@equilateral_ai/mindmeld 3.5.3 → 4.0.2

package/src/handlers/mcp/mindmeldMcpStreamHandler.js

@@ -1,342 +0,0 @@
-/**
- * MindMeld MCP Streaming Handler — Lambda Function URL (RESPONSE_STREAM)
- *
- * Implements MCP Streamable HTTP transport (protocol version 2025-03-26):
- * - POST: JSON-RPC messages, responds with JSON or SSE stream
- * - GET:  SSE handshake or OAuth discovery
- * - DELETE: Session close
- * - OPTIONS: CORS preflight
- *
- * Auth: OAuth 2.1 (Cognito JWT) OR X-MindMeld-Token / Bearer API token
- *
- * OAuth Discovery (RFC 9728):
- *   GET /.well-known/oauth-protected-resource → resource metadata
- *   401 responses include WWW-Authenticate with resource_metadata URL
- *
- * Uses awslambda.streamifyResponse() for Lambda Function URL streaming.
- * The `awslambda` global is provided by the Lambda Node.js runtime.
- */
-
-const { validateApiToken, handleJsonRpc, CORS_HEADERS } = require('./mindmeldMcpCore');
-const crypto = require('crypto');
-
-// OAuth / Cognito configuration
-const COGNITO_ISSUER = 'https://cognito-idp.us-east-2.amazonaws.com/us-east-2_638OhwuV1';
-const COGNITO_AUTH_DOMAIN = 'https://mindmeld-auth.auth.us-east-2.amazoncognito.com';
-const MCP_OAUTH_CLIENT_ID = '5bjpug8up86so7k7ndttobc0qi';
-
-/**
- * Write an SSE event to the response stream
- */
-function writeSSE(stream, data, eventType) {
-    if (eventType) {
-        stream.write(`event: ${eventType}\n`);
-    }
-    stream.write(`data: ${JSON.stringify(data)}\n\n`);
-}
-
-/**
- * Parse Lambda Function URL event (different format from API Gateway)
- */
-function parseRequest(event) {
-    const http = event.requestContext?.http || {};
-    return {
-        method: http.method || 'GET',
-        path: http.path || '/',
-        headers: event.headers || {},
-        body: event.body || '',
-        isBase64Encoded: event.isBase64Encoded || false,
-    };
-}
-
-/**
- * Create a response stream with headers
- */
-function createStream(responseStream, statusCode, headers) {
-    return awslambda.HttpResponseStream.from(responseStream, {
-        statusCode,
-        headers: { ...CORS_HEADERS, ...headers },
-    });
-}
-
-/**
- * Build the Function URL base from the event
- */
-function getBaseUrl(event) {
-    const host = event.headers?.host || '';
-    return `https://${host}`;
-}
-
-/**
- * Return OAuth Protected Resource Metadata (RFC 9728)
- * Points to ourselves as the authorization server so we can serve
- * metadata that includes code_challenge_methods_supported (PKCE).
- * Actual OAuth endpoints still point to Cognito.
- */
-function getResourceMetadata(baseUrl) {
-    return {
-        resource: baseUrl,
-        authorization_servers: [baseUrl],
-        scopes_supported: ['mcp/standards', 'openid', 'email', 'profile'],
-        bearer_methods_supported: ['header'],
-    };
-}
-
-/**
- * Return OAuth Authorization Server Metadata (RFC 8414)
- * Wraps Cognito's endpoints with PKCE support declaration.
- * Cognito supports PKCE but doesn't advertise it in OIDC metadata.
