npm - @elliotding/ai-agent-mcp - Versions diffs - 0.1.0 - Mend

@elliotding/ai-agent-mcp 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (191) hide show

package/dist/api/cached-client.d.ts +48 -0
package/dist/api/cached-client.d.ts.map +1 -0
package/dist/api/cached-client.js +126 -0
package/dist/api/cached-client.js.map +1 -0
package/dist/api/client.d.ts +213 -0
package/dist/api/client.d.ts.map +1 -0
package/dist/api/client.js +326 -0
package/dist/api/client.js.map +1 -0
package/dist/auth/index.d.ts +8 -0
package/dist/auth/index.d.ts.map +1 -0
package/dist/auth/index.js +26 -0
package/dist/auth/index.js.map +1 -0
package/dist/auth/middleware.d.ts +36 -0
package/dist/auth/middleware.d.ts.map +1 -0
package/dist/auth/middleware.js +194 -0
package/dist/auth/middleware.js.map +1 -0
package/dist/auth/permissions.d.ts +60 -0
package/dist/auth/permissions.d.ts.map +1 -0
package/dist/auth/permissions.js +256 -0
package/dist/auth/permissions.js.map +1 -0
package/dist/auth/token-validator.d.ts +52 -0
package/dist/auth/token-validator.d.ts.map +1 -0
package/dist/auth/token-validator.js +217 -0
package/dist/auth/token-validator.js.map +1 -0
package/dist/cache/cache-manager.d.ts +49 -0
package/dist/cache/cache-manager.d.ts.map +1 -0
package/dist/cache/cache-manager.js +191 -0
package/dist/cache/cache-manager.js.map +1 -0
package/dist/cache/index.d.ts +6 -0
package/dist/cache/index.d.ts.map +1 -0
package/dist/cache/index.js +12 -0
package/dist/cache/index.js.map +1 -0
package/dist/cache/redis-client.d.ts +45 -0
package/dist/cache/redis-client.d.ts.map +1 -0
package/dist/cache/redis-client.js +210 -0
package/dist/cache/redis-client.js.map +1 -0
package/dist/config/constants.d.ts +28 -0
package/dist/config/constants.d.ts.map +1 -0
package/dist/config/constants.js +31 -0
package/dist/config/constants.js.map +1 -0
package/dist/config/index.d.ts +54 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +168 -0
package/dist/config/index.js.map +1 -0
package/dist/filesystem/manager.d.ts +45 -0
package/dist/filesystem/manager.d.ts.map +1 -0
package/dist/filesystem/manager.js +246 -0
package/dist/filesystem/manager.js.map +1 -0
package/dist/git/multi-source-manager.d.ts +62 -0
package/dist/git/multi-source-manager.d.ts.map +1 -0
package/dist/git/multi-source-manager.js +293 -0
package/dist/git/multi-source-manager.js.map +1 -0
package/dist/git/operations.d.ts +27 -0
package/dist/git/operations.d.ts.map +1 -0
package/dist/git/operations.js +83 -0
package/dist/git/operations.js.map +1 -0
package/dist/index.d.ts +6 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +109 -0
package/dist/index.js.map +1 -0
package/dist/monitoring/health.d.ts +35 -0
package/dist/monitoring/health.d.ts.map +1 -0
package/dist/monitoring/health.js +105 -0
package/dist/monitoring/health.js.map +1 -0
package/dist/resources/index.d.ts +6 -0
package/dist/resources/index.d.ts.map +1 -0
package/dist/resources/index.js +10 -0
package/dist/resources/index.js.map +1 -0
package/dist/resources/loader.d.ts +87 -0
package/dist/resources/loader.d.ts.map +1 -0
package/dist/resources/loader.js +452 -0
package/dist/resources/loader.js.map +1 -0
package/dist/server/http.d.ts +57 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +336 -0
package/dist/server/http.js.map +1 -0
package/dist/server.d.ts +13 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +157 -0
package/dist/server.js.map +1 -0
package/dist/session/manager.d.ts +91 -0
package/dist/session/manager.d.ts.map +1 -0
package/dist/session/manager.js +251 -0
package/dist/session/manager.js.map +1 -0
package/dist/tools/index.d.ts +11 -0
package/dist/tools/index.d.ts.map +1 -0
package/dist/tools/index.js +27 -0
package/dist/tools/index.js.map +1 -0
package/dist/tools/manage-subscription.d.ts +43 -0
package/dist/tools/manage-subscription.d.ts.map +1 -0
package/dist/tools/manage-subscription.js +268 -0
