@equilateral_ai/mindmeld 3.4.0 → 3.5.1

package/src/handlers/mcp/mindmeldMcpStreamHandler.js

@@ -0,0 +1,342 @@
+/**
+ * MindMeld MCP Streaming Handler — Lambda Function URL (RESPONSE_STREAM)
+ *
+ * Implements MCP Streamable HTTP transport (protocol version 2025-03-26):
+ * - POST: JSON-RPC messages, responds with JSON or SSE stream
+ * - GET:  SSE handshake or OAuth discovery
+ * - DELETE: Session close
+ * - OPTIONS: CORS preflight
+ *
+ * Auth: OAuth 2.1 (Cognito JWT) OR X-MindMeld-Token / Bearer API token
+ *
+ * OAuth Discovery (RFC 9728):
+ *   GET /.well-known/oauth-protected-resource → resource metadata
+ *   401 responses include WWW-Authenticate with resource_metadata URL
+ *
+ * Uses awslambda.streamifyResponse() for Lambda Function URL streaming.
+ * The `awslambda` global is provided by the Lambda Node.js runtime.
+ */
+
+const { validateApiToken, handleJsonRpc, CORS_HEADERS } = require('./mindmeldMcpCore');
+const crypto = require('crypto');
+
+// OAuth / Cognito configuration
+const COGNITO_ISSUER = 'https://cognito-idp.us-east-2.amazonaws.com/us-east-2_638OhwuV1';
+const COGNITO_AUTH_DOMAIN = 'https://mindmeld-auth.auth.us-east-2.amazoncognito.com';
+const MCP_OAUTH_CLIENT_ID = '5bjpug8up86so7k7ndttobc0qi';
+
+/**
+ * Write an SSE event to the response stream
+ */
+function writeSSE(stream, data, eventType) {
+    if (eventType) {
+        stream.write(`event: ${eventType}\n`);
+    }
+    stream.write(`data: ${JSON.stringify(data)}\n\n`);
+}
+
+/**
+ * Parse Lambda Function URL event (different format from API Gateway)
+ */
+function parseRequest(event) {
+    const http = event.requestContext?.http || {};
+    return {
+        method: http.method || 'GET',
+        path: http.path || '/',
+        headers: event.headers || {},
+        body: event.body || '',
+        isBase64Encoded: event.isBase64Encoded || false,
+    };
+}
+
+/**
+ * Create a response stream with headers
+ */
+function createStream(responseStream, statusCode, headers) {
+    return awslambda.HttpResponseStream.from(responseStream, {
+        statusCode,
+        headers: { ...CORS_HEADERS, ...headers },
+    });
+}
+
+/**
+ * Build the Function URL base from the event
+ */
+function getBaseUrl(event) {
+    const host = event.headers?.host || '';
+    return `https://${host}`;
+}
+
+/**
+ * Return OAuth Protected Resource Metadata (RFC 9728)
+ * Points to ourselves as the authorization server so we can serve
+ * metadata that includes code_challenge_methods_supported (PKCE).
+ * Actual OAuth endpoints still point to Cognito.
+ */
+function getResourceMetadata(baseUrl) {
+    return {
+        resource: baseUrl,
+        authorization_servers: [baseUrl],
+        scopes_supported: ['mcp/standards', 'openid', 'email', 'profile'],
+        bearer_methods_supported: ['header'],
+    };
+}
+
+/**
+ * Return OAuth Authorization Server Metadata (RFC 8414)
+ * Wraps Cognito's endpoints with PKCE support declaration.
+ * Cognito supports PKCE but doesn't advertise it in OIDC metadata.
+ */
+function getAuthServerMetadata(baseUrl) {
+    return {
+        issuer: baseUrl,
+        authorization_endpoint: `${COGNITO_AUTH_DOMAIN}/oauth2/authorize`,
+        token_endpoint: `${COGNITO_AUTH_DOMAIN}/oauth2/token`,
+        revocation_endpoint: `${COGNITO_AUTH_DOMAIN}/oauth2/revoke`,
+        userinfo_endpoint: `${COGNITO_AUTH_DOMAIN}/oauth2/userInfo`,
+        jwks_uri: `${COGNITO_ISSUER}/.well-known/jwks.json`,
+        scopes_supported: ['mcp/standards', 'openid', 'email', 'profile'],
+        response_types_supported: ['code'],
+        grant_types_supported: ['authorization_code', 'refresh_token'],
+        token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post'],
+        code_challenge_methods_supported: ['S256'],
+        subject_types_supported: ['public'],
+        id_token_signing_alg_values_supported: ['RS256'],
+    };
+}
+
+/**
+ * Return 401 with WWW-Authenticate header per MCP OAuth spec
+ */
+function write401(stream, baseUrl) {
+    stream.write(JSON.stringify({
+        error: 'unauthorized',
+        message: 'Authentication required. Use OAuth or provide X-MindMeld-Token header.',
