@dypai-ai/mcp 1.5.24 → 1.5.26

package/src/lib/effective-workflows-runner.js

@@ -0,0 +1,115 @@
+/**
+ * Bridge to dypai-workspace/scripts/effective-workflows-cli.ts via bun.
+ * Used by validate, test-endpoint, planner/push for .flow.ts effective workflows.
+ */
+
+import { spawnSync } from "node:child_process"
+import { existsSync } from "node:fs"
+import { dirname, join, resolve as resolvePath, basename } from "node:path"
+import { fileURLToPath } from "node:url"
+
+const __dirname = dirname(fileURLToPath(import.meta.url))
+
+export function resolveProjectRootFromDypaiDir(dypaiRootDir) {
+  const resolved = resolvePath(dypaiRootDir)
+  return basename(resolved) === "dypai" ? dirname(resolved) : resolved
+}
+
+export function resolveMonorepoRoot() {
+  if (process.env.DYPAI_MONOREPO_ROOT) {
+    return resolvePath(process.env.DYPAI_MONOREPO_ROOT)
+  }
+
+  let cursor = __dirname
+  for (let i = 0; i < 10; i++) {
+    if (existsSync(join(cursor, "dypai-workspace")) && existsSync(join(cursor, "dypai-flow"))) {
+      return cursor
+    }
+    const parent = dirname(cursor)
+    if (parent === cursor) break
+    cursor = parent
+  }
+  return null
+}
+
+function parseCliStdout(stdout) {
+  const trimmed = (stdout || "").trim()
+  if (!trimmed) return { error: "effective-workflows-cli returned empty output" }
+  try {
+    return JSON.parse(trimmed)
+  } catch {
+    return { error: `effective-workflows-cli returned non-JSON output: ${trimmed.slice(0, 300)}` }
+  }
+}
+
+export function runEffectiveWorkflowsCli(projectRoot, commandArgs = []) {
+  const monorepoRoot = resolveMonorepoRoot()
+  if (!monorepoRoot) {
+    return {
+      ok: false,
+      unavailable: true,
+      warning: {
+        severity: "warn",
+        rule: "effective_workflow_runner_unavailable",
+        message: "Effective workflow runner unavailable (monorepo root not found). YAML workflows still work.",
+        fix_hint: "Set DYPAI_MONOREPO_ROOT or run MCP local from the DYPAI monorepo checkout with bun installed.",
+      },
+    }
+  }
+
+  const scriptPath = join(monorepoRoot, "dypai-workspace/scripts/effective-workflows-cli.ts")
+  if (!existsSync(scriptPath)) {
+    return {
+      ok: false,
+      unavailable: true,
+      warning: {
+        severity: "warn",
+        rule: "effective_workflow_runner_unavailable",
+        message: `Effective workflow CLI missing at ${scriptPath}.`,
+      },
+    }
+  }
+
+  const bunBin = process.env.DYPAI_BUN_BIN || "bun"
+  const args = ["run", scriptPath, ...commandArgs, "--root", resolvePath(projectRoot)]
+  const result = spawnSync(bunBin, args, {
+    encoding: "utf8",
+    cwd: monorepoRoot,
+    env: process.env,
+  })
+
+  if (result.error) {
+    return {
+      ok: false,
+      unavailable: true,
+      warning: {
+        severity: "warn",
+        rule: "effective_workflow_runner_unavailable",
+        message: `Failed to spawn ${bunBin}: ${result.error.message}`,
+        fix_hint: "Install bun or set DYPAI_BUN_BIN to a working bun executable.",
+      },
+    }
+  }
+
+  const parsed = parseCliStdout(result.stdout)
+  if (parsed.error && !parsed.diagnostics && !parsed.entries && !parsed.status) {
+    return {
+      ok: false,
+      unavailable: false,
+      error: parsed.error,
+      stderr: (result.stderr || "").trim() || undefined,
+      exitCode: result.status,
+    }
+  }
+
+  if (result.status !== 0 && !parsed.diagnostics && !parsed.entries && !parsed.status) {
+    return {
+      ok: false,
+      unavailable: false,
+      error: parsed.error || (result.stderr || "").trim() || `effective-workflows-cli exited with ${result.status}`,
+      exitCode: result.status,
+    }
+  }
+
+  return { ok: true, data: parsed }
+}