package/dist/tools/manage-subscription.js.map +1 -0
package/dist/tools/registry.d.ts +40 -0
package/dist/tools/registry.d.ts.map +1 -0
package/dist/tools/registry.js +85 -0
package/dist/tools/registry.js.map +1 -0
package/dist/tools/search-resources.d.ts +31 -0
package/dist/tools/search-resources.d.ts.map +1 -0
package/dist/tools/search-resources.js +154 -0
package/dist/tools/search-resources.js.map +1 -0
package/dist/tools/sync-resources.d.ts +41 -0
package/dist/tools/sync-resources.d.ts.map +1 -0
package/dist/tools/sync-resources.js +606 -0
package/dist/tools/sync-resources.js.map +1 -0
package/dist/tools/uninstall-resource.d.ts +30 -0
package/dist/tools/uninstall-resource.d.ts.map +1 -0
package/dist/tools/uninstall-resource.js +259 -0
package/dist/tools/uninstall-resource.js.map +1 -0
package/dist/tools/upload-resource.d.ts +77 -0
package/dist/tools/upload-resource.d.ts.map +1 -0
package/dist/tools/upload-resource.js +252 -0
package/dist/tools/upload-resource.js.map +1 -0
package/dist/transport/sse.d.ts +29 -0
package/dist/transport/sse.d.ts.map +1 -0
package/dist/transport/sse.js +271 -0
package/dist/transport/sse.js.map +1 -0
package/dist/types/errors.d.ts +60 -0
package/dist/types/errors.d.ts.map +1 -0
package/dist/types/errors.js +112 -0
package/dist/types/errors.js.map +1 -0
package/dist/types/index.d.ts +7 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/index.js +23 -0
package/dist/types/index.js.map +1 -0
package/dist/types/mcp.d.ts +50 -0
package/dist/types/mcp.d.ts.map +1 -0
package/dist/types/mcp.js +6 -0
package/dist/types/mcp.js.map +1 -0
package/dist/types/resources.d.ts +109 -0
package/dist/types/resources.d.ts.map +1 -0
package/dist/types/resources.js +7 -0
package/dist/types/resources.js.map +1 -0
package/dist/types/tools.d.ts +147 -0
package/dist/types/tools.d.ts.map +1 -0
package/dist/types/tools.js +6 -0
package/dist/types/tools.js.map +1 -0
package/dist/utils/cursor-paths.d.ts +49 -0
package/dist/utils/cursor-paths.d.ts.map +1 -0
package/dist/utils/cursor-paths.js +116 -0
package/dist/utils/cursor-paths.js.map +1 -0
package/dist/utils/log-cleaner.d.ts +18 -0
package/dist/utils/log-cleaner.d.ts.map +1 -0
package/dist/utils/log-cleaner.js +112 -0
package/dist/utils/log-cleaner.js.map +1 -0
package/dist/utils/logger.d.ts +59 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +292 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/validation.d.ts +58 -0
package/dist/utils/validation.d.ts.map +1 -0
package/dist/utils/validation.js +214 -0
package/dist/utils/validation.js.map +1 -0
package/package.json +58 -0
package/src/api/cached-client.ts +144 -0
package/src/api/client.ts +578 -0
package/src/auth/index.ts +11 -0
package/src/auth/middleware.ts +244 -0
package/src/auth/permissions.ts +317 -0
package/src/auth/token-validator.ts +294 -0
package/src/cache/cache-manager.ts +243 -0
package/src/cache/index.ts +6 -0
package/src/cache/redis-client.ts +249 -0
package/src/config/constants.ts +33 -0
package/src/config/index.ts +228 -0
package/src/filesystem/manager.ts +235 -0
package/src/git/multi-source-manager.ts +333 -0
package/src/git/operations.ts +93 -0
package/src/index.ts +139 -0
package/src/monitoring/health.ts +132 -0
package/src/resources/index.ts +13 -0
package/src/resources/loader.ts +530 -0
package/src/server/http.ts +427 -0
package/src/server.ts +191 -0
package/src/session/manager.ts +296 -0
package/src/tools/index.ts +11 -0
package/src/tools/manage-subscription.ts +332 -0
package/src/tools/registry.ts +97 -0
package/src/tools/search-resources.ts +177 -0
package/src/tools/sync-resources.ts +662 -0
package/src/tools/uninstall-resource.ts +248 -0
package/src/tools/upload-resource.ts +258 -0
package/src/transport/sse.ts +308 -0
package/src/types/errors.ts +146 -0
package/src/types/index.ts +7 -0
package/src/types/mcp.ts +61 -0
package/src/types/resources.ts +141 -0
