@equilateral_ai/mindmeld 3.5.0 → 3.5.2

package/src/handlers/helpers/predictiveCache.js

@@ -0,0 +1,51 @@
+const { executeQuery } = require('./index');
+
+/**
+ * Get standards that are consistently relevant for a project (>80% activation rate over 30 days)
+ */
+async function getPredictedStandards(projectId) {
+    const result = await executeQuery(`
+        WITH activation_stats AS (
+            SELECT
+                standard_id,
+                COUNT(*) as activation_count,
+                COUNT(DISTINCT DATE(activated_at)) as active_days
+            FROM rapport.standards_activation_log
+            WHERE project_id = $1
+            AND activated_at > NOW() - INTERVAL '30 days'
+            GROUP BY standard_id
+        ),
+        total_sessions AS (
+            SELECT COUNT(DISTINCT DATE(activated_at)) as total_days
+            FROM rapport.standards_activation_log
+            WHERE project_id = $1
+            AND activated_at > NOW() - INTERVAL '30 days'
+        )
+        SELECT a.standard_id,
+               a.activation_count,
+               a.active_days,
+               t.total_days,
+               CASE WHEN t.total_days > 0
+                    THEN ROUND(a.active_days::numeric / t.total_days * 100, 1)
+                    ELSE 0 END as activation_rate
+        FROM activation_stats a, total_sessions t
+        WHERE t.total_days >= 5
+        AND a.active_days::numeric / GREATEST(t.total_days, 1) > 0.8
+        ORDER BY activation_rate DESC
+    `, [projectId]);
+    return result.rows;
+}
+
+/**
+ * Log which standards were activated for a project
+ */
+async function logStandardsActivation(projectId, standardIds) {
+    if (!standardIds || standardIds.length === 0) return;
+    const values = standardIds.map((id, i) => `($1, $${i + 2})`).join(', ');
+    await executeQuery(
+        `INSERT INTO rapport.standards_activation_log (project_id, standard_id) VALUES ${values}`,
+        [projectId, ...standardIds]
+    );
+}
+
+module.exports = { getPredictedStandards, logStandardsActivation };

package/src/handlers/helpers/projectAccess.js

@@ -0,0 +1,88 @@
+/**
+ * Project Access Verification
+ *
+ * Centralizes the "can this user access this project?" check.
+ * Grants access if the user is either:
+ *   1. A direct project collaborator (rapport.project_collaborators)
+ *   2. A member of the company that owns the project (rapport.user_entitlements)
+ *
+ * Returns the project row (project_id, project_name, company_id) on success,
+ * or null if the user has no access.
+ */
+
+const { executeQuery } = require('./dbOperations');
+
+/**
+ * Verify a user has access to a project via collaborator role or company membership.
+ * @param {string} projectId - Project ID to check
+ * @param {string} email - User's email address
+ * @returns {Promise<{project_id: string, project_name: string, company_id: string, access_type: string}|null>}
+ *   Project row with access_type ('collaborator' or 'company_member'), or null if no access.
+ */
+async function verifyProjectAccess(projectId, email) {
+    const result = await executeQuery(`
+        SELECT
+            p.project_id,
+            p.project_name,
+            p.company_id,
+            CASE
+                WHEN pc.email_address IS NOT NULL THEN 'collaborator'
+                WHEN ue.email_address IS NOT NULL THEN 'company_member'
+            END as access_type
+        FROM rapport.projects p
+        LEFT JOIN rapport.project_collaborators pc
+            ON p.project_id = pc.project_id
+            AND pc.email_address = $2
+        LEFT JOIN rapport.user_entitlements ue
+            ON p.company_id = ue.company_id
+            AND ue.email_address = $2
+        WHERE p.project_id = $1
+        AND (pc.email_address IS NOT NULL OR ue.email_address IS NOT NULL)
+        LIMIT 1
+    `, [projectId, email]);
+
+    return result.rows.length > 0 ? result.rows[0] : null;
+}
+
+/**
+ * Verify a user has a specific collaborator role on a project,
+ * OR is a company admin (which grants equivalent access).
+ * @param {string} projectId - Project ID to check
+ * @param {string} email - User's email address
+ * @param {string[]} allowedRoles - Collaborator roles that grant access (e.g. ['owner', 'admin'])
+ * @returns {Promise<{project_id: string, project_name: string, company_id: string, role: string|null, company_admin: boolean}|null>}
+ */
+async function verifyProjectRole(projectId, email, allowedRoles = ['owner', 'admin', 'collaborator']) {
+    const result = await executeQuery(`
+        SELECT
+            p.project_id,
+            p.project_name,
+            p.company_id,
+            pc.role,
+            COALESCE(ue.admin, false) as company_admin
+        FROM rapport.projects p
+        LEFT JOIN rapport.project_collaborators pc
+            ON p.project_id = pc.project_id
+            AND pc.email_address = $2
+        LEFT JOIN rapport.user_entitlements ue
+            ON p.company_id = ue.company_id
+            AND ue.email_address = $2
+        WHERE p.project_id = $1
+        AND (pc.email_address IS NOT NULL OR ue.email_address IS NOT NULL)
+        LIMIT 1
+    `, [projectId, email]);
+
+    if (result.rows.length === 0) return null;
+
+    const row = result.rows[0];
+    const hasRole = row.role && allowedRoles.includes(row.role);
+    const isCompanyAdmin = row.company_admin === true;
+
+    if (hasRole || isCompanyAdmin) {
+        return row;
+    }
+
+    return null;
+}
+
+module.exports = { verifyProjectAccess, verifyProjectRole };

