@gainable.dev/mcp-server 0.1.6 → 0.2.1

package/dist/collectionSchema.d.ts

@@ -25,6 +25,11 @@ export declare function initSchemaInference(mongoUri: string, dbName: string): P
  * This ensures synchronous cache lookups work from the very first query.
  */
 export declare function preWarmSchemaCache(appName: string, allowedDatasets: string[]): Promise<void>;
+/**
+ * Lazy per-app schema warming. Only warms once per app per process lifetime.
+ * Called from createServerForRequest() so schemas are ready before the first query.
+ */
+export declare function ensureSchemaCacheWarmed(appName: string, allowedDatasets: string[]): Promise<void>;
 /**
  * Infer schema from a collection by sampling documents.
  * Results are cached for the lifetime of the process.

package/dist/collectionSchema.js

@@ -4,6 +4,10 @@ import { CORE_EXPOSED as CORE_COLLECTIONS } from './scoping/index.js';
  * Cache of inferred schemas keyed by real collection name.
  */
 const schemaCache = new Map();
+/**
+ * Track which apps have already been warmed to avoid redundant work.
+ */
+const warmedApps = new Set();
 /**
  * Singleton DB connection for schema inference.
  */
@@ -29,32 +33,50 @@ export async function preWarmSchemaCache(appName, allowedDatasets) {
         return;
     try {
         const collections = await schemaDb.listCollections().toArray();
+        const sizeBefore = schemaCache.size;
+        let matched = 0;
         for (const col of collections) {
             const name = col.name;
             // App's custom collections
             if (name.startsWith(`${appName}_`)) {
                 const cleanName = name.slice(appName.length + 1);
                 await getCollectionSchema(name, cleanName);
+                matched++;
                 continue;
             }
             // Allowed data collections
             for (const datasetId of allowedDatasets) {
                 if (name === `data_${datasetId}`) {
                     await getCollectionSchema(name, datasetId);
+                    matched++;
                     break;
                 }
             }
             // Core collections (e.g. users)
             if (CORE_COLLECTIONS.includes(name)) {
                 await getCollectionSchema(name, name);
+                matched++;
             }
         }
-        console.log(`[Schema] Pre-warmed cache for ${schemaCache.size} collections`);
+        const cached = schemaCache.size - sizeBefore;
+        const skipped = matched - cached;
+        console.log(`[Schema] Pre-warmed schema for ${cached} collections${skipped > 0 ? ` (${skipped} empty collection${skipped > 1 ? 's' : ''} skipped)` : ''}`);
     }
     catch (err) {
         console.warn('[Schema] Pre-warm failed:', err);
     }
 }
+/**
+ * Lazy per-app schema warming. Only warms once per app per process lifetime.
+ * Called from createServerForRequest() so schemas are ready before the first query.
+ */
+export async function ensureSchemaCacheWarmed(appName, allowedDatasets) {
+    const key = `${appName}:${allowedDatasets.sort().join(',')}`;
+    if (warmedApps.has(key))
+        return;
+    await preWarmSchemaCache(appName, allowedDatasets);
+    warmedApps.add(key);
+}
 /**
  * Infer schema from a collection by sampling documents.
  * Results are cached for the lifetime of the process.

package/dist/config.d.ts

@@ -1,9 +1,23 @@
-export interface ScopingConfig {
-    appName: string;
+/**
+ * Process-level config: loaded once at startup from env vars.
+ * Shared across all requests (one MCP process per account).
+ */
+export interface BaseConfig {
     accountId: string;
-    allowedDatasets: string[];
     mongodbUri: string;
+}
+/**
+ * Per-request config: extends BaseConfig with app + agent scoping.
+ * Built dynamically for each incoming MCP request.
+ */
+export interface ScopingConfig extends BaseConfig {
+    appName: string;
+    allowedDatasets: string[];
     /** Per-session field: which collections this agent can access. undefined = unrestricted. */
     agentCollections?: string[];
 }
-export declare function loadConfig(): ScopingConfig;
+/**
+ * Load process-level config from environment variables.
+ * APP_NAME is no longer required at startup — it comes from the request query.
+ */
+export declare function loadBaseConfig(): BaseConfig;

