@dypai-ai/mcp 1.5.17 → 1.5.19

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dypai-ai/mcp",
-  "version": "1.5.17",
+  "version": "1.5.19",
   "description": "DYPAI MCP Server — AI agent toolkit for building and deploying full-stack apps",
   "type": "module",
   "main": "src/index.js",
@@ -22,7 +22,7 @@
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/DYPAI-SOLUTIONS/dypai-mcp"
+    "url": "git+https://github.com/DYPAI-SOLUTIONS/dypai-mcp.git"
   },
   "homepage": "https://dypai.ai",
   "dependencies": {

package/src/index.js

@@ -836,9 +836,10 @@ synonym.
 - \`"auth defaults"\` — what auth_mode to pick when the user doesn't specify
 
 ### Integrations
-- \`"integrations guide"\` — step-by-step integration recipes (Stripe has full coverage; Telegram, Slack, WhatsApp, Resend, Google Sheets are referenced inside this doc)
-- \`"credentials reference"\` — what fields each provider needs
-- To find a specific provider: \`search_docs("integrations guide stripe")\` (combine the topic + the provider name) — semantic search will pick up the provider's section
+- \`"stripe payments"\` — **start here for any Stripe work** (credentials, checkout URL placeholders, one-time + webhook checklist)
+- \`"integrations guide"\` — step-by-step integration recipes (Stripe subscriptions; other providers referenced inside)
+- \`"credentials reference"\` — what fields each provider needs (includes stripe + stripe_webhook)
+- To find Stripe: \`search_docs("stripe payments")\` or \`search_docs("integrations guide stripe")\`
 
 ### Realtime
 - \`"realtime channels"\` — client API for WebSocket subscriptions

package/src/tools/deploy.js

@@ -26,7 +26,7 @@
  */
 
 import { createHash } from "crypto"
-import { readFileSync, readdirSync, statSync, existsSync, writeFileSync, mkdirSync } from "fs"
+import { readFileSync, readdirSync, statSync, lstatSync, existsSync, writeFileSync, mkdirSync } from "fs"
 import { join, basename, dirname, resolve } from "path"
 import { api } from "../api.js"
 
@@ -37,7 +37,8 @@ const MAX_BUNDLED_FILE = 25 * 1024 * 1024
 
 // ─── Directories to skip ────────────────────────────────────────────────────
 
-const IGNORE_DIRS = new Set([
+// Skipped at any depth in the tree — these never carry user code.
+const IGNORE_DIRS_ANYWHERE = new Set([
   "node_modules", ".git",
   // Build outputs
   "dist", "build", "out", ".output", ".vercel", ".netlify",
@@ -46,8 +47,16 @@ const IGNORE_DIRS = new Set([
   ".cache", ".turbo", ".vite", ".parcel-cache", ".wrangler",
   // Test / misc
   "coverage", "storybook-static", "__pycache__", ".idea", ".vscode",
-  // DYPAI backend metadata — handled by dypai_pull/push, not shipped to the
-  // frontend build.
+])
+
+// Skipped ONLY at the project root. `dypai/` at root holds backend metadata
+// (endpoint YAMLs, schema.sql, prompts) materialized by dypai_pull and
+// shipped via dypai_push — it must NOT enter the frontend deploy. But a
+// nested folder named `dypai/` (e.g. `src/integrations/dypai/`) is legitimate
+// user code — the SDK client setup lives there. Matching by name alone (the
+// previous behavior) silently dropped that folder and produced
+// "Could not resolve '../integrations/dypai/client'" build errors.
+const IGNORE_DIRS_AT_ROOT = new Set([
   "dypai",
 ])
 
@@ -220,7 +229,7 @@ function classifySkip(path, ext, size) {
   return null
 }
 
-function collectSource(dir) {
+export function collectSource(dir) {
   const allFiles = []
   const skipped = []
   const textByPath = new Map()
@@ -231,10 +240,18 @@ function collectSource(dir) {
     let entries
     try { entries = readdirSync(d) } catch { return }
     for (const entry of entries) {
-      if (IGNORE_DIRS.has(entry)) continue
+      if (IGNORE_DIRS_ANYWHERE.has(entry)) continue
+      if (rel === "" && IGNORE_DIRS_AT_ROOT.has(entry)) continue
       const full = join(d, entry)
       try {
-        const stat = statSync(full)
+        // lstat (not stat): a symlink should be classified as a symlink, NOT
+        // as the target it points to. Otherwise a folder like `src/sneaky →
+        // /Users/me/something` would be walked and code outside the project
+        // root would be quietly committed to the user's repo on deploy.
+        // Symlinks are skipped outright — DYPAI projects don't need them
+        // and there is no safe automatic policy for following them.
+        const stat = lstatSync(full)
+        if (stat.isSymbolicLink()) continue
         if (stat.isDirectory()) {
           if (entry.startsWith(".")) continue
           walk(full, rel ? `${rel}/${entry}` : entry)

package/src/tools/scaffold.js

@@ -6,7 +6,7 @@
  */
 
 import { writeFileSync, mkdirSync, existsSync } from "fs"
-import { join } from "path"
+import { join, dirname } from "path"
 import { api } from "../api.js"
 