package/src/types/tools.ts +175 -0
package/src/utils/cursor-paths.ts +83 -0
package/src/utils/log-cleaner.ts +92 -0
package/src/utils/logger.ts +333 -0
package/src/utils/validation.ts +262 -0

package/src/auth/middleware.ts ADDED Viewed

@@ -0,0 +1,244 @@
+/**
+ * Authentication and Permission Middlewares
+ * Token authentication and permission checking for HTTP endpoints
+ */
+import { FastifyRequest, FastifyReply } from 'fastify';
+import { verifyToken, TokenPayload } from './token-validator';
+import { checkPermission } from './permissions';
+import { logger } from '../utils/logger';
+/**
+ * Extended request with user info
+ */
+export interface AuthenticatedRequest extends FastifyRequest {
+  user?: TokenPayload;
+}
+/**
+ * Token Authentication Middleware
+ * Verifies token via external REST API
+ */
+export async function tokenAuthMiddleware(
+  request: AuthenticatedRequest,
+  reply: FastifyReply
+): Promise<void> {
+  try {
+    // Extract token from Authorization header
+    const authHeader = request.headers.authorization;
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      logger.warn(
+        {
+          type: 'auth',
+          operation: 'middleware',
+          ip: request.ip,
+          url: request.url
+        },
+        'Missing or invalid Authorization header'
+      );
+      reply.code(401).send({
+        error: 'Unauthorized',
+        message: 'Missing or invalid Authorization header. Expected: Bearer <token>',
+      });
+      return;
+    }
+    const token = authHeader.substring(7); // Remove 'Bearer ' prefix
+    // Verify token via external API
+    const payload = await verifyToken(token);
+    if (!payload) {
+      logger.warn(
+        {
+          type: 'auth',
+          operation: 'middleware',
+          ip: request.ip,
+          url: request.url
+        },
+        'Token validation failed'
+      );
+      reply.code(401).send({
+        error: 'Unauthorized',
+        message: 'Invalid or expired token',
+      });
+      return;
+    }
+    // Attach user info to request
+    request.user = payload;
+    logger.debug(
+      {
+        type: 'auth',
+        operation: 'middleware',
+        userId: payload.userId,
+        email: payload.email,
+        groups: payload.groups
+      },
+      `Token authentication successful for user ${payload.userId}`
+    );
+  } catch (error) {
+    logger.error({
+      type: 'auth',
+      operation: 'middleware',
+      error: error instanceof Error ? error.message : 'Unknown error'
+    }, 'Token authentication error');
+    reply.code(500).send({
+      error: 'Internal Server Error',
+      message: 'Authentication failed',
+    });
+  }
+}
+/**
+ * Token Authentication Middleware with Legacy Bearer Token Support
+ * Supports both token validation via API and legacy bearer tokens
+ */
+export async function tokenAuthOrLegacyMiddleware(
+  request: AuthenticatedRequest,
+  reply: FastifyReply
+): Promise<void> {
+  try {
+    const authHeader = request.headers.authorization;
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      logger.warn(
+        {
+          type: 'auth',
+          operation: 'middleware_legacy',
+          ip: request.ip,
+          url: request.url
+        },
+        'Missing or invalid Authorization header'
+      );
+      reply.code(401).send({
+        error: 'Unauthorized',
+        message: 'Missing or invalid Authorization header',
+      });
+      return;
+    }
+    const token = authHeader.substring(7);
+    // Try to validate via API first
+    const payload = await verifyToken(token);
+    if (payload) {
+      // API validation successful
+      request.user = payload;
+      logger.debug(
+        {
+          type: 'auth',
+          operation: 'middleware_legacy',
+          userId: payload.userId,
+          email: payload.email,
