user code — the SDK client setup lives there. Matching by name alone (the
+// previous behavior) silently dropped that folder and produced
+// "Could not resolve '../integrations/dypai/client'" build errors.
+const IGNORE_DIRS_AT_ROOT = new Set([
   "dypai",
 ])
 
@@ -220,7 +229,7 @@ function classifySkip(path, ext, size) {
   return null
 }
 
-function collectSource(dir) {
+export function collectSource(dir) {
   const allFiles = []
   const skipped = []
   const textByPath = new Map()
@@ -231,10 +240,18 @@ function collectSource(dir) {
     let entries
     try { entries = readdirSync(d) } catch { return }
     for (const entry of entries) {
-      if (IGNORE_DIRS.has(entry)) continue
+      if (IGNORE_DIRS_ANYWHERE.has(entry)) continue
+      if (rel === "" && IGNORE_DIRS_AT_ROOT.has(entry)) continue
       const full = join(d, entry)
       try {
-        const stat = statSync(full)
+        // lstat (not stat): a symlink should be classified as a symlink, NOT
+        // as the target it points to. Otherwise a folder like `src/sneaky →
+        // /Users/me/something` would be walked and code outside the project
+        // root would be quietly committed to the user's repo on deploy.
+        // Symlinks are skipped outright — DYPAI projects don't need them
+        // and there is no safe automatic policy for following them.
+        const stat = lstatSync(full)
+        if (stat.isSymbolicLink()) continue
         if (stat.isDirectory()) {
           if (entry.startsWith(".")) continue
           walk(full, rel ? `${rel}/${entry}` : entry)

package/src/tools/scaffold.js

@@ -6,7 +6,7 @@
  */
 
 import { writeFileSync, mkdirSync, existsSync } from "fs"
-import { join } from "path"
+import { join, dirname } from "path"
 import { api } from "../api.js"
 
 export const scaffoldTool = {
@@ -70,7 +70,7 @@ Use only visible Studio catalog template slugs; do not invent legacy slugs.`,
           name: directory.split("/").pop() || "my-app",
           private: true, version: "0.0.1", type: "module",
           scripts: { dev: "vite", build: "vite build", preview: "vite preview" },
-          dependencies: { "@dypai-ai/client-sdk": "latest", react: "^19.0.0", "react-dom": "^19.0.0" },
+          dependencies: { "@dypai-ai/client-sdk": "1.11.0", react: "^19.0.0", "react-dom": "^19.0.0" },
           devDependencies: { "@vitejs/plugin-react": "^4.3.0", vite: "^6.0.0", typescript: "^5.6.0", "@types/react": "^19.0.0", "@types/react-dom": "^19.0.0" },
         }, null, 2) },
         { path: "vite.config.ts", content: `import { defineConfig } from 'vite'\nimport react from '@vitejs/plugin-react'\n\nexport default defineConfig({ plugins: [react()] })\n` },
@@ -116,12 +116,13 @@ Use only visible Studio catalog template slugs; do not invent legacy slugs.`,
     // SDK client helper (lib/dypai.ts)
     files.push({ path: "src/lib/dypai.ts", content: `import { createClient } from "@dypai-ai/client-sdk";\n\nexport const dypai = createClient(import.meta.env.VITE_DYPAI_URL);\n` })
 
-    // Write files to disk
+    // Write files to disk. Use `dirname()` rather than slicing on "/" — on
+    // Windows the path separator is "\" so the slice approach produced a
+    // garbage parent dir and the writeFileSync below failed with ENOENT.
     let created = 0
     for (const file of files) {
       const fullPath = join(directory, file.path)
-      const dir = fullPath.substring(0, fullPath.lastIndexOf("/"))
-      mkdirSync(dir, { recursive: true })
+      mkdirSync(dirname(fullPath), { recursive: true })
       writeFileSync(fullPath, file.content)
       created++
     }

package/src/tools/sync/pull.js

@@ -503,6 +503,28 @@ function renderYaml(doc) {
   })
 }
 
+/**
+ * Build the state.json payload, restricted to endpoints that were actually
+ * written to disk during this pull. The push planner uses this snapshot to
+ * detect remote drift since pull (compares remote.updated_at against
+ * snapshot.updated_at per endpoint). Including endpoints that failed to
+ * serialize would create a phantom "we have a fresh copy of this" claim and
+ * silently mask real conflicts on those rows.
+ *
+ * Exported for unit testing.
+ */
+export function buildStateSnapshot({ endpoints, successfullyPulledIds, projectId, now = new Date() }) {
+  return {
+    pulled_at: now.toISOString(),
+    project_id: projectId,
+    endpoints: Object.fromEntries(
+      endpoints
+        .filter(e => successfullyPulledIds.has(e.id))
+        .map(e => [e.name, { id: e.id, updated_at: e.updated_at }])
+    ),
+  }
+}
+
 // schema.sql dump lives in ./schema-dump.js (shared with execute_sql auto-refresh)
 
 export const dypaiPullTool = {
@@ -668,6 +690,15 @@ export const dypaiPullTool = {
       filesWritten.push("realtime.yaml")
     }
 
