@getjack/jack 0.1.16 → 0.1.17

package/src/lib/wrangler-config.ts

@@ -0,0 +1,459 @@
+/**
+ * Utilities for modifying wrangler.jsonc while preserving comments
+ */
+
+import { existsSync } from "node:fs";
+import { parseJsonc } from "./jsonc.ts";
+
+export interface D1BindingConfig {
+	binding: string; // e.g., "DB" or "ANALYTICS_DB"
+	database_name: string; // e.g., "my-app-db"
+	database_id: string; // UUID from Cloudflare
+}
+
+interface WranglerConfig {
+	d1_databases?: Array<{
+		binding: string;
+		database_name?: string;
+		database_id?: string;
+	}>;
+	[key: string]: unknown;
+}
+
+/**
+ * Get existing D1 bindings from wrangler.jsonc
+ */
+export async function getExistingD1Bindings(configPath: string): Promise<D1BindingConfig[]> {
+	if (!existsSync(configPath)) {
+		throw new Error(`wrangler.jsonc not found at ${configPath}`);
+	}
+
+	const content = await Bun.file(configPath).text();
+	const config = parseJsonc<WranglerConfig>(content);
+
+	if (!config.d1_databases || !Array.isArray(config.d1_databases)) {
+		return [];
+	}
+
+	return config.d1_databases
+		.filter((db) => db.binding && db.database_name && db.database_id)
+		.map((db) => ({
+			binding: db.binding,
+			database_name: db.database_name as string,
+			database_id: db.database_id as string,
+		}));
+}
+
+/**
+ * Add a D1 database binding to wrangler.jsonc while preserving comments.
+ *
+ * Uses text manipulation to preserve comments rather than full JSON parsing.
+ */
+export async function addD1Binding(configPath: string, binding: D1BindingConfig): Promise<void> {
+	if (!existsSync(configPath)) {
+		throw new Error(
+			`wrangler.jsonc not found at ${configPath}. Create a wrangler.jsonc file first or run 'jack new' to create a new project.`,
+		);
+	}
+
+	const content = await Bun.file(configPath).text();
+
+	// Parse to understand existing structure
+	const config = parseJsonc<WranglerConfig>(content);
+
+	// Format the new binding entry
+	const bindingJson = formatD1BindingEntry(binding);
+
+	let newContent: string;
+
+	if (config.d1_databases && Array.isArray(config.d1_databases)) {
+		// d1_databases exists - append to the array
+		newContent = appendToD1DatabasesArray(content, bindingJson);
+	} else {
+		// d1_databases doesn't exist - add it before closing brace
+		newContent = addD1DatabasesSection(content, bindingJson);
+	}
+
+	await Bun.write(configPath, newContent);
+}
+
+/**
+ * Format a D1 binding as a JSON object string with proper indentation
+ */
+function formatD1BindingEntry(binding: D1BindingConfig): string {
+	return `{
+			"binding": "${binding.binding}",
+			"database_name": "${binding.database_name}",
+			"database_id": "${binding.database_id}"
+		}`;
+}
+
+/**
+ * Append a new entry to an existing d1_databases array.
+ * Finds the closing bracket of the array and inserts before it.
+ */
+function appendToD1DatabasesArray(content: string, bindingJson: string): string {
+	// Find "d1_databases" and then find its closing bracket
+	const d1Match = content.match(/"d1_databases"\s*:\s*\[/);
+	if (!d1Match || d1Match.index === undefined) {
+		throw new Error("Could not find d1_databases array in config");
+	}
+
+	const arrayStartIndex = d1Match.index + d1Match[0].length;
+
+	// Find the matching closing bracket, accounting for nested structures
+	const closingBracketIndex = findMatchingBracket(content, arrayStartIndex - 1, "[", "]");
+	if (closingBracketIndex === -1) {
+		throw new Error("Could not find closing bracket for d1_databases array");
+	}
+
+	// Check if array is empty or has content
+	const arrayContent = content.slice(arrayStartIndex, closingBracketIndex).trim();
+	const isEmpty = arrayContent === "" || isOnlyCommentsAndWhitespace(arrayContent);
+
+	// Build the insertion
+	let insertion: string;
+	if (isEmpty) {
+		// Empty array - just add the entry
+		insertion = `\n\t\t${bindingJson}\n\t`;
+	} else {
+		// Has existing entries - add comma and new entry
+		insertion = `,\n\t\t${bindingJson}`;
+	}
+
+	// Find position just before the closing bracket
+	// We want to insert after the last non-whitespace content but before the bracket
+	const beforeBracket = content.slice(0, closingBracketIndex);
+	const afterBracket = content.slice(closingBracketIndex);
+
+	if (isEmpty) {
+		return beforeBracket + insertion + afterBracket;
+	}
+
+	// For non-empty arrays, find the last closing brace of an object in the array
+	const lastObjectEnd = findLastObjectEndInArray(content, arrayStartIndex, closingBracketIndex);
+	if (lastObjectEnd === -1) {
+		// Fallback: insert before closing bracket
+		return beforeBracket + insertion + afterBracket;
+	}
+
+	return content.slice(0, lastObjectEnd + 1) + insertion + content.slice(lastObjectEnd + 1);
+}
+
+/**
+ * Add a new d1_databases section to the config.
+ * Inserts before the final closing brace.
