@dypai-ai/mcp 1.5.4 → 1.5.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dypai-ai/mcp",
-  "version": "1.5.4",
+  "version": "1.5.6",
   "description": "DYPAI MCP Server — AI agent toolkit for building and deploying full-stack apps",
   "type": "module",
   "main": "src/index.js",

package/src/index.js

@@ -115,6 +115,7 @@ const REMOTE_TOOLS = [
   // ── Project ───────────────────────────────────────────────────────────────
   { name: "list_projects", description: "Lists all projects you have access to across your organizations. Returns project id, name, description, organization, subscription plan, and status. Use this as the first step to discover which projects are available, then pass project_id to other tools.", inputSchema: { type: "object", properties: { organization_id: { type: "string", description: "Optional. Filter projects by organization UUID." } }, required: [] } },
   { name: "get_project", description: "Gets detailed information about a specific project. Returns project name, description, organization, plan, status, engine URL, frontend slug, and timestamps.", inputSchema: { type: "object", properties: { project_id: { type: "string" } }, required: ["project_id"] } },
+  { name: "list_ai_models", description: "List only the DYPAI Managed AI models that are active for a project. Returns the project-gated OpenRouter model catalog, monthly included AI credits, monthly hard cap, RPM limit, max output tokens, active/available counts, and the exact node parameters to use. Call this before creating or editing an AI Agent node with DYPAI Managed models. Agents must not invent or use inactive model ids. Use provider='openrouter' and do NOT set credential_id; DYPAI uses the platform OpenRouter key and bills usage to the organization.", inputSchema: { type: "object", properties: { project_id: { type: "string", description: "Project UUID whose plan and Model Gateway settings determine the active Managed AI catalog." } }, required: ["project_id"] } },
   { name: "create_project", description: "Create a new DYPAI project (free plan). Creates a full project with database, engine, GitHub repo, and frontend hosting. BLOCKS by default until provisioning finishes (~60s typical, 120s max) — when it returns, the project_id is ready to use with execute_sql, endpoint tools, etc. Pass wait_until_ready:false for batch flows.\n\nName collision: if another project in the same org already uses the name (case-insensitive), returns {error:'name_taken', existing_project_id, suggestions:[...]}. Pick a different name or use the existing project.\n\nIMPORTANT: before calling, check for a matching template with `search_project_templates`. Passing a `template_slug` drops in a ready-made schema + endpoints + UI that cover 70% of common app types. Only create a blank project if nothing matches.", inputSchema: { type: "object", properties: { name: { type: "string", description: "Project name (e.g. 'My Veterinary App')" }, organization_id: { type: "string", description: "Optional. Uses default org if omitted." }, description: { type: "string" }, template_slug: { type: "string", description: "RECOMMENDED. Project template slug to start from (e.g. 'clinic', 'gym', 'waitlist', 'blank'). Always call search_project_templates first to find the best match." }, wait_until_ready: { type: "boolean", description: "If true (default), blocks until provisioning completes and the project is ready for all operations. If false, returns immediately with status='provisioning' — caller must poll get_project before using.", default: true } }, required: ["name"] } },
   { name: "get_app_credentials", description: "Lists available credentials in the current application. Returns API keys, anon key, service role key, and engine URL needed for SDK configuration.", inputSchema: { type: "object", properties: { project_id: { type: "string" } }, required: [] } },
 
@@ -166,7 +167,7 @@ const REMOTE_TOOLS = [
   // and fail to learn the contract. Mirrors the validation the remote does.
   {
     name: "manage_users",
-    description: `Manage authenticated users (better-auth backed).
+    description: `Manage authenticated users.
 
 Operations:
 - list:         Paginated user listing. Optional: search, limit (1-100, default 20), offset, sort_by, sort_order.
@@ -177,14 +178,14 @@ Operations:
 - delete:       Permanently remove a user (user_id).
 - ban / unban:  Block / unblock login (user_id; ban supports ban_reason and ban_expires_in seconds).
 