+    // Track which endpoints survived serialization → only those go into
+    // state.json. Including failed ones would lie to the push planner about
+    // what's locally in sync with remote (the conflict detector compares
+    // remote.updated_at against the snapshot per endpoint, and a phantom
+    // snapshot row for an endpoint that never made it to disk hides a real
+    // conflict). Tracked by row id so endpoint renames at the same name
+    // can't accidentally inherit a stale snapshot.
+    const successfullyPulled = new Set()
+
     for (const rawRow of endpoints) {
       const row = hydrateRow(rawRow)
       try {
@@ -702,6 +733,7 @@ export const dypaiPullTool = {
 
         await writeFileEnsured(join(outDir, relPath), content)
         filesWritten.push(relPath)
+        successfullyPulled.add(row.id)
       } catch (e) {
         errors.push({ endpoint: row.name, error: e.message })
       }
@@ -756,13 +788,11 @@ export const dypaiPullTool = {
     await writeFile(configPath, configYaml, "utf8")
 
     // .dypai/state.json: GITIGNORED — per-endpoint updated_at for conflict detection.
-    const state = {
-      pulled_at: new Date().toISOString(),
-      project_id: resolvedProjectId,
-      endpoints: Object.fromEntries(
-        endpoints.map(e => [e.name, { id: e.id, updated_at: e.updated_at }])
-      ),
-    }
+    const state = buildStateSnapshot({
+      endpoints,
+      successfullyPulledIds: successfullyPulled,
+      projectId: resolvedProjectId,
+    })
     await writeFileEnsured(join(outDir, ".dypai", "state.json"), JSON.stringify(state, null, 2) + "\n")
 
     // Codegen removed from v1. If we reintroduce it, this is where it wires in.

package/src/tools/sync/validate.js

@@ -316,6 +316,53 @@ async function readSchemaColumns(rootDir) {
 }
 
 /** Extract referenced table names from a SQL string: `FROM public.X`, `JOIN public.X`, `INTO public.X`, `UPDATE public.X`. */
+function skipSqlBalancedParens(sql, start) {
+  let depth = 0
+  for (let i = start; i < sql.length; i++) {
+    const ch = sql[i]
+    if (ch === "\"") {
+      i++
+      while (i < sql.length && sql[i] !== "\"") i++
+      continue
+    }
+    if (ch === "(") depth++
+    else if (ch === ")") {
+      depth--
+      if (depth === 0) return i + 1
+    }
+  }
+  return sql.length
+}
+
+function extractSqlCteNames(cleanSql) {
+  const names = new Set()
+  const withMatch = /^\s*WITH\s+(?:RECURSIVE\s+)?/i.exec(cleanSql)
+  if (!withMatch) return names
+  let i = withMatch[0].length
+  while (i < cleanSql.length) {
+    while (/\s|,/.test(cleanSql[i] || "")) i++
+    const nameMatch = /^"?([A-Za-z_][A-Za-z0-9_]*)"?/.exec(cleanSql.slice(i))
+    if (!nameMatch) break
+    const cteName = nameMatch[1]
+    if (SQL_KEYWORDS_AFTER_FROM.has(cteName.toUpperCase())) break
+    i += nameMatch[0].length
+    while (/\s/.test(cleanSql[i] || "")) i++
+    if (cleanSql[i] === "(") {
+      i = skipSqlBalancedParens(cleanSql, i)
+      while (/\s/.test(cleanSql[i] || "")) i++
+    }
+    if (!/^AS\b/i.test(cleanSql.slice(i))) break
+    i += 2
+    while (/\s/.test(cleanSql[i] || "")) i++
+    if (cleanSql[i] !== "(") break
+    names.add(cteName)
+    i = skipSqlBalancedParens(cleanSql, i)
+    while (/\s/.test(cleanSql[i] || "")) i++
+    if (cleanSql[i] !== ",") break
+  }
+  return names
+}
+
 function extractSqlTables(sql) {
   const tables = new Set()
   if (typeof sql !== "string" || sql.length === 0) return tables
@@ -325,6 +372,7 @@ function extractSqlTables(sql) {
     .replace(/--[^\n]*/g, " ")
     .replace(/\/\*[\s\S]*?\*\//g, " ")
     .replace(/'(?:[^']|'')*'/g, "''")
+  const cteNames = extractSqlCteNames(clean)
   // Single regex that captures BOTH a possible schema and the table name,
   // optionally preceded by `ONLY` (Postgres inheritance modifier). Splitting
   // schema/table into separate groups makes filtering by schema trivial.
@@ -339,6 +387,7 @@ function extractSqlTables(sql) {
     // when the regex was greedy enough (defensive — the optional `ONLY` above
     // already handles the common case).
     if (SQL_KEYWORDS_AFTER_FROM.has(tableName.toUpperCase())) continue
+    if (cteNames.has(tableName)) continue
     // Only validate tables in the user-managed `public` schema. System
     // schemas (auth, system, ext, pg_catalog, information_schema) are
     // managed by the engine and not present in dypai/schema.sql.