package/dist/config.js

@@ -1,16 +1,13 @@
-export function loadConfig() {
-    const appName = process.env.APP_NAME;
+/**
+ * Load process-level config from environment variables.
+ * APP_NAME is no longer required at startup — it comes from the request query.
+ */
+export function loadBaseConfig() {
     const accountId = process.env.ACCOUNT_ID;
     const mongodbUri = process.env.MONGODB_URI;
-    if (!appName)
-        throw new Error('APP_NAME is required');
     if (!accountId)
         throw new Error('ACCOUNT_ID is required');
     if (!mongodbUri)
         throw new Error('MONGODB_URI is required');
-    const allowedDatasets = (process.env.ALLOWED_DATASETS || '')
-        .split(',')
-        .map(s => s.trim())
-        .filter(Boolean);
-    return { appName, accountId, allowedDatasets, mongodbUri };
+    return { accountId, mongodbUri };
 }

package/dist/gainableHttpRunner.d.ts

@@ -1,16 +1,21 @@
 import { StreamableHttpRunner } from 'mongodb-mcp-server';
-import type { ScopingConfig } from './config.js';
+import type { BaseConfig } from './config.js';
 /**
- * Extends StreamableHttpRunner to support per-agent collection scoping.
+ * Extends StreamableHttpRunner for per-account MCP.
  *
- * Each Weavy agent connects with a URL like `/mcp?agent=marketing-agent`.
- * The agent ID is extracted from the query parameter and used to look up
- * which collections that agent is allowed to access (from MongoDB).
+ * Each request includes `?app={appName}&agent={agentId}` — both required.
+ * Attached data collections are read from `app_config` in the account DB per request.
  */
 export declare class GainableHttpRunner extends StreamableHttpRunner {
     private baseConfig;
     private scopeClient;
-    constructor(config: ConstructorParameters<typeof StreamableHttpRunner>[0], scopingConfig: ScopingConfig);
+    constructor(config: ConstructorParameters<typeof StreamableHttpRunner>[0], baseConfig: BaseConfig);
+    private getClient;
+    /**
+     * Look up attached data collections for an app from the app_config collection.
+     * Returns array of collection IDs (e.g. ["col_xxx", "col_yyy"]).
+     */
+    private getAppDatasets;
     /**
      * Look up an agent's scopes from MongoDB.
      * Returns the scopes array if the agent has restrictions, or undefined if unrestricted.