-NOTE: user IDs are TEXT (better-auth nanoids like "G1LIBXsbMLxUrs99ebCaL9X4auxW26AC"), NOT UUIDs.`,
+NOTE: user IDs are TEXT alphanumeric strings (~32 chars, like "G1LIBXsbMLxUrs99ebCaL9X4auxW26AC"), NOT UUIDs. They live in auth."user".id.`,
     inputSchema: {
       type: "object",
       properties: {
         project_id:        { type: "string", description: "Project UUID. Required for user tokens; auto-detected for project tokens." },
         operation:         { type: "string", enum: ["list", "get", "create", "set_password", "update_role", "delete", "ban", "unban"] },
         // Fields used by various operations
-        user_id:           { type: "string", description: "User ID (TEXT, better-auth nanoid). Required for: get, set_password, update_role, delete, ban, unban." },
+        user_id:           { type: "string", description: "User ID (TEXT alphanumeric, NOT a UUID; from auth.\"user\".id). Required for: get, set_password, update_role, delete, ban, unban." },
         email:             { type: "string", description: "User email. Required for: create." },
         password:          { type: "string", description: "User password (min 6 chars). Required for: create, set_password." },
         name:              { type: "string", description: "Display name. Optional for: create." },
@@ -477,7 +478,7 @@ const SERVER_INSTRUCTIONS = `You are building full-stack applications on the DYP
 - ❌ *"¿Prefieres Tailwind o CSS Modules?"*
 - ❌ Asking "which framework" unless the user explicitly says *"I want to compare platforms"* or *"what are my options"*.
 
-These are ALL dead signals: Next.js is already what DYPAI scaffolds. The DB is already PostgreSQL (via DYPAI engine). Auth is already better-auth (built in). Tailwind is already in the templates. Prisma / ORMs are not used — you write SQL directly in workflow endpoints.
+These are ALL dead signals: Next.js is already what DYPAI scaffolds. The DB is already PostgreSQL (via DYPAI engine). Auth is built in. Tailwind is already in the templates. Prisma / ORMs are not used — you write SQL directly in workflow endpoints.
 
 ## What to do when the user says "I want to build X"
 
@@ -861,7 +862,7 @@ Mental translations: "edge function" → workflow with one code node; "cron" →
 
 ## Common app recipes (one-liners)
 
-- **Auth-gated CRUD**: table with \`user_id UUID\`, jwt endpoints, SQL always filters by \`\${current_user_id}\`, frontend \`<ProtectedRoute>\`.
+- **Auth-gated CRUD**: table with \`user_id TEXT\` (auth IDs are TEXT, not UUID), jwt endpoints, SQL always filters by \`\${current_user_id}\`, frontend \`<ProtectedRoute>\`.
 - **Admin panel**: endpoints with \`allowed_roles: [admin]\`. Same SQL, no user filter (admin sees all). Promote via \`manage_users(update_role)\`.
 - **AI chat**: single endpoint with \`agent\` node + \`memory_key: "chat:\${current_user_id}"\`. Frontend \`dypai.api.stream()\`.
 - **Payments (Stripe)**: \`stripe\` node for ops. Webhook endpoint with \`trigger.webhook\` + \`stripe_webhook: true\` (auto-verifies signature).
@@ -889,7 +890,7 @@ SDK is pre-configured at \`src/lib/dypai.ts\` (or \`src/dypai.ts\`). Import \`dy
 
 - \`bulk_upsert\` — CSV/JSON → table. Seed data.
 - \`manage_domain\` — custom domains. \`add\` returns CNAME to configure. \`verify\` rechecks DNS/SSL. → \`search_docs("manage domain")\`.
-- \`manage_users\` / \`manage_roles\` — app-level RBAC (better-auth). Create/ban/assign roles.
+- \`manage_users\` / \`manage_roles\` — app-level RBAC. Create/ban/assign roles.
 - \`manage_schedules\` / \`manage_webhooks\` — pause/resume/history. To change the DEFINITION, edit the YAML and push.
 - \`manage_storage\` — buckets + objects. \`upload_file\` reads local path, signs URL, PUTs, registers. Max 100MB/file. → \`search_docs("file storage")\`.
 - \`manage_drafts\` — universal draft/publish. \`list\` before \`publish\` so the user sees what's shipping. \`discard\` to throw away. Always pair with \`dypai_test_endpoint(mode:'draft')\` before publish.