package/src/promptLoader.js

@@ -0,0 +1,17 @@
+import {
+  LOCAL_SERVER_INSTRUCTIONS,
+  STUDIO_DEBUG_SERVER_INSTRUCTIONS,
+  STUDIO_WORKER_SERVER_INSTRUCTIONS,
+} from "./generated/serverInstructions.js";
+
+export function loadLocalServerInstructions() {
+  return LOCAL_SERVER_INSTRUCTIONS;
+}
+
+export function loadStudioWorkerServerInstructions() {
+  return STUDIO_WORKER_SERVER_INSTRUCTIONS;
+}
+
+export function loadStudioDebugServerInstructions() {
+  return STUDIO_DEBUG_SERVER_INSTRUCTIONS;
+}

package/src/searchDocsFilter.js

@@ -0,0 +1,47 @@
+/**
+ * Studio worker search_docs filtering — hide local-only typegen docs.
+ */
+
+export const STUDIO_EXCLUDED_DOC_FILES = new Set([
+  "docs/flow-types-codegen.md",
+]);
+
+const STUDIO_TYPEGEN_CONTENT = /\bdypai_generate_types\b|endpoints\.gen\.ts|flow-types-codegen/i;
+
+function normalizeSearchDocsPayload(result) {
+  if (typeof result === "string") {
+    try {
+      return JSON.parse(result);
+    } catch {
+      return null;
+    }
+  }
+  if (result && typeof result === "object") return result;
+  return null;
+}
+
+export function filterSearchDocsForStudio(result) {
+  const payload = normalizeSearchDocsPayload(result);
+  if (!payload || !Array.isArray(payload.chunks)) {
+    return result;
+  }
+
+  const chunks = payload.chunks.filter((chunk) => {
+    const source = String(chunk?.source_file || "");
+    if (STUDIO_EXCLUDED_DOC_FILES.has(source)) return false;
+    const blob = `${chunk?.section_title || ""}\n${chunk?.content || ""}`;
+    if (STUDIO_TYPEGEN_CONTENT.test(blob)) return false;
+    return true;
+  });
+
+  return {
+    ...payload,
+    chunks,
+    results_count: chunks.length,
+  };
+}
+
+export const __testing = {
+  STUDIO_EXCLUDED_DOC_FILES,
+  STUDIO_TYPEGEN_CONTENT,
+};

