@gainable.dev/mcp-server 0.1.5 → 0.2.0

package/dist/collectionSchema.d.ts

@@ -25,6 +25,11 @@ export declare function initSchemaInference(mongoUri: string, dbName: string): P
  * This ensures synchronous cache lookups work from the very first query.
  */
 export declare function preWarmSchemaCache(appName: string, allowedDatasets: string[]): Promise<void>;
+/**
+ * Lazy per-app schema warming. Only warms once per app per process lifetime.
+ * Called from createServerForRequest() so schemas are ready before the first query.
+ */
+export declare function ensureSchemaCacheWarmed(appName: string, allowedDatasets: string[]): Promise<void>;
 /**
  * Infer schema from a collection by sampling documents.
  * Results are cached for the lifetime of the process.

package/dist/collectionSchema.js

@@ -4,6 +4,10 @@ import { CORE_EXPOSED as CORE_COLLECTIONS } from './scoping/index.js';
  * Cache of inferred schemas keyed by real collection name.
  */
 const schemaCache = new Map();
+/**
+ * Track which apps have already been warmed to avoid redundant work.
+ */
+const warmedApps = new Set();
 /**
  * Singleton DB connection for schema inference.
  */
@@ -55,6 +59,16 @@ export async function preWarmSchemaCache(appName, allowedDatasets) {
         console.warn('[Schema] Pre-warm failed:', err);
     }
 }
+/**
+ * Lazy per-app schema warming. Only warms once per app per process lifetime.
+ * Called from createServerForRequest() so schemas are ready before the first query.
+ */
+export async function ensureSchemaCacheWarmed(appName, allowedDatasets) {
+    if (warmedApps.has(appName))
+        return;
+    await preWarmSchemaCache(appName, allowedDatasets);
+    warmedApps.add(appName);
+}
 /**
  * Infer schema from a collection by sampling documents.
  * Results are cached for the lifetime of the process.

package/dist/config.d.ts

@@ -1,9 +1,23 @@
-export interface ScopingConfig {
-    appName: string;
+/**
+ * Process-level config: loaded once at startup from env vars.
+ * Shared across all requests (one MCP process per account).
+ */
+export interface BaseConfig {
     accountId: string;
-    allowedDatasets: string[];
     mongodbUri: string;
+}
+/**
+ * Per-request config: extends BaseConfig with app + agent scoping.
+ * Built dynamically for each incoming MCP request.
+ */
+export interface ScopingConfig extends BaseConfig {
+    appName: string;
+    allowedDatasets: string[];
     /** Per-session field: which collections this agent can access. undefined = unrestricted. */
     agentCollections?: string[];
 }
-export declare function loadConfig(): ScopingConfig;
+/**
+ * Load process-level config from environment variables.
+ * APP_NAME is no longer required at startup — it comes from the request query.
+ */
+export declare function loadBaseConfig(): BaseConfig;

package/dist/config.js

@@ -1,16 +1,13 @@
-export function loadConfig() {
-    const appName = process.env.APP_NAME;
+/**
+ * Load process-level config from environment variables.
+ * APP_NAME is no longer required at startup — it comes from the request query.
+ */
+export function loadBaseConfig() {
     const accountId = process.env.ACCOUNT_ID;
     const mongodbUri = process.env.MONGODB_URI;
-    if (!appName)
-        throw new Error('APP_NAME is required');
     if (!accountId)
         throw new Error('ACCOUNT_ID is required');
     if (!mongodbUri)
         throw new Error('MONGODB_URI is required');
-    const allowedDatasets = (process.env.ALLOWED_DATASETS || '')
-        .split(',')
-        .map(s => s.trim())
-        .filter(Boolean);
-    return { appName, accountId, allowedDatasets, mongodbUri };
+    return { accountId, mongodbUri };
 }

package/dist/gainableHttpRunner.d.ts

@@ -1,16 +1,25 @@
 import { StreamableHttpRunner } from 'mongodb-mcp-server';
-import type { ScopingConfig } from './config.js';
+import type { BaseConfig } from './config.js';
 /**
- * Extends StreamableHttpRunner to support per-agent collection scoping.
+ * Extends StreamableHttpRunner for per-account MCP.
  *
- * Each Weavy agent connects with a URL like `/mcp?agent=marketing-agent`.
- * The agent ID is extracted from the query parameter and used to look up
- * which collections that agent is allowed to access (from MongoDB).
+ * Each request includes `?app={appName}&agent={agentId}` — both required.
+ * The runner auto-discovers datasets from the account DB and builds
+ * per-request scoping config.
  */
 export declare class GainableHttpRunner extends StreamableHttpRunner {
     private baseConfig;
     private scopeClient;
-    constructor(config: ConstructorParameters<typeof StreamableHttpRunner>[0], scopingConfig: ScopingConfig);
+    /** Cached datasets per account (auto-discovered from datamodels collection). TTL 60s. */
+    private datasetsCache;
+    private static readonly DATASETS_TTL_MS;
+    constructor(config: ConstructorParameters<typeof StreamableHttpRunner>[0], baseConfig: BaseConfig);
+    private getClient;
+    /**
+     * Auto-discover allowed datasets from the datamodels collection.
+     * Cached for 60s per process (all apps in an account share the same datasets).
+     */
+    private discoverDatasets;
     /**
      * Look up an agent's scopes from MongoDB.
      * Returns the scopes array if the agent has restrictions, or undefined if unrestricted.