 export const scaffoldTool = {
@@ -70,7 +70,7 @@ Use only visible Studio catalog template slugs; do not invent legacy slugs.`,
           name: directory.split("/").pop() || "my-app",
           private: true, version: "0.0.1", type: "module",
           scripts: { dev: "vite", build: "vite build", preview: "vite preview" },
-          dependencies: { "@dypai-ai/client-sdk": "latest", react: "^19.0.0", "react-dom": "^19.0.0" },
+          dependencies: { "@dypai-ai/client-sdk": "1.11.0", react: "^19.0.0", "react-dom": "^19.0.0" },
           devDependencies: { "@vitejs/plugin-react": "^4.3.0", vite: "^6.0.0", typescript: "^5.6.0", "@types/react": "^19.0.0", "@types/react-dom": "^19.0.0" },
         }, null, 2) },
         { path: "vite.config.ts", content: `import { defineConfig } from 'vite'\nimport react from '@vitejs/plugin-react'\n\nexport default defineConfig({ plugins: [react()] })\n` },
@@ -116,12 +116,13 @@ Use only visible Studio catalog template slugs; do not invent legacy slugs.`,
     // SDK client helper (lib/dypai.ts)
     files.push({ path: "src/lib/dypai.ts", content: `import { createClient } from "@dypai-ai/client-sdk";\n\nexport const dypai = createClient(import.meta.env.VITE_DYPAI_URL);\n` })
 
-    // Write files to disk
+    // Write files to disk. Use `dirname()` rather than slicing on "/" — on
+    // Windows the path separator is "\" so the slice approach produced a
+    // garbage parent dir and the writeFileSync below failed with ENOENT.
     let created = 0
     for (const file of files) {
       const fullPath = join(directory, file.path)
-      const dir = fullPath.substring(0, fullPath.lastIndexOf("/"))
-      mkdirSync(dir, { recursive: true })
+      mkdirSync(dirname(fullPath), { recursive: true })
       writeFileSync(fullPath, file.content)
       created++
     }

package/src/tools/sync/pull.js

@@ -503,6 +503,28 @@ function renderYaml(doc) {
   })
 }
 
+/**
+ * Build the state.json payload, restricted to endpoints that were actually
+ * written to disk during this pull. The push planner uses this snapshot to
+ * detect remote drift since pull (compares remote.updated_at against
+ * snapshot.updated_at per endpoint). Including endpoints that failed to
+ * serialize would create a phantom "we have a fresh copy of this" claim and
+ * silently mask real conflicts on those rows.
+ *
+ * Exported for unit testing.
+ */
+export function buildStateSnapshot({ endpoints, successfullyPulledIds, projectId, now = new Date() }) {
+  return {
+    pulled_at: now.toISOString(),
+    project_id: projectId,
+    endpoints: Object.fromEntries(
+      endpoints
+        .filter(e => successfullyPulledIds.has(e.id))
+        .map(e => [e.name, { id: e.id, updated_at: e.updated_at }])
+    ),
+  }
+}
+
 // schema.sql dump lives in ./schema-dump.js (shared with execute_sql auto-refresh)
 
 export const dypaiPullTool = {
@@ -668,6 +690,15 @@ export const dypaiPullTool = {
       filesWritten.push("realtime.yaml")
     }
 
+    // Track which endpoints survived serialization → only those go into
+    // state.json. Including failed ones would lie to the push planner about
+    // what's locally in sync with remote (the conflict detector compares
+    // remote.updated_at against the snapshot per endpoint, and a phantom
+    // snapshot row for an endpoint that never made it to disk hides a real
+    // conflict). Tracked by row id so endpoint renames at the same name
+    // can't accidentally inherit a stale snapshot.
+    const successfullyPulled = new Set()
+
     for (const rawRow of endpoints) {
       const row = hydrateRow(rawRow)
       try {
@@ -702,6 +733,7 @@ export const dypaiPullTool = {
 
         await writeFileEnsured(join(outDir, relPath), content)
         filesWritten.push(relPath)
+        successfullyPulled.add(row.id)
       } catch (e) {
         errors.push({ endpoint: row.name, error: e.message })
       }
@@ -756,13 +788,11 @@ export const dypaiPullTool = {
     await writeFile(configPath, configYaml, "utf8")
 
     // .dypai/state.json: GITIGNORED — per-endpoint updated_at for conflict detection.
-    const state = {
-      pulled_at: new Date().toISOString(),
-      project_id: resolvedProjectId,
-      endpoints: Object.fromEntries(
-        endpoints.map(e => [e.name, { id: e.id, updated_at: e.updated_at }])
-      ),
-    }
+    const state = buildStateSnapshot({
+      endpoints,
+      successfullyPulledIds: successfullyPulled,
+      projectId: resolvedProjectId,
+    })
     await writeFileEnsured(join(outDir, ".dypai", "state.json"), JSON.stringify(state, null, 2) + "\n")
 
     // Codegen removed from v1. If we reintroduce it, this is where it wires in.

package/src/tools/sync/validate.js

@@ -1564,6 +1564,19 @@ function validateEndpoint(entry, ctx) {
     }
   }
 
+  const webhookCred = doc.trigger?.webhook?.credential
+  if (webhookCred && !ctx.remoteCredentials.has(webhookCred)) {
+    diagnostics.push({
+      severity: "error",
+      rule: "credential_not_found",
+      endpoint: name, file, loc: "trigger.webhook.credential",
+      message: `credential '${webhookCred}' is not defined remotely.`,
+      fix_hint: ctx.remoteCredentials.size
+        ? `Available: ${[...ctx.remoteCredentials].join(", ")}. For Stripe webhooks use type stripe_webhook, recommended name stripe-webhook.`
+        : "Create stripe-webhook (type stripe_webhook) in the dashboard. See search_docs('stripe payments').",
+    })
+  }
+
   // ── Edge sanity: catch typos in workflow.edges before runtime ────────────
   // The engine silently skips edges whose `from`/`to` doesn't resolve to a
   // node id, which manifests as "node never ran" — extremely hard to debug.