package/src/toolProfiles.js

@@ -0,0 +1,230 @@
+import {
+  loadLocalServerInstructions,
+  loadStudioDebugServerInstructions,
+  loadStudioWorkerServerInstructions,
+} from "./promptLoader.js";
+
+export const DEFAULT_MCP_PROFILE = "local";
+
+const STUDIO_WORKER_TOOLS = [
+  "bulk_upsert",
+  "dypai_test_endpoint",
+  "dypai_validate",
+  "execute_sql",
+  "generate_image_asset",
+  "get_app_credentials",
+  "get_endpoint_versions",
+  "list_ai_models",
+  "manage_database",
+  "manage_roles",
+  "manage_schedules",
+  "manage_storage",
+  "manage_users",
+  "manage_webhooks",
+  "search_docs",
+  "search_logs",
+];
+
+const STUDIO_DEBUG_TOOLS = [
+  ...STUDIO_WORKER_TOOLS,
+];
+
+/** Removed from every MCP profile (local + studio). */
+export const MCP_TOOLS_REMOVED = new Set([
+  "search_capabilities",
+  "get_capability_details",
+  "search_nodes",
+  "search_project_artifacts",
+  "fetch_project_artifact",
+  "manage_project_artifact",
+  "manage_project_access_profile",
+  "frontend_logs",
+  "search_design_patterns",
+  "search_project_templates",
+  "search_workflow_templates",
+]);
+
+/** Local-only ship/deploy tools — excluded from Studio allowlists, not from local. */
+export const STUDIO_SHIP_TOOLS = new Set([
+  "dypai_push",
+  "manage_drafts",
+  "manage_frontend",
+]);
+
+/**
+ * MCP tool surface profiles.
+ * `local` = full catalog minus MCP_TOOLS_REMOVED.
+ * Studio profiles = explicit allowlists (subset of local).
+ */
+export const MCP_TOOL_PROFILES = {
+  local: null,
+  "studio-worker": new Set(STUDIO_WORKER_TOOLS),
+  "studio-debug": new Set(STUDIO_DEBUG_TOOLS),
+};
+
+const STUDIO_FORBIDDEN_TOOL_NAMES = [
+  ...MCP_TOOLS_REMOVED,
+  ...STUDIO_SHIP_TOOLS,
+];
+
+export function isStudioProfile(profile) {
+  return profile === "studio-worker" || profile === "studio-debug";
+}
+
+export function resolveMcpProfile(env = process.env) {
+  const raw = env.DYPAI_MCP_PROFILE;
+  const profile = (typeof raw === "string" && raw.trim())
+    ? raw.trim()
+    : DEFAULT_MCP_PROFILE;
+
+  if (!Object.prototype.hasOwnProperty.call(MCP_TOOL_PROFILES, profile)) {
+    throw new Error(
+      `Unknown DYPAI_MCP_PROFILE "${profile}". Valid profiles: ${Object.keys(MCP_TOOL_PROFILES).join(", ")}`,
+    );
+  }
+
+  return profile;
+}
+
+export function isToolAllowedForProfile(toolName, profile) {
+  if (MCP_TOOLS_REMOVED.has(toolName)) return false;
+  const allowed = MCP_TOOL_PROFILES[profile];
+  if (profile === "local" || allowed === null) return true;
+  return allowed.has(toolName);
+}
+
+export function filterToolsForProfile(tools, profile) {
+  return tools.filter((tool) => isToolAllowedForProfile(tool.name, profile));
+}
+
+export function getServerInstructionsForProfile(profile) {
+  if (profile === "studio-worker") {
+    return loadStudioWorkerServerInstructions();
+  }
+  if (profile === "studio-debug") {
+    return loadStudioDebugServerInstructions();
+  }
+  return loadLocalServerInstructions();
+}
+
+export function toolNotAllowedError(toolName, profile) {
+  return `Tool "${toolName}" is not available in DYPAI_MCP_PROFILE=${profile}`;
+}
+
+export function assertToolCallAllowedForProfile(toolName, profile) {
+  if (!isToolAllowedForProfile(toolName, profile)) {
+    throw new Error(toolNotAllowedError(toolName, profile));
+  }
+}
+
+/** Test helper: verify Studio profile instructions omit forbidden tool/workflow strings. */
+export function assertStudioInstructionsSanitized(instructions, { allowDebugTools = false } = {}) {
+  for (const toolName of STUDIO_FORBIDDEN_TOOL_NAMES) {
+    if (instructions.includes(toolName)) {
+      throw new Error(`Studio instructions must not mention forbidden tool: ${toolName}`);
+    }
+  }
+
+  const withoutNegatedPublish = instructions.replace(/do not publish/gi, "");
+  if (/publish/i.test(withoutNegatedPublish)) {
+    throw new Error("Studio instructions must not mention publish outside 'do not publish'");
+  }
+
+  const withoutNegatedArtifacts = instructions.replace(/do not use artifacts[^\n]*/gi, "");
+  if (/\bartifacts?\b/i.test(withoutNegatedArtifacts)) {
+    throw new Error("Studio instructions must not promote artifacts");
+  }
+