package/dist/gainableHttpRunner.js

@@ -1,79 +1,125 @@
 import { MongoClient } from 'mongodb';
 import { StreamableHttpRunner } from 'mongodb-mcp-server';
 import { createScopedConnectionManagerFactory } from './scopedConnectionManager.js';
+import { ensureSchemaCacheWarmed } from './collectionSchema.js';
 /**
- * Extends StreamableHttpRunner to support per-agent collection scoping.
+ * Extends StreamableHttpRunner for per-account MCP.
  *
- * Each Weavy agent connects with a URL like `/mcp?agent=marketing-agent`.
- * The agent ID is extracted from the query parameter and used to look up
- * which collections that agent is allowed to access (from MongoDB).
+ * Each request includes `?app={appName}&agent={agentId}` — both required.
+ * The runner auto-discovers datasets from the account DB and builds
+ * per-request scoping config.
  */
 export class GainableHttpRunner extends StreamableHttpRunner {
     baseConfig;
     scopeClient = null;
-    constructor(config, scopingConfig) {
+    /** Cached datasets per account (auto-discovered from datamodels collection). TTL 60s. */
+    datasetsCache = null;
+    static DATASETS_TTL_MS = 60_000;
+    constructor(config, baseConfig) {
         super(config);
-        this.baseConfig = scopingConfig;
+        this.baseConfig = baseConfig;
     }
-    /**
-     * Look up an agent's scopes from MongoDB.
-     * Returns the scopes array if the agent has restrictions, or undefined if unrestricted.
-     */
-    async getAgentScopes(agentUid) {
+    async getClient() {
         if (!this.scopeClient) {
             this.scopeClient = new MongoClient(this.baseConfig.mongodbUri);
             await this.scopeClient.connect();
         }
-        const db = this.scopeClient.db(this.baseConfig.accountId);
-        const agent = await db.collection('agents').findOne({ appId: this.baseConfig.appName, uid: agentUid }, { projection: { scopes: 1 } });
+        return this.scopeClient;
+    }
+    /**
+     * Auto-discover allowed datasets from the datamodels collection.
+     * Cached for 60s per process (all apps in an account share the same datasets).
+     */
+    async discoverDatasets() {
+        if (this.datasetsCache && Date.now() - this.datasetsCache.fetchedAt < GainableHttpRunner.DATASETS_TTL_MS) {
+            return this.datasetsCache.datasets;
+        }
+        try {
+            const client = await this.getClient();
+            const db = client.db(this.baseConfig.accountId);
+            const models = await db.collection('datamodels').find({}, { projection: { modelId: 1 } }).toArray();
+            const datasets = models.map(m => m.modelId).filter(Boolean);
+            this.datasetsCache = { datasets, fetchedAt: Date.now() };
+            console.log(`[MCP] Discovered ${datasets.length} datasets for account ${this.baseConfig.accountId}`);
+            return datasets;
+        }
+        catch (err) {
+            console.warn('[MCP] Failed to discover datasets:', err);
+            return this.datasetsCache?.datasets ?? [];
+        }
+    }
+    /**
+     * Look up an agent's scopes from MongoDB.
+     * Returns the scopes array if the agent has restrictions, or undefined if unrestricted.
+     */
+    async getAgentScopes(appName, agentUid) {
+        const client = await this.getClient();
+        const db = client.db(this.baseConfig.accountId);
+        const agent = await db.collection('agents').findOne({ appId: appName, uid: agentUid }, { projection: { scopes: 1 } });
         if (!agent?.scopes || agent.scopes.length === 0)
             return undefined;
         // Normalize scopes: strip app prefix if present (e.g. "my-app_deals" → "deals")