package/src/tools/proxy.js

@@ -16,6 +16,70 @@ const MCP_ENDPOINT = `${MCP_BASE}/mcp`
 
 let sessionId = null
 
+function extractLastSseData(text) {
+  const events = text.split(/\r?\n\r?\n/).filter(Boolean)
+  for (let i = events.length - 1; i >= 0; i--) {
+    const dataLines = events[i]
+      .split(/\r?\n/)
+      .filter((line) => line.startsWith("data:"))
+      .map((line) => line.replace(/^data:\s?/, ""))
+      .filter((line) => line && line !== "[DONE]")
+    if (dataLines.length) return dataLines.join("\n")
+  }
+  return null
+}
+
+function decodeTransportValue(value) {
+  let current = value
+  for (let i = 0; i < 5; i++) {
+    if (typeof current !== "string") return current
+    const trimmed = current.trim()
+    const sseData = extractLastSseData(trimmed)
+    const candidate = sseData || trimmed
+    try {
+      current = JSON.parse(candidate)
+    } catch {
+      return current
+    }
+  }
+  return current
+}
+
+function normalizeJsonRpcResponse(response) {
+  let current = decodeTransportValue(response)
+
+  for (let i = 0; i < 5; i++) {
+    if (!current || typeof current !== "object") return current
+
+    // Some HTTP/SSE transports get wrapped as { result: "<jsonrpc...>" } after
+    // a fallback parse path. Unwrap that so callers always see the real MCP
+    // JSON-RPC response instead of a stringified envelope.
+    if (
+      Object.keys(current).length === 1
+      && typeof current.result === "string"
+    ) {
+      const decoded = decodeTransportValue(current.result)
+      if (decoded !== current.result) {
+        current = decoded
+        continue
+      }
+    }
+
+    if (
+      current.result
+      && typeof current.result === "object"
+      && current.result.jsonrpc
+    ) {
+      current = current.result
+      continue
+    }
+
+    return current
+  }
+
+  return current
+}
+
 function mcpRequest(body) {
   const token = process.env.DYPAI_TOKEN || ""
 
@@ -50,18 +114,9 @@ function mcpRequest(body) {
       res.on("end", () => {
         if (res.statusCode >= 200 && res.statusCode < 300) {
           // Handle SSE responses (text/event-stream)
-          if (buf.includes("data: ")) {
-            const lines = buf.split("\n").filter(l => l.startsWith("data: "))
-            const lastData = lines[lines.length - 1]
-            if (lastData) {
-              try {
-                resolve(JSON.parse(lastData.replace("data: ", "")))
-              } catch {
-                resolve({ result: buf })
-              }
-            } else {
-              resolve({ result: buf })
-            }
+          const sseData = extractLastSseData(buf)
+          if (sseData) {
+            try { resolve(JSON.parse(sseData)) } catch { resolve({ result: sseData }) }
           } else {
             try { resolve(JSON.parse(buf)) } catch { resolve({ result: buf }) }
           }
@@ -116,7 +171,7 @@ async function ensureInitialized() {
 export async function proxyToolCall(toolName, args) {
   await ensureInitialized()
 
-  const response = await mcpRequest({
+  const response = normalizeJsonRpcResponse(await mcpRequest({
     jsonrpc: "2.0",
     id: `proxy-${Date.now()}`,
     method: "tools/call",
@@ -124,7 +179,7 @@ export async function proxyToolCall(toolName, args) {
       name: toolName,
       arguments: args || {},
     },
-  })
+  }))
 