+  if (/\bcapabilit(y|ies)\b/i.test(instructions)) {
+    throw new Error("Studio instructions must not mention capabilities");
+  }
+  if (/node catalog|node-catalog/i.test(instructions)) {
+    throw new Error("Studio instructions must not mention node catalog");
+  }
+  if (/responseCardinality/i.test(instructions)) {
+    throw new Error("Studio instructions must not mention responseCardinality");
+  }
+  if (/\bdypai_push\b/.test(instructions)) {
+    throw new Error("Studio instructions must not mention dypai_push");
+  }
+  if (/\bmanage_drafts\b/.test(instructions)) {
+    throw new Error("Studio instructions must not mention manage_drafts");
+  }
+  if (/\bmanage_frontend\b/.test(instructions)) {
+    throw new Error("Studio instructions must not mention manage_frontend");
+  }
+  const withoutNegatedProjectLifecycle = instructions.replace(
+    /do not call[^\n]*(?:create_project|list_projects|dypai_pull)[^\n]*/gi,
+    "",
+  );
+  if (/\bcreate_project\b/.test(withoutNegatedProjectLifecycle)) {
+    throw new Error("Studio instructions must not mention create_project");
+  }
+  if (/\blist_projects\b/.test(withoutNegatedProjectLifecycle)) {
+    throw new Error("Studio instructions must not mention list_projects");
+  }
+  if (/\bdypai_pull\b/.test(withoutNegatedProjectLifecycle)) {
+    throw new Error("Studio instructions must not mention dypai_pull");
+  }
+  if (/deploy frontend/i.test(instructions)) {
+    throw new Error("Studio instructions must not mention deploy frontend");
+  }
+  if (/search_design_patterns|design patterns catalog/i.test(instructions)) {
+    throw new Error("Studio instructions must not mention design patterns catalog");
+  }
+
+  const withoutNegatedYaml = instructions.replace(/do not create yaml endpoints?/gi, "");
+  if (/yaml endpoints?/i.test(withoutNegatedYaml)) {
+    throw new Error("Studio instructions must not promote YAML endpoint authoring");
+  }
+
+  if (!/DYPAI Studio worker/i.test(instructions)) {
+    throw new Error("Studio instructions must mention DYPAI Studio worker");
+  }
+  if (!/dypai\/flows\/\*\.flow\.ts/i.test(instructions)) {
+    throw new Error("Studio instructions must mention dypai/flows/*.flow.ts");
+  }
+  if (!/workflow templates|search_docs\("flow ts"\)/i.test(instructions)) {
+    throw new Error("Studio instructions must mention workflow templates or search_docs flow guidance");
+  }
+  if (!/\bdypai_validate\b/.test(instructions)) {
+    throw new Error("Studio instructions must mention dypai_validate");
+  }
+  if (!/do not publish/i.test(instructions)) {
+    throw new Error("Studio instructions must contain 'do not publish'");
+  }
+  if (!/do not ship/i.test(instructions)) {
+    throw new Error("Studio instructions must contain 'do not ship'");
+  }
+  if (!/orchestrator will sync|orchestrator runs|orchestrator owns|orchestrator updates|regenerate endpoint types/i.test(instructions)) {
+    throw new Error("Studio instructions must describe orchestrator sync/build/validate");
+  }
+
+  const withoutNegatedTypegen = instructions.replace(
+    /endpoint typescript types are handled by studio[^\n]*/gi,
+    "",
+  );
+  if (/\bdypai_generate_types\b/.test(withoutNegatedTypegen)) {
+    throw new Error("Studio instructions must not mention dypai_generate_types");
+  }
+  if (/\bendpoints\.gen\.ts\b/.test(withoutNegatedTypegen)) {
+    throw new Error("Studio instructions must not mention endpoints.gen.ts");
+  }
+
+}
+
+/** Test helper: local profile doctrine in instructions. */
+export function assertLocalDoctrine(instructions) {
+  if (!/dypai\/flows\/\*\.flow\.ts/i.test(instructions)) {
+    throw new Error("local instructions must mention dypai/flows/*.flow.ts");
+  }
+  if (!/Do not create new YAML endpoints/i.test(instructions)) {
+    throw new Error("local instructions must discourage new YAML endpoints");
+  }
+  if (!/search_docs\("flow ts"\)|search_docs\("workflow patterns"\)/i.test(instructions)) {
+    throw new Error("local instructions must mention search_docs for flow/workflow guidance");
+  }
+  if (!/capability-brief|capability-catalog/i.test(instructions)) {
+    throw new Error("local instructions must point to on-disk capability files");
+  }
+}