- */
-function getAuthServerMetadata(baseUrl) {
-    return {
-        issuer: baseUrl,
-        authorization_endpoint: `${COGNITO_AUTH_DOMAIN}/oauth2/authorize`,
-        token_endpoint: `${COGNITO_AUTH_DOMAIN}/oauth2/token`,
-        revocation_endpoint: `${COGNITO_AUTH_DOMAIN}/oauth2/revoke`,
-        userinfo_endpoint: `${COGNITO_AUTH_DOMAIN}/oauth2/userInfo`,
-        jwks_uri: `${COGNITO_ISSUER}/.well-known/jwks.json`,
-        scopes_supported: ['mcp/standards', 'openid', 'email', 'profile'],
-        response_types_supported: ['code'],
-        grant_types_supported: ['authorization_code', 'refresh_token'],
-        token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post'],
-        code_challenge_methods_supported: ['S256'],
-        subject_types_supported: ['public'],
-        id_token_signing_alg_values_supported: ['RS256'],
-    };
-}
-
-/**
- * Return 401 with WWW-Authenticate header per MCP OAuth spec
- */
-function write401(stream, baseUrl) {
-    stream.write(JSON.stringify({
-        error: 'unauthorized',
-        message: 'Authentication required. Use OAuth or provide X-MindMeld-Token header.',
-    }));
-    stream.end();
-}
-
-// Lambda Function URL streaming handler
-const streamHandler = async (event, responseStream, context) => {
-    // CRITICAL: Don't wait for event loop to drain — the cached pg client
-    // keeps it alive forever, causing 900s timeouts on every request.
-    context.callbackWaitsForEmptyEventLoop = false;
-
-    const { method, headers, body, isBase64Encoded } = parseRequest(event);
-    const path = parseRequest(event).path;
-    const baseUrl = getBaseUrl(event);
-
-    // Request logging for debugging
-    const hasAuth = !!(headers['authorization'] || headers['x-mindmeld-token']);
-    console.log(`[MCP-Stream] ${method} ${path} auth=${hasAuth} accept=${headers['accept'] || 'none'}`);
-
-    // === OAuth Discovery: Protected Resource Metadata (RFC 9728) ===
-    if (method === 'GET' && path === '/.well-known/oauth-protected-resource') {
-        const stream = createStream(responseStream, 200, {
-            'Content-Type': 'application/json',
-            'Cache-Control': 'public, max-age=3600',
-        });
-        stream.write(JSON.stringify(getResourceMetadata(baseUrl)));
-        stream.end();
-        return;
-    }
-
-    // === OAuth Discovery: Authorization Server Metadata (RFC 8414) ===
-    if (method === 'GET' && path === '/.well-known/oauth-authorization-server') {
-        const stream = createStream(responseStream, 200, {
-            'Content-Type': 'application/json',
-            'Cache-Control': 'public, max-age=3600',
-        });
-        stream.write(JSON.stringify(getAuthServerMetadata(baseUrl)));
-        stream.end();
-        return;
-    }
-
-    // === OPTIONS: CORS preflight ===
-    if (method === 'OPTIONS') {
-        const stream = createStream(responseStream, 200, {
-            'Access-Control-Max-Age': '86400',
-        });
-        stream.end();
-        return;
-    }
-
-    // === DELETE: Session close ===
-    if (method === 'DELETE') {
-        const stream = createStream(responseStream, 200, {
-            'Content-Type': 'application/json',
-        });
-        stream.end();
-        return;
-    }
-
-    // WWW-Authenticate header for 401 responses
-    const wwwAuth = `Bearer resource_metadata="${baseUrl}/.well-known/oauth-protected-resource"`;
-
-    // === GET: SSE handshake ===
-    if (method === 'GET') {
-        const authResult = await validateApiToken(headers);
-        if (authResult.error) {
-            const stream = createStream(responseStream, 401, {
-                'Content-Type': 'application/json',
-                'WWW-Authenticate': wwwAuth,
-            });
-            write401(stream, baseUrl);
-            return;
-        }
-
-        const sessionId = crypto.randomUUID();
-        const stream = createStream(responseStream, 200, {
-            'Content-Type': 'text/event-stream',
-            'Cache-Control': 'no-cache',
-            'Connection': 'keep-alive',
-            'Mcp-Session-Id': sessionId,
-        });
-
-        // Send endpoint event — legacy SSE clients expect this
-        stream.write(`event: endpoint\ndata: ${path}\n\n`);
-
-        // For Streamable HTTP clients probing via GET: close after endpoint event.
-        // The client will then POST to us for actual JSON-RPC messages.