package/src/handlers/mcp/mindmeldMcpStreamHandler.js

@@ -3,11 +3,15 @@
  *
  * Implements MCP Streamable HTTP transport (protocol version 2025-03-26):
  * - POST: JSON-RPC messages, responds with JSON or SSE stream
- * - GET:  Legacy SSE handshake (endpoint event + close)
+ * - GET:  SSE handshake or OAuth discovery
  * - DELETE: Session close
  * - OPTIONS: CORS preflight
  *
- * Auth: X-MindMeld-Token header OR Authorization: Bearer token
+ * Auth: OAuth 2.1 (Cognito JWT) OR X-MindMeld-Token / Bearer API token
+ *
+ * OAuth Discovery (RFC 9728):
+ *   GET /.well-known/oauth-protected-resource → resource metadata
+ *   401 responses include WWW-Authenticate with resource_metadata URL
  *
  * Uses awslambda.streamifyResponse() for Lambda Function URL streaming.
  * The `awslambda` global is provided by the Lambda Node.js runtime.
@@ -16,6 +20,11 @@
 const { validateApiToken, handleJsonRpc, CORS_HEADERS } = require('./mindmeldMcpCore');
 const crypto = require('crypto');
 
+// OAuth / Cognito configuration
+const COGNITO_ISSUER = 'https://cognito-idp.us-east-2.amazonaws.com/us-east-2_638OhwuV1';
+const COGNITO_AUTH_DOMAIN = 'https://mindmeld-auth.auth.us-east-2.amazoncognito.com';
+const MCP_OAUTH_CLIENT_ID = '5bjpug8up86so7k7ndttobc0qi';
+
 /**
  * Write an SSE event to the response stream
  */
@@ -50,9 +59,98 @@ function createStream(responseStream, statusCode, headers) {
     });
 }
 