-        const appPrefix = `${this.baseConfig.appName}_`;
+        const appPrefix = `${appName}_`;
         return agent.scopes.map((s) => s.startsWith(appPrefix) ? s.slice(appPrefix.length) : s);
     }
     async createServerForRequest({ request, serverOptions, sessionOptions, }) {
-        const agentId = extractAgentId(request);
-        let agentCollections;
-        if (agentId) {
-            agentCollections = await this.getAgentScopes(agentId);
+        // Both app and agent are required
+        const appName = extractQueryParam(request, 'app');
+        const agentId = extractQueryParam(request, 'agent');
+        if (!appName) {
+            throw new Error('Missing required query parameter: app');
+        }
+        if (!agentId) {
+            throw new Error('Missing required query parameter: agent');
         }
-        console.log(`[MCP Session] agent=${agentId ?? '(none)'} | scoped=${agentCollections ? 'yes' : 'no'}${agentCollections ? ` | collections=${JSON.stringify(agentCollections)}` : ''}`);
-        // Build per-agent scoping config
-        const agentConfig = {
+        // Auto-discover datasets and look up agent scopes in parallel
+        const [allowedDatasets, agentCollections] = await Promise.all([
+            this.discoverDatasets(),
+            this.getAgentScopes(appName, agentId),
+        ]);
+        // Lazy schema warming for this app
+        await ensureSchemaCacheWarmed(appName, allowedDatasets);
+        console.log(`[MCP Session] app=${appName} | agent=${agentId} | datasets=${allowedDatasets.length} | scoped=${agentCollections ? 'yes' : 'no'}${agentCollections ? ` | collections=${JSON.stringify(agentCollections)}` : ''}`);
+        // Build per-request scoping config
+        const scopingConfig = {
             ...this.baseConfig,
+            appName,
+            allowedDatasets,
             agentCollections,
         };
-        // Create a per-session connection manager with agent-specific scoping
-        console.log('[MCP Session] Creating connection manager...');
-        const connectionManager = await createScopedConnectionManagerFactory(agentConfig)({
+        // Create a per-session connection manager with request-specific scoping
+        const connectionManager = await createScopedConnectionManagerFactory(scopingConfig)({
             logger: this.logger,
             deviceId: this.deviceId,
             userConfig: this.userConfig,
         });
-        console.log('[MCP Session] Connection manager created');
-        console.log('[MCP Session] Creating server...');
         const server = await this.createServer({
             userConfig: this.userConfig,
             logger: undefined,
             serverOptions: {
                 tools: this.tools,
                 ...serverOptions,
+                toolContext: {
+                    appName,
+                    accountId: this.baseConfig.accountId,
+                    allowedDatasets,
+                },
             },
             sessionOptions: {
                 ...sessionOptions,
                 connectionManager,
             },
         });
-        console.log('[MCP Session] Server created successfully');
         return server;
     }
 }
-function extractAgentId(request) {
-    const agent = request?.query?.agent;
-    if (typeof agent === 'string')
-        return agent;
-    if (Array.isArray(agent))
-        return agent[0];
+function extractQueryParam(request, param) {
+    if (!param || !request?.query)
+        return undefined;
+    const value = request.query[param];
+    if (typeof value === 'string')
+        return value;
+    if (Array.isArray(value))
+        return value[0];
     return undefined;
 }