-        stream.end();
-        return;
-    }
-
-    // === POST: Streamable HTTP JSON-RPC ===
-    if (method !== 'POST') {
-        const stream = createStream(responseStream, 405, {
-            'Content-Type': 'application/json',
-        });
-        stream.write(JSON.stringify({ error: 'Method not allowed' }));
-        stream.end();
-        return;
-    }
-
-    // Auth
-    const authResult = await validateApiToken(headers);
-    if (authResult.error) {
-        console.log(`[MCP-Stream] POST auth failed: ${authResult.error} - ${authResult.message}`);
-        const stream = createStream(responseStream, 401, {
-            'Content-Type': 'application/json',
-            'WWW-Authenticate': wwwAuth,
-        });
-        write401(stream, baseUrl);
-        return;
-    }
-    console.log(`[MCP-Stream] POST auth OK: ${authResult.user.email}`);
-
-    // Parse body (Function URL may base64-encode it)
-    let parsedBody;
-    try {
-        const raw = isBase64Encoded ? Buffer.from(body, 'base64').toString() : body;
-        parsedBody = JSON.parse(raw);
-    } catch (e) {
-        const stream = createStream(responseStream, 400, {
-            'Content-Type': 'application/json',
-        });
-        stream.write(JSON.stringify({
-            jsonrpc: '2.0',
-            error: { code: -32700, message: 'Parse error: invalid JSON' },
-            id: null,
-        }));
-        stream.end();
-        return;
-    }
-
-    // Session ID management
-    const sessionId = headers['mcp-session-id'] || crypto.randomUUID();
-
-    // Check if client wants SSE response
-    const acceptHeader = headers['accept'] || '';
-    const wantsSSE = acceptHeader.includes('text/event-stream');
-
-    if (wantsSSE) {
-        // === SSE streaming response ===
-        const stream = createStream(responseStream, 200, {
-            'Content-Type': 'text/event-stream',
-            'Cache-Control': 'no-cache',
-            'Mcp-Session-Id': sessionId,
-        });
-
-        if (Array.isArray(parsedBody)) {
-            for (const msg of parsedBody) {
-                const response = await handleJsonRpc(msg, authResult.user);
-                if (response) {
-                    writeSSE(stream, response, 'message');
-                }
-            }
-        } else {
-            const response = await handleJsonRpc(parsedBody, authResult.user);
-            if (response) {
-                writeSSE(stream, response, 'message');
-            }
-        }
-
-        stream.end();
-    } else {
-        // === Standard JSON response ===
-        const responseHeaders = {
-            'Content-Type': 'application/json',
-            'Mcp-Session-Id': sessionId,
-        };
-
-        if (Array.isArray(parsedBody)) {
-            const responses = [];
-            for (const msg of parsedBody) {
-                const response = await handleJsonRpc(msg, authResult.user);
-                if (response) responses.push(response);
-            }
-            const stream = createStream(responseStream,
-                responses.length > 0 ? 200 : 202, responseHeaders);
-            if (responses.length > 0) {
-                stream.write(JSON.stringify(responses));
-            }
-            stream.end();
-        } else {
-            const response = await handleJsonRpc(parsedBody, authResult.user);
-            if (!response) {
-                const stream = createStream(responseStream, 202, responseHeaders);
-                stream.end();
-            } else {
-                const stream = createStream(responseStream, 200, responseHeaders);
-                stream.write(JSON.stringify(response));
-                stream.end();
-            }
-        }
-    }
-};
-
-// awslambda is a global provided by the Lambda Node.js runtime.
-// In local/test environments it won't exist — export the raw handler for testing.