package/dist/gainableHttpRunner.js

@@ -1,79 +1,108 @@
 import { MongoClient } from 'mongodb';
 import { StreamableHttpRunner } from 'mongodb-mcp-server';
 import { createScopedConnectionManagerFactory } from './scopedConnectionManager.js';
+import { ensureSchemaCacheWarmed } from './collectionSchema.js';
 /**
- * Extends StreamableHttpRunner to support per-agent collection scoping.
+ * Extends StreamableHttpRunner for per-account MCP.
  *
- * Each Weavy agent connects with a URL like `/mcp?agent=marketing-agent`.
- * The agent ID is extracted from the query parameter and used to look up
- * which collections that agent is allowed to access (from MongoDB).
+ * Each request includes `?app={appName}&agent={agentId}` — both required.
+ * Attached data collections are read from `app_config` in the account DB per request.
  */
 export class GainableHttpRunner extends StreamableHttpRunner {
     baseConfig;
     scopeClient = null;
-    constructor(config, scopingConfig) {
+    constructor(config, baseConfig) {
         super(config);
-        this.baseConfig = scopingConfig;
+        this.baseConfig = baseConfig;
     }
-    /**
-     * Look up an agent's scopes from MongoDB.
-     * Returns the scopes array if the agent has restrictions, or undefined if unrestricted.
-     */
-    async getAgentScopes(agentUid) {
+    async getClient() {
         if (!this.scopeClient) {
             this.scopeClient = new MongoClient(this.baseConfig.mongodbUri);
             await this.scopeClient.connect();
         }
-        const db = this.scopeClient.db(this.baseConfig.accountId);
-        const agent = await db.collection('agents').findOne({ appId: this.baseConfig.appName, uid: agentUid }, { projection: { scopes: 1 } });
+        return this.scopeClient;
+    }
+    /**
+     * Look up attached data collections for an app from the app_config collection.
+     * Returns array of collection IDs (e.g. ["col_xxx", "col_yyy"]).
+     */
+    async getAppDatasets(appName) {
+        const client = await this.getClient();
+        const db = client.db(this.baseConfig.accountId);
+        const config = await db.collection('app_config').findOne({ appId: appName }, { projection: { attachedCollections: 1 } });
+        return config?.attachedCollections || [];
+    }
+    /**
+     * Look up an agent's scopes from MongoDB.
+     * Returns the scopes array if the agent has restrictions, or undefined if unrestricted.
+     */
+    async getAgentScopes(appName, agentUid) {
+        const client = await this.getClient();
+        const db = client.db(this.baseConfig.accountId);
+        const agent = await db.collection('agents').findOne({ appId: appName, uid: agentUid }, { projection: { scopes: 1 } });
         if (!agent?.scopes || agent.scopes.length === 0)
             return undefined;
         // Normalize scopes: strip app prefix if present (e.g. "my-app_deals" → "deals")
-        const appPrefix = `${this.baseConfig.appName}_`;
+        const appPrefix = `${appName}_`;
         return agent.scopes.map((s) => s.startsWith(appPrefix) ? s.slice(appPrefix.length) : s);
     }
     async createServerForRequest({ request, serverOptions, sessionOptions, }) {
-        const agentId = extractAgentId(request);
-        let agentCollections;
-        if (agentId) {
-            agentCollections = await this.getAgentScopes(agentId);
+        // Both app and agent are required
+        const appName = extractQueryParam(request, 'app');
+        const agentId = extractQueryParam(request, 'agent');
+        if (!appName) {
+            throw new Error('Missing required query parameter: app');
+        }
+        if (!agentId) {
+            throw new Error('Missing required query parameter: agent');
         }
-        console.log(`[MCP Session] agent=${agentId ?? '(none)'} | scoped=${agentCollections ? 'yes' : 'no'}${agentCollections ? ` | collections=${JSON.stringify(agentCollections)}` : ''}`);
-        // Build per-agent scoping config
-        const agentConfig = {
+        // Look up attached collections from app_config in account DB
+        const allowedDatasets = await this.getAppDatasets(appName);
+        // Look up agent scopes
+        const agentCollections = await this.getAgentScopes(appName, agentId);
+        // Lazy schema warming for this app
+        await ensureSchemaCacheWarmed(appName, allowedDatasets);
+        console.log(`[MCP Session] app=${appName} | agent=${agentId} | datasets=${allowedDatasets.length > 0 ? allowedDatasets.join(',') : '(none)'} | scoped=${agentCollections ? 'yes' : 'no'}${agentCollections ? ` | collections=${JSON.stringify(agentCollections)}` : ''}`);
+        // Build per-request scoping config
+        const scopingConfig = {
             ...this.baseConfig,
+            appName,
+            allowedDatasets,
             agentCollections,
         };
-        // Create a per-session connection manager with agent-specific scoping
-        console.log('[MCP Session] Creating connection manager...');
-        const connectionManager = await createScopedConnectionManagerFactory(agentConfig)({
+        // Create a per-session connection manager with request-specific scoping
+        const connectionManager = await createScopedConnectionManagerFactory(scopingConfig)({
             logger: this.logger,
             deviceId: this.deviceId,
             userConfig: this.userConfig,
         });
-        console.log('[MCP Session] Connection manager created');
-        console.log('[MCP Session] Creating server...');
         const server = await this.createServer({
             userConfig: this.userConfig,
             logger: undefined,
             serverOptions: {
                 tools: this.tools,
                 ...serverOptions,
+                toolContext: {
+                    appName,
+                    accountId: this.baseConfig.accountId,
+                    allowedDatasets,
+                },
             },
             sessionOptions: {
                 ...sessionOptions,
                 connectionManager,
             },
         });
-        console.log('[MCP Session] Server created successfully');
         return server;
     }
 }
-function extractAgentId(request) {
-    const agent = request?.query?.agent;
-    if (typeof agent === 'string')
-        return agent;
-    if (Array.isArray(agent))
-        return agent[0];
+function extractQueryParam(request, param) {
+    if (!param || !request?.query)
+        return undefined;
+    const value = request.query[param];
+    if (typeof value === 'string')
+        return value;
+    if (Array.isArray(value))
+        return value[0];
     return undefined;
 }