+    }));
+    stream.end();
+}
+
+// Lambda Function URL streaming handler
+const streamHandler = async (event, responseStream, context) => {
+    // CRITICAL: Don't wait for event loop to drain — the cached pg client
+    // keeps it alive forever, causing 900s timeouts on every request.
+    context.callbackWaitsForEmptyEventLoop = false;
+
+    const { method, headers, body, isBase64Encoded } = parseRequest(event);
+    const path = parseRequest(event).path;
+    const baseUrl = getBaseUrl(event);
+
+    // Request logging for debugging
+    const hasAuth = !!(headers['authorization'] || headers['x-mindmeld-token']);
+    console.log(`[MCP-Stream] ${method} ${path} auth=${hasAuth} accept=${headers['accept'] || 'none'}`);
+
+    // === OAuth Discovery: Protected Resource Metadata (RFC 9728) ===
+    if (method === 'GET' && path === '/.well-known/oauth-protected-resource') {
+        const stream = createStream(responseStream, 200, {
+            'Content-Type': 'application/json',
+            'Cache-Control': 'public, max-age=3600',
+        });
+        stream.write(JSON.stringify(getResourceMetadata(baseUrl)));
+        stream.end();
+        return;
+    }
+
+    // === OAuth Discovery: Authorization Server Metadata (RFC 8414) ===
+    if (method === 'GET' && path === '/.well-known/oauth-authorization-server') {
+        const stream = createStream(responseStream, 200, {
+            'Content-Type': 'application/json',
+            'Cache-Control': 'public, max-age=3600',
+        });
+        stream.write(JSON.stringify(getAuthServerMetadata(baseUrl)));
+        stream.end();
+        return;
+    }
+
+    // === OPTIONS: CORS preflight ===
+    if (method === 'OPTIONS') {
+        const stream = createStream(responseStream, 200, {
+            'Access-Control-Max-Age': '86400',
+        });
+        stream.end();
+        return;
+    }
+
+    // === DELETE: Session close ===
+    if (method === 'DELETE') {
+        const stream = createStream(responseStream, 200, {
+            'Content-Type': 'application/json',
+        });
+        stream.end();
+        return;
+    }
+
+    // WWW-Authenticate header for 401 responses
+    const wwwAuth = `Bearer resource_metadata="${baseUrl}/.well-known/oauth-protected-resource"`;
+
+    // === GET: SSE handshake ===
+    if (method === 'GET') {
+        const authResult = await validateApiToken(headers);
+        if (authResult.error) {
+            const stream = createStream(responseStream, 401, {
+                'Content-Type': 'application/json',
+                'WWW-Authenticate': wwwAuth,
+            });
+            write401(stream, baseUrl);
+            return;
+        }
+
+        const sessionId = crypto.randomUUID();
+        const stream = createStream(responseStream, 200, {
+            'Content-Type': 'text/event-stream',
+            'Cache-Control': 'no-cache',
+            'Connection': 'keep-alive',
+            'Mcp-Session-Id': sessionId,
+        });
+
+        // Send endpoint event — legacy SSE clients expect this
+        stream.write(`event: endpoint\ndata: ${path}\n\n`);
+
+        // For Streamable HTTP clients probing via GET: close after endpoint event.
+        // The client will then POST to us for actual JSON-RPC messages.
+        stream.end();
+        return;
+    }
+
+    // === POST: Streamable HTTP JSON-RPC ===
+    if (method !== 'POST') {
+        const stream = createStream(responseStream, 405, {
+            'Content-Type': 'application/json',
+        });
+        stream.write(JSON.stringify({ error: 'Method not allowed' }));
+        stream.end();
+        return;
+    }
+
+    // Auth
+    const authResult = await validateApiToken(headers);
+    if (authResult.error) {
+        console.log(`[MCP-Stream] POST auth failed: ${authResult.error} - ${authResult.message}`);
+        const stream = createStream(responseStream, 401, {
+            'Content-Type': 'application/json',
+            'WWW-Authenticate': wwwAuth,
+        });
+        write401(stream, baseUrl);
+        return;
+    }
+    console.log(`[MCP-Stream] POST auth OK: ${authResult.user.email}`);
+