+          groups: payload.groups
+        },
+        `Token validated via API for user ${payload.userId}`
+      );
+      return;
+    }
+    // Fallback to legacy bearer token (for backward compatibility)
+    logger.debug(
+      {
+        type: 'auth',
+        operation: 'middleware_legacy',
+        ip: request.ip
+      },
+      'API validation failed, using legacy bearer token mode'
+    );
+    // In legacy mode, we don't have user info, so continue without setting request.user
+    // The endpoint will handle the legacy token separately
+  } catch (error) {
+    logger.error({
+      type: 'auth',
+      operation: 'middleware_legacy',
+      error: error instanceof Error ? error.message : 'Unknown error'
+    }, 'Token authentication error');
+    reply.code(500).send({
+      error: 'Internal Server Error',
+      message: 'Authentication failed',
+    });
+  }
+}
+/**
+ * Permission Check Middleware Factory
+ * Creates middleware to check permissions for a specific tool
+ */
+export function requirePermission(toolName: string) {
+  return async (request: AuthenticatedRequest, reply: FastifyReply): Promise<void> => {
+    try {
+      if (!request.user) {
+        logger.error(
+          {
+            type: 'auth',
+            operation: 'permission_check',
+            url: request.url
+          },
+          'Permission check called without authentication'
+        );
+        reply.code(401).send({
+          error: 'Unauthorized',
+          message: 'Authentication required',
+        });
+        return;
+      }
+      // Check permission
+      const permissionCheck = checkPermission(toolName, request.user.groups);
+      if (!permissionCheck.allowed) {
+        logger.warn(
+          {
+            type: 'auth',
+            operation: 'permission_check',
+            userId: request.user.userId,
+            email: request.user.email,
+            groups: request.user.groups,
+            toolName,
+            reason: permissionCheck.reason,
+          },
+          `Permission denied for user ${request.user.userId} to access tool ${toolName}`
+        );
+        reply.code(403).send({
+          error: 'Forbidden',
+          message: permissionCheck.reason || 'Insufficient permissions',
+        });
+        return;
+      }
+      logger.debug(
+        {
+          type: 'auth',
+          operation: 'permission_check',
+          userId: request.user.userId,
+          toolName
+        },
+        `Permission granted for user ${request.user.userId} to access tool ${toolName}`
+      );
+    } catch (error) {
+      logger.error({
+        type: 'auth',
+        operation: 'permission_check',
+        toolName,
+        error: error instanceof Error ? error.message : 'Unknown error'
+      }, 'Permission check error');
+      reply.code(500).send({
+        error: 'Internal Server Error',
+        message: 'Permission check failed',
+      });
+    }
+  };
+}
+/**
+ * Permission Check for Tool Call
+ * Checks permission when tools/call is invoked
+ */
+export function checkToolCallPermission(
+  toolName: string,
+  user: TokenPayload
+): { allowed: boolean; reason?: string } {
+  return checkPermission(toolName, user.groups);
+}

package/src/auth/permissions.ts ADDED Viewed

@@ -0,0 +1,317 @@
+/**
+ * Permission Control System
+ * Group-based access control for MCP tools
+ * Groups are obtained from CSP API /user/permissions (e.g., "zNet", "Client-Public")
+ */
+import { logger, logAuthAttempt } from '../utils/logger';
+/**
+ * Known groups from CSP
+ * Users may belong to one or more groups
+ */
+export const KnownGroups = {
+  ZNET: 'zNet',                      // zNet team - full access
+  CLIENT_PUBLIC: 'Client-Public',    // Client-Public team - standard access
+  ADMIN: 'admin',                    // Admin group - full access (if exists)
+} as const;
+/**