+/**
+ * Build the Function URL base from the event
+ */
+function getBaseUrl(event) {
+    const host = event.headers?.host || '';
+    return `https://${host}`;
+}
+
+/**
+ * Return OAuth Protected Resource Metadata (RFC 9728)
+ * Points to ourselves as the authorization server so we can serve
+ * metadata that includes code_challenge_methods_supported (PKCE).
+ * Actual OAuth endpoints still point to Cognito.
+ */
+function getResourceMetadata(baseUrl) {
+    return {
+        resource: baseUrl,
+        authorization_servers: [baseUrl],
+        scopes_supported: ['mcp/standards', 'openid', 'email', 'profile'],
+        bearer_methods_supported: ['header'],
+    };
+}
+
+/**
+ * Return OAuth Authorization Server Metadata (RFC 8414)
+ * Wraps Cognito's endpoints with PKCE support declaration.
+ * Cognito supports PKCE but doesn't advertise it in OIDC metadata.
+ */
+function getAuthServerMetadata(baseUrl) {
+    return {
+        issuer: baseUrl,
+        authorization_endpoint: `${COGNITO_AUTH_DOMAIN}/oauth2/authorize`,
+        token_endpoint: `${COGNITO_AUTH_DOMAIN}/oauth2/token`,
+        revocation_endpoint: `${COGNITO_AUTH_DOMAIN}/oauth2/revoke`,
+        userinfo_endpoint: `${COGNITO_AUTH_DOMAIN}/oauth2/userInfo`,
+        jwks_uri: `${COGNITO_ISSUER}/.well-known/jwks.json`,
+        scopes_supported: ['mcp/standards', 'openid', 'email', 'profile'],
+        response_types_supported: ['code'],
+        grant_types_supported: ['authorization_code', 'refresh_token'],
+        token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post'],
+        code_challenge_methods_supported: ['S256'],
+        subject_types_supported: ['public'],
+        id_token_signing_alg_values_supported: ['RS256'],
+    };
+}
+
+/**
+ * Return 401 with WWW-Authenticate header per MCP OAuth spec
+ */
+function write401(stream, baseUrl) {
+    stream.write(JSON.stringify({
+        error: 'unauthorized',
+        message: 'Authentication required. Use OAuth or provide X-MindMeld-Token header.',
+    }));
+    stream.end();
+}
+
 // Lambda Function URL streaming handler
-const streamHandler = async (event, responseStream, _context) => {
+const streamHandler = async (event, responseStream, context) => {
+    // CRITICAL: Don't wait for event loop to drain — the cached pg client
+    // keeps it alive forever, causing 900s timeouts on every request.
+    context.callbackWaitsForEmptyEventLoop = false;
+
     const { method, headers, body, isBase64Encoded } = parseRequest(event);
+    const path = parseRequest(event).path;
+    const baseUrl = getBaseUrl(event);
+
+    // Request logging for debugging
+    const hasAuth = !!(headers['authorization'] || headers['x-mindmeld-token']);
+    console.log(`[MCP-Stream] ${method} ${path} auth=${hasAuth} accept=${headers['accept'] || 'none'}`);
+
+    // === OAuth Discovery: Protected Resource Metadata (RFC 9728) ===
+    if (method === 'GET' && path === '/.well-known/oauth-protected-resource') {
+        const stream = createStream(responseStream, 200, {
+            'Content-Type': 'application/json',
+            'Cache-Control': 'public, max-age=3600',
+        });
+        stream.write(JSON.stringify(getResourceMetadata(baseUrl)));
+        stream.end();
+        return;
+    }
+
+    // === OAuth Discovery: Authorization Server Metadata (RFC 8414) ===
+    if (method === 'GET' && path === '/.well-known/oauth-authorization-server') {
+        const stream = createStream(responseStream, 200, {
+            'Content-Type': 'application/json',
+            'Cache-Control': 'public, max-age=3600',
+        });
+        stream.write(JSON.stringify(getAuthServerMetadata(baseUrl)));
+        stream.end();
+        return;
+    }
 
     // === OPTIONS: CORS preflight ===
     if (method === 'OPTIONS') {
@@ -72,15 +170,18 @@ const streamHandler = async (event, responseStream, _context) => {
         return;
     }
 