package/src/tools/generate-image.js

@@ -0,0 +1,187 @@
+/**
+ * generate_image_asset — local orchestration around the cloud image generator.
+ *
+ * The cloud MCP (`dypai-mcp-cloud`) does the heavy work: calls OpenRouter,
+ * uploads to DYPAI's temporary R2 bucket, returns a signed URL + metadata.
+ *
+ * This local file adds ONE optional capability: if the agent passes
+ * `target_path`, we download the image from the signed URL and save it to
+ * the local filesystem. This keeps the common case ("create a hero image at
+ * public/hero.png") in one tool call instead of two (generate → download).
+ *
+ * If `target_path` is omitted we just forward the cloud response untouched —
+ * the calling agent decides what to do with the URL (embed, save elsewhere,
+ * stream, etc.).
+ *
+ * Path safety: `target_path` is always resolved RELATIVE to process.cwd()
+ * (where the agent invoked the MCP). Absolute paths and paths escaping cwd
+ * are rejected. We also enforce that the destination extension matches the
+ * generated image type.
+ */
+
+import { mkdir, writeFile } from "node:fs/promises"
+import { dirname, extname, isAbsolute, join, relative, resolve } from "node:path"
+import { Buffer } from "node:buffer"
+import { proxyToolCall } from "./proxy.js"
+
+// Extensions the cloud tool can return. Source of truth lives in
+// `dypai-mcp-cloud/.../images_sdk/handlers.py:_DATA_URL_PATTERN`.
+const ALLOWED_IMAGE_EXTENSIONS = new Set([".png", ".jpg", ".jpeg", ".webp"])
+
+const MAX_DOWNLOAD_BYTES = 16 * 1024 * 1024
+const DOWNLOAD_TIMEOUT_MS = 60_000
+
+function isValidTargetPath(input) {
+  if (typeof input !== "string") return false
+  const trimmed = input.trim()
+  if (!trimmed) return false
+  if (trimmed.includes("\0")) return false
+  return true
+}
+
+/**
+ * Resolve target_path to an absolute path inside cwd. Reject anything
+ * pointing outside the working directory (path traversal, absolute paths
+ * to other folders).
+ */
+function resolveTargetPath(input) {
+  const cwd = process.cwd()
+  // Reject absolute paths outright. The agent should write inside the
+  // project it's working in — not /tmp, not /etc.
+  if (isAbsolute(input)) {
+    throw new Error(
+      `target_path must be relative to the project (no absolute paths). Got: ${input}`,
+    )
+  }
+  const absolute = resolve(cwd, input)
+  const rel = relative(cwd, absolute)
+  if (rel.startsWith("..") || isAbsolute(rel)) {
+    throw new Error(`target_path escapes the project directory: ${input}`)
+  }
+  return absolute
+}
+
+/**
+ * If target_path ends with '/' the agent wants us to pick a filename. We
+ * derive one from the cloud's object_key (which already includes a uuid
+ * and the right extension). This mirrors the convention `manage_storage`
+ * upload uses for missing object_name.
+ */
+function finalizeTargetPath(input, objectKey, extensionFromMime) {
+  const looksLikeDirectory = input.endsWith("/") || input.endsWith("\\")
+  if (looksLikeDirectory) {
+    const objectBasename = objectKey.split("/").pop() || `image${extensionFromMime}`
+    return resolveTargetPath(join(input, objectBasename))
+  }
+  return resolveTargetPath(input)
+}
+
+function assertExtensionMatches(targetAbsolute, extensionFromMime) {
+  const targetExt = extname(targetAbsolute).toLowerCase()
+  if (!targetExt) {
+    throw new Error(
+      `target_path must include an extension (one of ${[...ALLOWED_IMAGE_EXTENSIONS].join(", ")}). Got: ${targetAbsolute}`,
+    )
+  }
+  if (!ALLOWED_IMAGE_EXTENSIONS.has(targetExt)) {
+    throw new Error(`Unsupported target_path extension: ${targetExt}`)
+  }
+  // .jpg and .jpeg are interchangeable for our purposes.
+  const normalize = (ext) => (ext === ".jpeg" ? ".jpg" : ext)
+  if (normalize(targetExt) !== normalize(extensionFromMime)) {
+    throw new Error(
+      `target_path extension ${targetExt} does not match generated image type ${extensionFromMime}. ` +
+        `Either change target_path or omit it and let the tool pick a path.`,
+    )
+  }
+}
+
+function extensionFromMime(mime) {
+  if (!mime || typeof mime !== "string") return ".png"