package/dist/index.js

@@ -1,28 +1,30 @@
 import 'dotenv/config';
 import { UserConfigSchema } from 'mongodb-mcp-server';
 import { FindTool, AggregateTool, CountTool, ExportTool, InsertManyTool, UpdateManyTool, DeleteManyTool, ListCollectionsTool, CollectionSchemaTool, CollectionIndexesTool, ExplainTool, } from 'mongodb-mcp-server/tools';
-import { loadConfig } from './config.js';
+import { loadBaseConfig } from './config.js';
 import { GainableHttpRunner } from './gainableHttpRunner.js';
-import { unwrapTools, setToolContext } from './stripUntrustedTags.js';
-import { initSchemaInference, preWarmSchemaCache } from './collectionSchema.js';
-const config = loadConfig();
+import { unwrapTools } from './stripUntrustedTags.js';
+import { initSchemaInference } from './collectionSchema.js';
+const config = loadBaseConfig();
 // Initialize schema inference connection (used for validation + response hints)
+// Schema warming happens lazily per-app in createServerForRequest()
 await initSchemaInference(config.mongodbUri, config.accountId);
-await preWarmSchemaCache(config.appName, config.allowedDatasets);
-// Set tool context so response wrappers can resolve collection names
-setToolContext(config.appName, config.allowedDatasets);
+const port = parseInt(process.env.PORT || process.env.HTTP_PORT || '3099', 10);
 const userConfig = UserConfigSchema.parse({
     transport: 'http',
-    httpPort: parseInt(process.env.HTTP_PORT || '3099', 10),
-    httpHost: '127.0.0.1',
+    httpPort: port,
+    httpHost: '0.0.0.0',
     connectionString: config.mongodbUri,
     telemetry: 'disabled',
     // 24h idle timeout — sessions are long-lived (Weavy agent conversations)
     idleTimeoutMs: 86400000,
     notificationTimeoutMs: 82800000,
     // Weavy manages session IDs externally — accept any session ID without requiring initialize
-    // This prevents 404 "session not found" after sidecar restarts
     externallyManagedSessions: true,
+    // Auth: validate X-Internal-Key header on every request (returns 403 if invalid)
+    httpHeaders: process.env.INTERNAL_API_KEY
+        ? { 'x-internal-key': process.env.INTERNAL_API_KEY }
+        : {},
     disabledTools: [
         'drop-database', 'drop-collection', 'create-collection',
         'list-databases', 'rename-collection', 'drop-index',
@@ -42,14 +44,6 @@ const tools = unwrapTools([
     ExplainTool,
 ]);
 const runner = new GainableHttpRunner({ userConfig, tools }, config);
-await runner.start({
-    serverOptions: {
-        toolContext: {
-            appName: config.appName,
-            accountId: config.accountId,
-            allowedDatasets: config.allowedDatasets,
-        },
-    },
-});
-console.log(`Gainable MCP Server running on http://127.0.0.1:${process.env.HTTP_PORT || '3099'}/mcp`);
-console.log(`App: ${config.appName} | DB: ${config.accountId}`);
+await runner.start();
+console.log(`Gainable MCP Server running on http://0.0.0.0:${port}/mcp`);
+console.log(`Account: ${config.accountId} | Per-request scoping via ?app=&agent=`);

package/dist/stripUntrustedTags.d.ts

@@ -1,5 +1,4 @@
 import type { ToolClass } from 'mongodb-mcp-server/tools';
-export declare function setToolContext(appName: string, allowedDatasets: string[]): void;
 /**
  * Strips the `<untrusted-user-data-UUID>` wrapper and security warnings
  * from tool response text content.
@@ -11,6 +10,9 @@ export declare function setToolContext(appName: string, allowedDatasets: string[
  *
  * This creates a new tool class that extends the original and post-processes
  * the invoke() result to remove the wrapping.
+ *
+ * Uses `this.toolContext` (set per-session by the MCP framework) to resolve
+ * collection names — no module-level globals needed.
  */
 export declare function unwrapTool<T extends ToolClass>(ToolCtor: T): T;
 /**

package/dist/stripUntrustedTags.js

@@ -1,12 +1,5 @@
 import { getCollectionSchema, formatSchemaHint } from './collectionSchema.js';
 import { resolveCollection } from './scoping/index.js';
-/** Set by index.ts at startup so tool wrappers can resolve collection names. */
-let _appName = '';
-let _allowedDatasets = [];
-export function setToolContext(appName, allowedDatasets) {
-    _appName = appName;
-    _allowedDatasets = allowedDatasets;
-}
 /**
  * Strips the `<untrusted-user-data-UUID>` wrapper and security warnings
  * from tool response text content.
@@ -18,6 +11,9 @@ export function setToolContext(appName, allowedDatasets) {
  *
  * This creates a new tool class that extends the original and post-processes
  * the invoke() result to remove the wrapping.
+ *
+ * Uses `this.toolContext` (set per-session by the MCP framework) to resolve
+ * collection names — no module-level globals needed.
  */
 export function unwrapTool(ToolCtor) {
     // Create a subclass that overrides invoke to strip tags
@@ -49,10 +45,13 @@ export function unwrapTool(ToolCtor) {
                 }
                 // Append schema hint for the target collection so the agent
                 // knows the correct field names, types, and valid values.
+                // Read appName and allowedDatasets from per-session toolContext.
                 const collection = args[0]?.collection;
-                if (collection && _appName) {
+                const appName = this.toolContext?.appName;
+                const allowedDatasets = this.toolContext?.allowedDatasets ?? [];
+                if (collection && appName) {
                     try {
-                        const resolved = resolveCollection(collection, _appName, _allowedDatasets);
+                        const resolved = resolveCollection(collection, appName, allowedDatasets);
                         const schema = await getCollectionSchema(resolved.realName, collection);
                         if (schema) {
                             textParts.push(formatSchemaHint(schema));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gainable.dev/mcp-server",
-  "version": "0.1.5",
+  "version": "0.2.0",
   "description": "Scoped MCP server for Gainable in-app copilot agents — wraps mongodb-mcp-server with per-app data isolation",
   "type": "module",
   "main": "dist/index.js",