+ * Permission level for operations
+ */
+export enum PermissionLevel {
+  READ = 'read',
+  WRITE = 'write',
+  ADMIN = 'admin',
+}
+/**
+ * Tool permission configuration
+ */
+export interface ToolPermission {
+  tool: string;
+  allowedGroups: string[];  // Changed from requiredRole to allowedGroups
+  requiredPermission: PermissionLevel;
+}
+/**
+ * Default permission rules for each tool
+ * All authenticated users (with valid groups) can use these tools
+ */
+const defaultPermissions: ToolPermission[] = [
+  // sync_resources - available to all authenticated users
+  {
+    tool: 'sync_resources',
+    allowedGroups: ['*'],  // * means all authenticated users
+    requiredPermission: PermissionLevel.WRITE,
+  },
+  // manage_subscription - available to all authenticated users
+  {
+    tool: 'manage_subscription',
+    allowedGroups: ['*'],
+    requiredPermission: PermissionLevel.WRITE,
+  },
+  // search_resources - read-only, all authenticated users
+  {
+    tool: 'search_resources',
+    allowedGroups: ['*'],
+    requiredPermission: PermissionLevel.READ,
+  },
+  // upload_resource - requires write permission
+  {
+    tool: 'upload_resource',
+    allowedGroups: ['*'],
+    requiredPermission: PermissionLevel.WRITE,
+  },
+  // uninstall_resource - requires write permission
+  {
+    tool: 'uninstall_resource',
+    allowedGroups: ['*'],
+    requiredPermission: PermissionLevel.WRITE,
+  },
+];
+/**
+ * Custom permission rules (can be overridden via config)
+ */
+let permissionRules: Map<string, ToolPermission> = new Map();
+/**
+ * Initialize permission system
+ */
+export function initializePermissions(customRules?: ToolPermission[]): void {
+  // Load default permissions
+  for (const perm of defaultPermissions) {
+    permissionRules.set(perm.tool, perm);
+  }
+  // Override with custom rules if provided
+  if (customRules && customRules.length > 0) {
+    logger.info(
+      { count: customRules.length },
+      'Loading custom permission rules'
+    );
+    for (const perm of customRules) {
+      permissionRules.set(perm.tool, perm);
+    }
+  }
+  logger.info(
+    { toolCount: permissionRules.size },
+    'Permission system initialized'
+  );
+}
+/**
+ * Check if a user has permission to access a tool
+ * @param toolName - The name of the tool to check
+ * @param userGroups - The groups the user belongs to (from CSP API)
+ */
+export function checkPermission(
+  toolName: string,
+  userGroups: string[]
+): { allowed: boolean; reason?: string } {
+  const checkStartTime = Date.now();
+  logger.debug({
+    type: 'permission_check',
+    toolName,
+    userGroups,
+    timestamp: new Date().toISOString()
+  }, `Checking permission for tool: ${toolName}`);
+  // Check if tool has permission rules
+  const permission = permissionRules.get(toolName);
+  if (!permission) {
+    // If no permission rule defined, deny by default
+    logger.warn({
+      type: 'permission_check',
+      toolName,
+      userGroups,
+      result: 'denied',
+      reason: 'no_rule',
+      timestamp: new Date().toISOString()
+    }, 'No permission rule found for tool, denying access');
+    logAuthAttempt('permission_check', false, {
+      toolName,
+      userGroups,
+      reason: 'no_rule',
+      duration: Date.now() - checkStartTime
+    });
+    return {
+      allowed: false,
+      reason: `Tool '${toolName}' has no permission rule defined`,
+    };
+  }
+  // If no groups provided, deny access
+  if (!userGroups || userGroups.length === 0) {
+    logger.warn(
+      {
+        type: 'permission_check',
+        toolName,
+        result: 'denied',
+        reason: 'no_groups',
+        timestamp: new Date().toISOString()
+      },
+      'Permission denied: user has no groups'
+    );
+    logAuthAttempt('permission_check', false, {
+      toolName,
+      reason: 'no_groups',
+      duration: Date.now() - checkStartTime