-    // === GET: Legacy SSE handshake ===
+    // WWW-Authenticate header for 401 responses
+    const wwwAuth = `Bearer resource_metadata="${baseUrl}/.well-known/oauth-protected-resource"`;
+
+    // === GET: SSE handshake ===
     if (method === 'GET') {
         const authResult = await validateApiToken(headers);
         if (authResult.error) {
             const stream = createStream(responseStream, 401, {
                 'Content-Type': 'application/json',
+                'WWW-Authenticate': wwwAuth,
             });
-            stream.write(JSON.stringify({ error: authResult.message }));
-            stream.end();
+            write401(stream, baseUrl);
             return;
         }
 
@@ -93,7 +194,7 @@ const streamHandler = async (event, responseStream, _context) => {
         });
 
         // Send endpoint event — legacy SSE clients expect this
-        stream.write(`event: endpoint\ndata: ${parseRequest(event).path}\n\n`);
+        stream.write(`event: endpoint\ndata: ${path}\n\n`);
 
         // For Streamable HTTP clients probing via GET: close after endpoint event.
         // The client will then POST to us for actual JSON-RPC messages.
@@ -114,17 +215,15 @@ const streamHandler = async (event, responseStream, _context) => {
     // Auth
     const authResult = await validateApiToken(headers);
     if (authResult.error) {
-        const stream = createStream(responseStream, 200, {
+        console.log(`[MCP-Stream] POST auth failed: ${authResult.error} - ${authResult.message}`);
+        const stream = createStream(responseStream, 401, {
             'Content-Type': 'application/json',
+            'WWW-Authenticate': wwwAuth,
         });
-        stream.write(JSON.stringify({
-            jsonrpc: '2.0',
-            error: { code: -32000, message: authResult.message },
-            id: null,
-        }));
-        stream.end();
+        write401(stream, baseUrl);
         return;
     }
+    console.log(`[MCP-Stream] POST auth OK: ${authResult.user.email}`);
 
     // Parse body (Function URL may base64-encode it)
     let parsedBody;

package/src/handlers/standards/discoveriesGet.js

@@ -6,7 +6,7 @@
  * Auth: Cognito JWT required
  */
 
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
+const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse, verifyProjectAccess } = require('./helpers');
 
 async function getDiscoveries({ queryStringParameters, requestContext }) {
     try {
@@ -23,13 +23,9 @@ async function getDiscoveries({ queryStringParameters, requestContext }) {
             return createErrorResponse(400, 'project_id is required');
         }
 
-        // Verify user has access to project
-        const accessResult = await executeQuery(`
-            SELECT role FROM rapport.project_collaborators
-            WHERE project_id = $1 AND email_address = $2
-        `, [projectId, email]);
-
-        if (accessResult.rowCount === 0) {
+        // Verify user has access to project (collaborator or company member)
+        const projectAccess = await verifyProjectAccess(projectId, email);
+        if (!projectAccess) {
             return createErrorResponse(403, 'Access denied to project');
         }
 

package/src/handlers/standards/projectStandardsGet.js

@@ -6,7 +6,7 @@
  * Auth: Cognito JWT required
  */
 
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
+const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse, verifyProjectAccess } = require('./helpers');
 
 async function getProjectStandards({ queryStringParameters, pathParameters, requestContext }) {
     try {
@@ -22,19 +22,13 @@ async function getProjectStandards({ queryStringParameters, pathParameters, requ
             return createErrorResponse(400, 'projectId is required');
         }
 
-        // Verify user has access to project
-        const accessResult = await executeQuery(`
-            SELECT pc.role, p.project_name
-            FROM rapport.project_collaborators pc
-            JOIN rapport.projects p ON pc.project_id = p.project_id
-            WHERE pc.project_id = $1 AND pc.email_address = $2
-        `, [projectId, email]);
-
-        if (accessResult.rowCount === 0) {
+        // Verify user has access to project (collaborator or company member)
+        const projectAccess = await verifyProjectAccess(projectId, email);
+        if (!projectAccess) {
             return createErrorResponse(403, 'Access denied to project');
         }
 