-if (typeof awslambda !== 'undefined') {
-    exports.handler = awslambda.streamifyResponse(streamHandler);
-} else {
-    // Fallback for local testing: wrap as standard async handler
-    exports.handler = async (event) => {
-        let result = { statusCode: 200, headers: {}, body: '' };
-        const mockStream = {
-            _headers: {},
-            _statusCode: 200,
-            _chunks: [],
-            write(chunk) { this._chunks.push(chunk); },
-            end() {},
-        };
-        // Mock awslambda.HttpResponseStream.from
-        const originalFrom = mockStream;
-        const createMockStream = (_rs, meta) => {
-            mockStream._statusCode = meta.statusCode;
-            mockStream._headers = meta.headers;
-            return mockStream;
-        };
-        global.awslambda = {
-            HttpResponseStream: { from: createMockStream },
-        };
-        await streamHandler(event, mockStream, {});
-        delete global.awslambda;
-        return {
-            statusCode: mockStream._statusCode,
-            headers: mockStream._headers,
-            body: mockStream._chunks.join(''),
-        };
-    };
-}

package/src/handlers/notifications/getPreferences.js

@@ -1,84 +0,0 @@
-/**
- * Get Notification Preferences Handler
- * Retrieves user's notification preferences
- *
- * GET /api/notifications/preferences
- * Auth: Cognito JWT required
- */
-
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
-
-exports.handler = wrapHandler(async ({ requestContext }) => {
-    const Request_ID = requestContext.requestId;
-    const email = requestContext.authorizer?.claims?.email || requestContext.authorizer?.jwt?.claims?.email;
-
-    if (!email) {
-        return createErrorResponse(401, 'Authentication required');
-    }
-
-    // Get user preferences using the helper function
-    const prefsResult = await executeQuery(`
-        SELECT rapport.get_notification_preferences($1) as preferences
-    `, [email]);
-
-    const preferences = prefsResult.rows[0]?.preferences || getDefaultPreferences();
-
-    // Get notification log summary (last 30 days)
-    const logSummary = await executeQuery(`
-        SELECT
-            notification_type,
-            channel,
-            status,
-            COUNT(*) as count
-        FROM rapport.notification_log
-        WHERE email_address = $1
-            AND created_at > NOW() - INTERVAL '30 days'
-        GROUP BY notification_type, channel, status
-        ORDER BY notification_type, channel
-    `, [email]);
-
-    // Get pending digests
-    const pendingDigests = await executeQuery(`
-        SELECT
-            digest_type,
-            scheduled_for,
-            status
-        FROM rapport.digest_queue
-        WHERE email_address = $1
-            AND status = 'pending'
-        ORDER BY scheduled_for
-    `, [email]);
-
-    return createSuccessResponse(
-        {
-            preferences: preferences,
-            notification_summary: logSummary.rows,
-            pending_digests: pendingDigests.rows
-        },
-        'Preferences retrieved',
-        { Request_ID, Timestamp: new Date().toISOString() }
-    );
-});
-
-/**
- * Get default notification preferences
- */
-function getDefaultPreferences() {
-    return {
-        email_enabled: true,
-        slack_enabled: true,
-        notification_types: {
-            pattern_promotion: { email: true, slack: true },
-            weekly_digest: { email: true, slack: false },
-            critical_violation: { email: true, slack: true },
-            team_alert: { email: true, slack: true },
-            curation_candidate: { email: true, slack: true }
-        },
-        project_overrides: {},
-        digest_frequency: 'weekly',
-        digest_day: 1,
-        quiet_hours_enabled: false,
-        quiet_hours_timezone: 'America/New_York',
-        slack_dm_enabled: true
-    };
-}

package/src/handlers/notifications/sendNotification.js

@@ -1,170 +0,0 @@
-/**
- * Send Notification Handler
- * Sends email and/or Slack notifications based on user preferences
- *
- * POST /api/notifications/send
- * Auth: Cognito JWT required (Admin or internal service)
- *
- * Body:
- * {
- *   "type": "pattern_promotion|weekly_digest|critical_violation|team_alert|curation_candidate",
- *   "recipients": ["email@example.com"] | "all_project" | "all_admins",
- *   "projectId": "prj_xxx" (optional),
- *   "data": { ... notification-specific data ... }
- * }
- */
-
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
-const { NotificationService } = require('./core/NotificationService');
-
-// Initialize notification service (singleton for Lambda warm starts)
-const notificationService = new NotificationService();
-
-exports.handler = wrapHandler(async ({ requestContext, body }) => {
-    const Request_ID = requestContext.requestId;
-    const email = requestContext.authorizer?.claims?.email || requestContext.authorizer?.jwt?.claims?.email;
-
-    if (!email) {
-        return createErrorResponse(401, 'Authentication required');
-    }
-