package/dist/index.js

@@ -1,27 +1,25 @@
 import 'dotenv/config';
 import { UserConfigSchema } from 'mongodb-mcp-server';
 import { FindTool, AggregateTool, CountTool, ExportTool, InsertManyTool, UpdateManyTool, DeleteManyTool, ListCollectionsTool, CollectionSchemaTool, CollectionIndexesTool, ExplainTool, } from 'mongodb-mcp-server/tools';
-import { loadConfig } from './config.js';
+import { loadBaseConfig } from './config.js';
 import { GainableHttpRunner } from './gainableHttpRunner.js';
-import { unwrapTools, setToolContext } from './stripUntrustedTags.js';
-import { initSchemaInference, preWarmSchemaCache } from './collectionSchema.js';
-const config = loadConfig();
+import { unwrapTools } from './stripUntrustedTags.js';
+import { initSchemaInference } from './collectionSchema.js';
+const config = loadBaseConfig();
 // Initialize schema inference connection (used for validation + response hints)
+// Schema warming happens lazily per-app in createServerForRequest()
 await initSchemaInference(config.mongodbUri, config.accountId);
-await preWarmSchemaCache(config.appName, config.allowedDatasets);
-// Set tool context so response wrappers can resolve collection names
-setToolContext(config.appName, config.allowedDatasets);
+const port = parseInt(process.env.PORT || process.env.HTTP_PORT || '3099', 10);
 const userConfig = UserConfigSchema.parse({
     transport: 'http',
-    httpPort: parseInt(process.env.HTTP_PORT || '3099', 10),
-    httpHost: '127.0.0.1',
+    httpPort: port,
+    httpHost: '0.0.0.0',
     connectionString: config.mongodbUri,
     telemetry: 'disabled',
     // 24h idle timeout — sessions are long-lived (Weavy agent conversations)
     idleTimeoutMs: 86400000,
     notificationTimeoutMs: 82800000,
     // Weavy manages session IDs externally — accept any session ID without requiring initialize
-    // This prevents 404 "session not found" after sidecar restarts
     externallyManagedSessions: true,
     // Auth: validate X-Internal-Key header on every request (returns 403 if invalid)
     httpHeaders: process.env.INTERNAL_API_KEY
@@ -46,14 +44,6 @@ const tools = unwrapTools([
     ExplainTool,
 ]);
 const runner = new GainableHttpRunner({ userConfig, tools }, config);
-await runner.start({
-    serverOptions: {
-        toolContext: {
-            appName: config.appName,
-            accountId: config.accountId,
-            allowedDatasets: config.allowedDatasets,
-        },
-    },
-});
-console.log(`Gainable MCP Server running on http://127.0.0.1:${process.env.HTTP_PORT || '3099'}/mcp`);
-console.log(`App: ${config.appName} | DB: ${config.accountId}`);
+await runner.start();
+console.log(`Gainable MCP Server running on http://0.0.0.0:${port}/mcp`);
+console.log(`Account: ${config.accountId} | Per-request scoping via ?app=&agent=`);

package/dist/scopedProvider.js

@@ -123,8 +123,9 @@ function filterAndRenameCollections(collections, appName, allowedDatasets, agent
         // Everything else is hidden
     }
     // Agent-level restriction: filter to only allowed collections
+    // Core collections (users, userfieldmetadatas) are always included
     if (agentCollections) {
-        return results.filter(col => agentCollections.includes(col.name));
+        return results.filter(col => col.type === 'core' || agentCollections.includes(col.name));
     }
     return results;
 }