+    // Parse body (Function URL may base64-encode it)
+    let parsedBody;
+    try {
+        const raw = isBase64Encoded ? Buffer.from(body, 'base64').toString() : body;
+        parsedBody = JSON.parse(raw);
+    } catch (e) {
+        const stream = createStream(responseStream, 400, {
+            'Content-Type': 'application/json',
+        });
+        stream.write(JSON.stringify({
+            jsonrpc: '2.0',
+            error: { code: -32700, message: 'Parse error: invalid JSON' },
+            id: null,
+        }));
+        stream.end();
+        return;
+    }
+
+    // Session ID management
+    const sessionId = headers['mcp-session-id'] || crypto.randomUUID();
+
+    // Check if client wants SSE response
+    const acceptHeader = headers['accept'] || '';
+    const wantsSSE = acceptHeader.includes('text/event-stream');
+
+    if (wantsSSE) {
+        // === SSE streaming response ===
+        const stream = createStream(responseStream, 200, {
+            'Content-Type': 'text/event-stream',
+            'Cache-Control': 'no-cache',
+            'Mcp-Session-Id': sessionId,
+        });
+
+        if (Array.isArray(parsedBody)) {
+            for (const msg of parsedBody) {
+                const response = await handleJsonRpc(msg, authResult.user);
+                if (response) {
+                    writeSSE(stream, response, 'message');
+                }
+            }
+        } else {
+            const response = await handleJsonRpc(parsedBody, authResult.user);
+            if (response) {
+                writeSSE(stream, response, 'message');
+            }
+        }
+
+        stream.end();
+    } else {
+        // === Standard JSON response ===
+        const responseHeaders = {
+            'Content-Type': 'application/json',
+            'Mcp-Session-Id': sessionId,
+        };
+
+        if (Array.isArray(parsedBody)) {
+            const responses = [];
+            for (const msg of parsedBody) {
+                const response = await handleJsonRpc(msg, authResult.user);
+                if (response) responses.push(response);
+            }
+            const stream = createStream(responseStream,
+                responses.length > 0 ? 200 : 202, responseHeaders);
+            if (responses.length > 0) {
+                stream.write(JSON.stringify(responses));
+            }
+            stream.end();
+        } else {
+            const response = await handleJsonRpc(parsedBody, authResult.user);
+            if (!response) {
+                const stream = createStream(responseStream, 202, responseHeaders);
+                stream.end();
+            } else {
+                const stream = createStream(responseStream, 200, responseHeaders);
+                stream.write(JSON.stringify(response));
+                stream.end();
+            }
+        }
+    }
+};
+
+// awslambda is a global provided by the Lambda Node.js runtime.
+// In local/test environments it won't exist — export the raw handler for testing.
+if (typeof awslambda !== 'undefined') {
+    exports.handler = awslambda.streamifyResponse(streamHandler);
+} else {
+    // Fallback for local testing: wrap as standard async handler
+    exports.handler = async (event) => {
+        let result = { statusCode: 200, headers: {}, body: '' };
+        const mockStream = {
+            _headers: {},
+            _statusCode: 200,
+            _chunks: [],
+            write(chunk) { this._chunks.push(chunk); },
+            end() {},
+        };
+        // Mock awslambda.HttpResponseStream.from
+        const originalFrom = mockStream;
+        const createMockStream = (_rs, meta) => {
+            mockStream._statusCode = meta.statusCode;
+            mockStream._headers = meta.headers;
+            return mockStream;
+        };
+        global.awslambda = {
+            HttpResponseStream: { from: createMockStream },
+        };
+        await streamHandler(event, mockStream, {});
+        delete global.awslambda;
+        return {
+            statusCode: mockStream._statusCode,
+            headers: mockStream._headers,
+            body: mockStream._chunks.join(''),
+        };
+    };
+}