-    // Validate required fields
-    const { type, recipients, projectId, data } = body;
-
-    if (!type) {
-        return createErrorResponse(400, 'Notification type is required');
-    }
-
-    if (!recipients) {
-        return createErrorResponse(400, 'Recipients are required');
-    }
-
-    if (!data) {
-        return createErrorResponse(400, 'Notification data is required');
-    }
-
-    // Validate notification type
-    const validTypes = ['pattern_promotion', 'weekly_digest', 'critical_violation', 'team_alert', 'curation_candidate'];
-    if (!validTypes.includes(type)) {
-        return createErrorResponse(400, `Invalid notification type. Valid types: ${validTypes.join(', ')}`);
-    }
-
-    // Check authorization (only admins and managers can send notifications)
-    const authCheck = await executeQuery(`
-        SELECT
-            ue.admin,
-            ue.manager,
-            u.super_admin,
-            ue.company_id
-        FROM rapport.user_entitlements ue
-        JOIN rapport.users u ON ue.email_address = u.email_address
-        WHERE ue.email_address = $1
-    `, [email]);
-
-    if (authCheck.rowCount === 0) {
-        return createErrorResponse(403, 'Access denied');
-    }
-
-    const userRole = authCheck.rows[0];
-    const isAuthorized = userRole.super_admin || userRole.admin || userRole.manager;
-
-    if (!isAuthorized) {
-        return createErrorResponse(403, 'Only admins and managers can send notifications');
-    }
-
-    // Resolve recipients
-    let recipientEmails = [];
-
-    if (Array.isArray(recipients)) {
-        // Direct email list
-        recipientEmails = recipients;
-    } else if (recipients === 'all_project' && projectId) {
-        // All project collaborators
-        const collaborators = await executeQuery(`
-            SELECT pc.email_address
-            FROM rapport.project_collaborators pc
-            WHERE pc.project_id = $1
-        `, [projectId]);
-        recipientEmails = collaborators.rows.map(r => r.email_address);
-    } else if (recipients === 'all_admins') {
-        // All company admins
-        const admins = await executeQuery(`
-            SELECT ue.email_address
-            FROM rapport.user_entitlements ue
-            WHERE ue.company_id = $1 AND ue.admin = true
-        `, [userRole.company_id]);
-        recipientEmails = admins.rows.map(r => r.email_address);
-    } else if (recipients === 'all_managers') {
-        // All company managers
-        const managers = await executeQuery(`
-            SELECT ue.email_address
-            FROM rapport.user_entitlements ue
-            WHERE ue.company_id = $1 AND (ue.manager = true OR ue.admin = true)
-        `, [userRole.company_id]);
-        recipientEmails = managers.rows.map(r => r.email_address);
-    } else {
-        return createErrorResponse(400, 'Invalid recipients format');
-    }
-
-    if (recipientEmails.length === 0) {
-        return createSuccessResponse({
-            sent: 0,
-            skipped: 0,
-            failed: 0,
-            message: 'No recipients found'
-        }, 'No notifications sent');
-    }
-
-    // Get preferences for all recipients
-    const prefsQuery = await executeQuery(`
-        SELECT email_address, rapport.get_notification_preferences(email_address) as preferences
-        FROM rapport.users
-        WHERE email_address = ANY($1)
-    `, [recipientEmails]);
-
-    const prefsMap = new Map(prefsQuery.rows.map(r => [r.email_address, r.preferences]));
-
-    // Build recipient list with preferences
-    const recipientList = recipientEmails.map(recipientEmail => ({
-        email: recipientEmail,
-        preferences: prefsMap.get(recipientEmail) || null,
-        data: data,
-        projectId: projectId
-    }));
-
-    // Send batch notifications
-    const results = await notificationService.sendBatch(recipientList, type);
-
-    // Log notifications
-    for (const recipientEmail of recipientEmails) {
-        const status = results.errors.find(e => e.email === recipientEmail) ? 'failed' : 'sent';
-        const errorMessage = results.errors.find(e => e.email === recipientEmail)?.error || null;
-
-        await executeQuery(`
-            SELECT rapport.log_notification($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)
-        `, [
-            recipientEmail,
-            type,
-            'email', // Primary channel
-            status,
-            projectId || null,
-            data.referenceType || null,
-            data.referenceId || null,
-            JSON.stringify(data),
-            null, // message_id populated by NotificationService if available
-            errorMessage
-        ]);
-    }
-
-    return createSuccessResponse(
-        {
-            total: results.total,
-            sent: results.sent,
-            skipped: results.skipped,
-            failed: results.failed,
-            errors: results.errors.length > 0 ? results.errors : undefined
-        },
-        'Notifications processed',
-        { Request_ID, Timestamp: new Date().toISOString() }
-    );
-});