package/dist/scoping/resolveCollection.js

@@ -1,26 +1,27 @@
 export const CORE_EXPOSED = ['users', 'userfieldmetadatas'];
 const BLOCKED = ['agents', 'connections', 'emailtemplates', 'emaillogs', 'datamodels'];
 export function resolveCollection(cleanName, appName, allowedDatasets, agentCollections) {
-    // 0. Agent-level restriction: if agent has a scoped list, check it first
-    if (agentCollections && !agentCollections.includes(cleanName)) {
-        throw new Error(`Collection '${cleanName}' is not accessible`);
-    }
-    // 1. Core collections — name stays as-is
+    // 1. Core collections — always accessible regardless of agent scoping
     if (CORE_EXPOSED.includes(cleanName)) {
         return { realName: cleanName, type: 'core', writable: true };
     }
-    // 2. Data collections — check allowed datasets
+    // 2. Agent-level restriction: if agent has a scoped list, check it
+    //    (core collections above are always allowed)
+    if (agentCollections && !agentCollections.includes(cleanName)) {
+        throw new Error(`Collection '${cleanName}' is not accessible`);
+    }
+    // 3. Data collections — check allowed datasets
     for (const datasetId of allowedDatasets) {
         const realName = `data_${datasetId}`;
         if (cleanName === realName || cleanName === datasetId) {
             return { realName, type: 'data', writable: false };
         }
     }
-    // 3. Blocked core/system collections
+    // 4. Blocked core/system collections
     if (BLOCKED.includes(cleanName)) {
         throw new Error(`Collection '${cleanName}' is not accessible`);
     }
-    // 4. Custom collections — add app prefix
+    // 5. Custom collections — add app prefix
     const prefixed = `${appName}_${cleanName}`;
     return { realName: prefixed, type: 'custom', writable: true };
 }

package/dist/stripUntrustedTags.d.ts

@@ -1,5 +1,4 @@
 import type { ToolClass } from 'mongodb-mcp-server/tools';
-export declare function setToolContext(appName: string, allowedDatasets: string[]): void;
 /**
  * Strips the `<untrusted-user-data-UUID>` wrapper and security warnings
  * from tool response text content.
@@ -11,6 +10,9 @@ export declare function setToolContext(appName: string, allowedDatasets: string[
  *
  * This creates a new tool class that extends the original and post-processes
  * the invoke() result to remove the wrapping.
+ *
+ * Uses `this.toolContext` (set per-session by the MCP framework) to resolve
+ * collection names — no module-level globals needed.
  */
 export declare function unwrapTool<T extends ToolClass>(ToolCtor: T): T;
 /**

package/dist/stripUntrustedTags.js

@@ -1,12 +1,5 @@
 import { getCollectionSchema, formatSchemaHint } from './collectionSchema.js';
 import { resolveCollection } from './scoping/index.js';
-/** Set by index.ts at startup so tool wrappers can resolve collection names. */
-let _appName = '';
-let _allowedDatasets = [];
-export function setToolContext(appName, allowedDatasets) {
-    _appName = appName;
-    _allowedDatasets = allowedDatasets;
-}
 /**
  * Strips the `<untrusted-user-data-UUID>` wrapper and security warnings
  * from tool response text content.
@@ -18,6 +11,9 @@ export function setToolContext(appName, allowedDatasets) {
  *
  * This creates a new tool class that extends the original and post-processes
  * the invoke() result to remove the wrapping.
+ *
+ * Uses `this.toolContext` (set per-session by the MCP framework) to resolve
+ * collection names — no module-level globals needed.
  */
 export function unwrapTool(ToolCtor) {
     // Create a subclass that overrides invoke to strip tags
@@ -49,10 +45,13 @@ export function unwrapTool(ToolCtor) {
                 }
                 // Append schema hint for the target collection so the agent
                 // knows the correct field names, types, and valid values.
+                // Read appName and allowedDatasets from per-session toolContext.
                 const collection = args[0]?.collection;
-                if (collection && _appName) {
+                const appName = this.toolContext?.appName;
+                const allowedDatasets = this.toolContext?.allowedDatasets ?? [];
+                if (collection && appName) {
                     try {
-                        const resolved = resolveCollection(collection, _appName, _allowedDatasets);
+                        const resolved = resolveCollection(collection, appName, allowedDatasets);
                         const schema = await getCollectionSchema(resolved.realName, collection);
                         if (schema) {
                             textParts.push(formatSchemaHint(schema));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gainable.dev/mcp-server",
-  "version": "0.1.6",
+  "version": "0.2.1",
   "description": "Scoped MCP server for Gainable in-app copilot agents — wraps mongodb-mcp-server with per-app data isolation",
   "type": "module",
   "main": "dist/index.js",