-        const projectName = accessResult.rows[0].project_name;
+        const projectName = projectAccess.project_name;
 
         // Get project standards preferences
         const prefsResult = await executeQuery(`

package/src/handlers/standards/projectStandardsPut.js

@@ -7,7 +7,7 @@
  * Auth: Cognito JWT required
  */
 
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
+const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse, verifyProjectRole } = require('./helpers');
 
 async function updateProjectStandards({ body, pathParameters, requestContext }) {
     try {
@@ -27,21 +27,14 @@ async function updateProjectStandards({ body, pathParameters, requestContext })
             enabled_categories,
             standard_overrides,
             critical_overrides,
-            catalog_id = 'equilateral-v1'
+            catalog_id = 'equilateral-v1',
+            standard_id,
+            load_bearing
         } = body || {};
 
-        // Verify user has admin access to project
-        const accessResult = await executeQuery(`
-            SELECT role FROM rapport.project_collaborators
-            WHERE project_id = $1 AND email_address = $2
-        `, [projectId, email]);
-
-        if (accessResult.rowCount === 0) {
-            return createErrorResponse(403, 'Access denied to project');
-        }
-
-        const role = accessResult.rows[0].role;
-        if (role !== 'owner' && role !== 'admin') {
+        // Verify user has admin access to project (project owner/admin or company admin)
+        const projectAccess = await verifyProjectRole(projectId, email, ['owner', 'admin']);
+        if (!projectAccess) {
             return createErrorResponse(403, 'Admin access required to modify standards preferences');
         }
 
@@ -70,6 +63,33 @@ async function updateProjectStandards({ body, pathParameters, requestContext })
             }
         }
 
+        // Update load_bearing flag on a specific standard if provided
+        if (standard_id && typeof load_bearing === 'boolean') {
+            const userCompany = await executeQuery(`
+                SELECT company_id FROM rapport.user_entitlements WHERE email_address = $1 LIMIT 1
+            `, [email]);
+            const companyId = userCompany.rows[0]?.company_id;
+
+            // Try base standards first
+            const baseResult = await executeQuery(`
+                UPDATE rapport.standards_patterns
+                SET load_bearing = $1
+                WHERE pattern_id = $2
+                  AND (company_id IS NULL OR company_id = $3)
+            `, [load_bearing, standard_id, companyId]);
+
+            // If no base standard matched, try company overrides
+            if (baseResult.rowCount === 0 && companyId) {
+                await executeQuery(`
+                    UPDATE rapport.company_standard_overrides
+                    SET load_bearing = $1
+                    WHERE (base_standard_id = $2 OR override_id::text = $3)
+                      AND company_id = $4
+                      AND active = TRUE
+                `, [load_bearing, standard_id, standard_id.replace('company-add-', ''), companyId]);
+            }
+        }
+
         // Upsert project standards
         const result = await executeQuery(`
             INSERT INTO rapport.project_standards (

package/src/handlers/standards/standardsParseUpload.js

@@ -10,7 +10,7 @@
  * parsed YAML-compatible standards ready for storage or review.
  */
 
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
+const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse, verifyProjectAccess } = require('./helpers');
 
 const { parseAdr } = require('./core/parsers/adrParser');
 const { parseEslint } = require('./core/parsers/eslintParser');
@@ -49,13 +49,9 @@ async function parseUploadStandards({ body, requestContext }) {
       });
     }
 
-    // Verify user has access to the project
-    const accessResult = await executeQuery(`
-      SELECT role FROM rapport.project_collaborators
-      WHERE project_id = $1 AND email_address = $2
-    `, [project_id, email]);
-
-    if (accessResult.rowCount === 0) {
+    // Verify user has access to the project (collaborator or company member)
+    const projectAccess = await verifyProjectAccess(project_id, email);
+    if (!projectAccess) {
       return createErrorResponse(403, 'Access denied to project');
     }