+  const lower = mime.toLowerCase()
+  if (lower === "image/jpeg" || lower === "image/jpg") return ".jpg"
+  if (lower === "image/webp") return ".webp"
+  return ".png"
+}
+
+async function downloadImage(signedUrl) {
+  const controller = new AbortController()
+  const timer = setTimeout(() => controller.abort(), DOWNLOAD_TIMEOUT_MS)
+  try {
+    const response = await fetch(signedUrl, { signal: controller.signal })
+    if (!response.ok) {
+      throw new Error(`Failed to download generated image: HTTP ${response.status}`)
+    }
+    const buf = Buffer.from(await response.arrayBuffer())
+    if (buf.byteLength > MAX_DOWNLOAD_BYTES) {
+      throw new Error(`Downloaded image is too large (${buf.byteLength} bytes)`)
+    }
+    return buf
+  } finally {
+    clearTimeout(timer)
+  }
+}
+
+/**
+ * Main entry. `arguments` matches the cloud tool's schema PLUS the optional
+ * local-only `target_path`. We forward everything else verbatim — the cloud
+ * tool ignores unknown keys, so this stays forward-compatible if the cloud
+ * tool grows new params.
+ */
+export async function generateImageAsset(args = {}) {
+  const targetPathInput = typeof args.target_path === "string" ? args.target_path.trim() : ""
+  const wantsLocalSave = Boolean(targetPathInput)
+
+  if (wantsLocalSave && !isValidTargetPath(targetPathInput)) {
+    throw new Error("target_path is not a valid filesystem path")
+  }
+
+  // Strip the local-only param before proxying so the cloud schema validator
+  // doesn't complain about unknown keys.
+  const cloudArgs = { ...args }
+  delete cloudArgs.target_path
+
+  const cloudResult = await proxyToolCall("generate_image_asset", cloudArgs)
+
+  // If the cloud returned an error envelope, surface it as-is.
+  if (cloudResult?.ok === false) {
+    return cloudResult
+  }
+
+  if (!cloudResult?.image_url || typeof cloudResult.image_url !== "string") {
+    throw new Error("generate_image_asset cloud response missing image_url")
+  }
+
+  // Case A: agent didn't ask for a local save → forward URL + metadata. The
+  // calling agent picks: embed via URL, save somewhere else, etc.
+  if (!wantsLocalSave) {
+    return {
+      ...cloudResult,
+      saved_to: null,
+      note: cloudResult.note
+        || `Image hosted at a temporary URL; download or persist it within ${cloudResult.expires_in_seconds || "the expiration window"} seconds if you need to keep it.`,
+    }
+  }
+
+  // Case B: agent asked for a local save. Resolve the target, download the
+  // image once, write it to disk.
+  const extension = extensionFromMime(cloudResult.mime_type)
+  const targetAbsolute = finalizeTargetPath(
+    targetPathInput,
+    cloudResult.object_key || "image",
+    extension,
+  )
+  assertExtensionMatches(targetAbsolute, extension)
+
+  const imageBytes = await downloadImage(cloudResult.image_url)
+
+  await mkdir(dirname(targetAbsolute), { recursive: true })
+  await writeFile(targetAbsolute, imageBytes)
+
+  return {
+    ...cloudResult,
+    saved_to: relative(process.cwd(), targetAbsolute) || targetAbsolute,
+    saved_absolute_path: targetAbsolute,
+    note: `Image saved to ${relative(process.cwd(), targetAbsolute)}. The cloud URL also remains valid until ${cloudResult.expires_at || "expiration"}.`,
+  }
+}

package/src/tools/manage-database.js

@@ -445,9 +445,9 @@ async function executeScript({ project_id, sql, timeout_seconds }) {
 export const manageDatabaseTool = {
   name: "manage_database",
   description:
-    "Database operations beyond a single SQL statement. Use `execute_sql` for " +
-    "ad-hoc single-statement queries; this tool covers migrations, introspection, " +
-    "and multi-statement transactional scripts.\n\n" +
+    "Database operations beyond ad-hoc SQL. Use `execute_sql` for reads/writes " +
+    "and safe multi-statement bootstrap scripts; this tool covers versioned " +
+    "migrations and introspection.\n\n" +
     "Operations:\n" +
     "- apply_migration:    Apply dypai/migrations/<file>.sql with tracking + idempotency.\n" +
     "                      Same file twice → no-op. Modified file → checksum_mismatch.\n" +