package/src/handlers/standards/discoveriesGet.js

@@ -6,7 +6,7 @@
  * Auth: Cognito JWT required
  */
 
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
+const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse, verifyProjectAccess } = require('./helpers');
 
 async function getDiscoveries({ queryStringParameters, requestContext }) {
     try {
@@ -23,13 +23,9 @@ async function getDiscoveries({ queryStringParameters, requestContext }) {
             return createErrorResponse(400, 'project_id is required');
         }
 
-        // Verify user has access to project
-        const accessResult = await executeQuery(`
-            SELECT role FROM rapport.project_collaborators
-            WHERE project_id = $1 AND email_address = $2
-        `, [projectId, email]);
-
-        if (accessResult.rowCount === 0) {
+        // Verify user has access to project (collaborator or company member)
+        const projectAccess = await verifyProjectAccess(projectId, email);
+        if (!projectAccess) {
             return createErrorResponse(403, 'Access denied to project');
         }
 

package/src/handlers/standards/projectStandardsGet.js

@@ -6,7 +6,7 @@
  * Auth: Cognito JWT required
  */
 
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
+const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse, verifyProjectAccess } = require('./helpers');
 
 async function getProjectStandards({ queryStringParameters, pathParameters, requestContext }) {
     try {
@@ -22,19 +22,13 @@ async function getProjectStandards({ queryStringParameters, pathParameters, requ
             return createErrorResponse(400, 'projectId is required');
         }
 
-        // Verify user has access to project
-        const accessResult = await executeQuery(`
-            SELECT pc.role, p.project_name
-            FROM rapport.project_collaborators pc
-            JOIN rapport.projects p ON pc.project_id = p.project_id
-            WHERE pc.project_id = $1 AND pc.email_address = $2
-        `, [projectId, email]);
-
-        if (accessResult.rowCount === 0) {
+        // Verify user has access to project (collaborator or company member)
+        const projectAccess = await verifyProjectAccess(projectId, email);
+        if (!projectAccess) {
             return createErrorResponse(403, 'Access denied to project');
         }
 
-        const projectName = accessResult.rows[0].project_name;
+        const projectName = projectAccess.project_name;
 
         // Get project standards preferences
         const prefsResult = await executeQuery(`

package/src/handlers/standards/projectStandardsPut.js

@@ -7,7 +7,7 @@
  * Auth: Cognito JWT required
  */
 
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
+const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse, verifyProjectRole } = require('./helpers');
 
 async function updateProjectStandards({ body, pathParameters, requestContext }) {
     try {
@@ -27,21 +27,14 @@ async function updateProjectStandards({ body, pathParameters, requestContext })
             enabled_categories,
             standard_overrides,
             critical_overrides,
-            catalog_id = 'equilateral-v1'
+            catalog_id = 'equilateral-v1',
+            standard_id,
+            load_bearing
         } = body || {};
 
-        // Verify user has admin access to project
-        const accessResult = await executeQuery(`
-            SELECT role FROM rapport.project_collaborators
-            WHERE project_id = $1 AND email_address = $2
-        `, [projectId, email]);
-
-        if (accessResult.rowCount === 0) {
-            return createErrorResponse(403, 'Access denied to project');
-        }
-
-        const role = accessResult.rows[0].role;
-        if (role !== 'owner' && role !== 'admin') {
+        // Verify user has admin access to project (project owner/admin or company admin)
+        const projectAccess = await verifyProjectRole(projectId, email, ['owner', 'admin']);
+        if (!projectAccess) {
             return createErrorResponse(403, 'Admin access required to modify standards preferences');
         }
 
@@ -70,6 +63,18 @@ async function updateProjectStandards({ body, pathParameters, requestContext })
             }
         }
 
+        // Update load_bearing flag on a specific standard if provided
+        if (standard_id && typeof load_bearing === 'boolean') {
+            await executeQuery(`
+                UPDATE rapport.standards_patterns
+                SET load_bearing = $1
+                WHERE pattern_id = $2
+                  AND (company_id IS NULL OR company_id = (
+                      SELECT company_id FROM rapport.user_entitlements WHERE email_address = $3 LIMIT 1
+                  ))
+            `, [load_bearing, standard_id, email]);
+        }
+
         // Upsert project standards
         const result = await executeQuery(`
             INSERT INTO rapport.project_standards (

package/src/handlers/standards/standardsParseUpload.js

@@ -10,7 +10,7 @@
  * parsed YAML-compatible standards ready for storage or review.
  */
 
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
+const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse, verifyProjectAccess } = require('./helpers');
 
 const { parseAdr } = require('./core/parsers/adrParser');
 const { parseEslint } = require('./core/parsers/eslintParser');
@@ -49,13 +49,9 @@ async function parseUploadStandards({ body, requestContext }) {
       });
     }
 
-    // Verify user has access to the project
-    const accessResult = await executeQuery(`
-      SELECT role FROM rapport.project_collaborators
-      WHERE project_id = $1 AND email_address = $2
-    `, [project_id, email]);
-
-    if (accessResult.rowCount === 0) {
+    // Verify user has access to the project (collaborator or company member)
+    const projectAccess = await verifyProjectAccess(project_id, email);
+    if (!projectAccess) {
       return createErrorResponse(403, 'Access denied to project');
     }