+    });
+    return {
+      allowed: false,
+      reason: `User must belong to at least one group to access tools`,
+    };
+  }
+  // Admin group bypasses all checks
+  if (userGroups.includes(KnownGroups.ADMIN) || userGroups.includes('admin')) {
+    logger.info(
+      {
+        type: 'permission_check',
+        toolName,
+        userGroups,
+        result: 'granted',
+        reason: 'admin_bypass',
+        duration: Date.now() - checkStartTime,
+        timestamp: new Date().toISOString()
+      },
+      'Admin group access granted'
+    );
+    logAuthAttempt('permission_check', true, {
+      toolName,
+      userGroups,
+      reason: 'admin',
+      duration: Date.now() - checkStartTime
+    });
+    return { allowed: true };
+  }
+  // Check if tool allows all authenticated users
+  if (permission.allowedGroups.includes('*')) {
+    logger.info(
+      {
+        type: 'permission_check',
+        toolName,
+        userGroups,
+        allowedGroups: permission.allowedGroups,
+        result: 'granted',
+        reason: 'wildcard',
+        duration: Date.now() - checkStartTime,
+        timestamp: new Date().toISOString()
+      },
+      'Permission granted (tool allows all authenticated users)'
+    );
+    logAuthAttempt('permission_check', true, {
+      toolName,
+      userGroups,
+      reason: 'wildcard',
+      duration: Date.now() - checkStartTime
+    });
+    return { allowed: true };
+  }
+  // Check if user belongs to any of the allowed groups
+  const hasAllowedGroup = userGroups.some((group) =>
+    permission.allowedGroups.includes(group)
+  );
+  if (!hasAllowedGroup) {
+    logger.warn(
+      {
+        type: 'permission_check',
+        toolName,
+        userGroups,
+        allowedGroups: permission.allowedGroups,
+        result: 'denied',
+        reason: 'group_mismatch',
+        duration: Date.now() - checkStartTime,
+        timestamp: new Date().toISOString()
+      },
+      'Permission denied: user not in allowed groups'
+    );
+    logAuthAttempt('permission_check', false, {
+      toolName,
+      userGroups,
+      allowedGroups: permission.allowedGroups,
+      reason: 'group_mismatch',
+      duration: Date.now() - checkStartTime
+    });
+    return {
+      allowed: false,
+      reason: `Tool '${toolName}' requires membership in one of: ${permission.allowedGroups.join(', ')}`,
+    };
+  }
+  logger.info(
+    {
+      type: 'permission_check',
+      toolName,
+      userGroups,
+      allowedGroups: permission.allowedGroups,
+      result: 'granted',
+      reason: 'group_match',
+      duration: Date.now() - checkStartTime,
+      timestamp: new Date().toISOString()
+    },
+    'Permission granted (user in allowed groups)'
+  );
+  logAuthAttempt('permission_check', true, {
+    toolName,
+    userGroups,
+    matchedGroups: userGroups.filter(g => permission.allowedGroups.includes(g)),
+    duration: Date.now() - checkStartTime
+  });
+  return { allowed: true };
+}
+/**
+ * Get permission info for a tool
+ */
+export function getToolPermission(toolName: string): ToolPermission | undefined {
+  return permissionRules.get(toolName);
+}
+/**
+ * Get all permission rules
+ */
+export function getAllPermissions(): ToolPermission[] {
+  return Array.from(permissionRules.values());
+}
+/**
+ * Update permission rule for a tool
+ */
+export function updatePermission(permission: ToolPermission): void {
+  permissionRules.set(permission.tool, permission);
+  logger.info(
+    { tool: permission.tool, permission },
+    'Permission rule updated'
+  );
+}
+/**
+ * Remove permission rule for a tool
+ */
+export function removePermission(toolName: string): void {
+  permissionRules.delete(toolName);
+  logger.info({ toolName }, 'Permission rule removed');
+}
+// Initialize with default permissions
+initializePermissions();