   // Extract result from JSON-RPC response
   if (response.result) {
@@ -137,7 +192,7 @@ export async function proxyToolCall(toolName, args) {
 
     if (text != null) {
       let parsed
-      try { parsed = JSON.parse(text) } catch { parsed = text }
+      parsed = decodeTransportValue(text)
       // Some remote errors come as a plain string without isError flag
       if (typeof parsed === "string" && /^(Error:|Input validation error:|You don't have)/i.test(parsed)) {
         throw new Error(parsed)

package/src/tools/sql-guard.js

@@ -18,7 +18,7 @@
 
 // Schemas the agent must not modify. SELECT against them stays allowed.
 const PROTECTED_SCHEMAS = new Set([
-  "auth",                // better-auth user/session tables — engine-owned
+  "auth",                // auth user/session tables — engine-owned
   "storage",             // file upload metadata — engine-owned
   "system",              // DYPAI internals (endpoints, credentials, etc.)
   "information_schema",  // PG metadata catalog

package/src/tools/sync/describe.js

@@ -127,7 +127,7 @@ export const dypaiDescribeTool = {
       placeholders_available: [
         "${input.<field>}  — request body / query params",
         "${nodes.<node_id>.<field>}  — output of a previous node",
-        "${current_user_id}  — uuid of the authenticated user (jwt auth only)",
+        "${current_user_id}  — id of the authenticated user (TEXT, NOT a UUID; jwt auth only)",
         "${current_user_role}  — role name of the authenticated user",
       ],
 

package/src/tools/sync/pull.js

@@ -206,7 +206,7 @@ output:
 #
 #   \${input.<field>}            — the request body / query params
 #   \${nodes.<id>.<field>}       — output of a previous node
-#   \${current_user_id}          — UUID of the JWT-authenticated user
+#   \${current_user_id}          — ID of the JWT-authenticated user (TEXT, NOT a UUID — match against TEXT columns)
 #   \${current_user_role}        — role name from the JWT
 #
 # Expressions inside placeholders work: arithmetic, comparisons, JS-ish.
@@ -218,8 +218,9 @@ output:
 #   plain object/array  →  binds as ::jsonb
 #   Date instance       →  binds as ::timestamptz
 #   text / int / bool   →  binds without an explicit cast (Postgres infers)
-# So you write SQL naturally — DON'T add '\${current_user_id}'::uuid manually.
-# Just write: WHERE user_id = \${current_user_id}
+# So you write SQL naturally — DON'T add type casts manually like
+# '\${input.product_id}'::uuid. Just write: WHERE id = \${input.product_id}
+# (and remember: \${current_user_id} is TEXT, so user_id columns must be TEXT too).
 workflow:
   nodes:
 

package/src/tools/sync/test-endpoint.js

@@ -243,7 +243,7 @@ export const dypaiTestEndpointTool = {
       },
       as_user: {
         type: "string",
-        description: "User UUID to impersonate. Required for jwt endpoints that read ${current_user_id}.",
+        description: "User ID to impersonate. Required for jwt endpoints that read ${current_user_id}. NOTE: user IDs are stored in auth.\"user\".id as a TEXT alphanumeric string (e.g. '9KxggvkPhgpYXITE6koY0vYWJqQzSwaw'), NOT a UUID. Discover IDs with manage_users(operation:'list') or execute_sql(\"SELECT id, email FROM auth.\\\"user\\\" LIMIT 5\"). Common mistake: passing a UUID copied from system.users or a business table.",
       },
       trace_mode: {
         type: "string",

package/src/tools/sync/validate.js

@@ -1175,7 +1175,7 @@ export async function runValidation(rootDir, projectId) {
             `    user_id TEXT NOT NULL,\\n` +
             `    created_at TIMESTAMPTZ DEFAULT NOW()\\n` +
             `  );" })\n` +
-            `IMPORTANT: user_id must be TEXT (not UUID) — better-auth's auth.user.id is a 32-char nanoid stored as TEXT. ` +
+            `IMPORTANT: user_id must be TEXT (not UUID) — auth.\"user\".id is a TEXT alphanumeric string (~32 chars). ` +
             `(Add other columns matching what your endpoint INSERTs.) ` +
             `schema.sql will auto-refresh after the DDL. Existing tables: ${knownTablesList}`,
         })