+ */
+function addD1DatabasesSection(content: string, bindingJson: string): string {
+	// Find the last closing brace in the file
+	const lastBraceIndex = content.lastIndexOf("}");
+	if (lastBraceIndex === -1) {
+		throw new Error("Invalid JSON: no closing brace found");
+	}
+
+	// Check what comes before the last brace to determine if we need a comma
+	const beforeBrace = content.slice(0, lastBraceIndex);
+	const needsComma = shouldAddCommaBefore(beforeBrace);
+
+	// Build the d1_databases section
+	const d1Section = `"d1_databases": [
+		${bindingJson}
+	]`;
+
+	// Find proper insertion point - look for last non-whitespace content
+	const trimmedBefore = beforeBrace.trimEnd();
+	const whitespaceAfterContent = beforeBrace.slice(trimmedBefore.length);
+
+	let insertion: string;
+	if (needsComma) {
+		insertion = `,\n\t${d1Section}`;
+	} else {
+		insertion = `\n\t${d1Section}`;
+	}
+
+	// Reconstruct: content before + insertion + newline + closing brace
+	return trimmedBefore + insertion + "\n" + content.slice(lastBraceIndex);
+}
+
+/**
+ * Find the matching closing bracket/brace for an opening one
+ */
+function findMatchingBracket(
+	content: string,
+	startIndex: number,
+	openChar: string,
+	closeChar: string,
+): number {
+	let depth = 0;
+	let inString = false;
+	let stringChar = "";
+	let escaped = false;
+	let inLineComment = false;
+	let inBlockComment = false;
+
+	for (let i = startIndex; i < content.length; i++) {
+		const char = content[i] ?? "";
+		const next = content[i + 1] ?? "";
+
+		// Handle line comments
+		if (inLineComment) {
+			if (char === "\n") {
+				inLineComment = false;
+			}
+			continue;
+		}
+
+		// Handle block comments
+		if (inBlockComment) {
+			if (char === "*" && next === "/") {
+				inBlockComment = false;
+				i++;
+			}
+			continue;
+		}
+
+		// Handle strings
+		if (inString) {
+			if (escaped) {
+				escaped = false;
+				continue;
+			}
+			if (char === "\\") {
+				escaped = true;
+				continue;
+			}
+			if (char === stringChar) {
+				inString = false;
+				stringChar = "";
+			}
+			continue;
+		}
+
+		// Check for comment start
+		if (char === "/" && next === "/") {
+			inLineComment = true;
+			i++;
+			continue;
+		}
+		if (char === "/" && next === "*") {
+			inBlockComment = true;
+			i++;
+			continue;
+		}
+
+		// Check for string start
+		if (char === '"' || char === "'") {
+			inString = true;
+			stringChar = char;
+			continue;
+		}
+
+		// Track bracket depth
+		if (char === openChar) {
+			depth++;
+		} else if (char === closeChar) {
+			depth--;
+			if (depth === 0) {
+				return i;
+			}
+		}
+	}
+
+	return -1;
+}
+
+/**
+ * Check if content is only whitespace and comments
+ */
+function isOnlyCommentsAndWhitespace(content: string): boolean {
+	let inLineComment = false;
+	let inBlockComment = false;
+
+	for (let i = 0; i < content.length; i++) {
+		const char = content[i] ?? "";
+		const next = content[i + 1] ?? "";
+
+		if (inLineComment) {
+			if (char === "\n") {
+				inLineComment = false;
+			}
+			continue;
+		}
+
+		if (inBlockComment) {
+			if (char === "*" && next === "/") {
+				inBlockComment = false;
+				i++;
+			}
+			continue;
+		}
+
+		if (char === "/" && next === "/") {
+			inLineComment = true;
+			i++;
+			continue;
+		}
+
+		if (char === "/" && next === "*") {
+			inBlockComment = true;
+			i++;
+			continue;
+		}
+
+		if (!/\s/.test(char)) {
+			return false;
+		}
+	}
+
+	return true;
+}
+
+/**
+ * Find the last closing brace of an object within an array range
+ */
+function findLastObjectEndInArray(content: string, startIndex: number, endIndex: number): number {
+	let lastBraceIndex = -1;
+	let inString = false;
+	let stringChar = "";
+	let escaped = false;
+	let inLineComment = false;
+	let inBlockComment = false;
+
+	for (let i = startIndex; i < endIndex; i++) {
+		const char = content[i] ?? "";
+		const next = content[i + 1] ?? "";
+
+		if (inLineComment) {
+			if (char === "\n") {
+				inLineComment = false;
+			}
+			continue;
+		}
+
+		if (inBlockComment) {
+			if (char === "*" && next === "/") {
+				inBlockComment = false;
+				i++;
+			}
+			continue;
+		}
+
+		if (inString) {
+			if (escaped) {
+				escaped = false;
+				continue;
+			}
+			if (char === "\\") {
+				escaped = true;
+				continue;
+			}
+			if (char === stringChar) {
+				inString = false;
+				stringChar = "";
+			}
+			continue;
+		}
+
+		if (char === "/" && next === "/") {
+			inLineComment = true;
+			i++;
+			continue;
+		}
+
+		if (char === "/" && next === "*") {
+			inBlockComment = true;
+			i++;
+			continue;
+		}
+
+		if (char === '"' || char === "'") {
+			inString = true;
+			stringChar = char;
+			continue;
+		}
+
+		if (char === "}") {
+			lastBraceIndex = i;
+		}
+	}
+
+	return lastBraceIndex;
+}
+
+/**
+ * Determine if we need to add a comma before new content.
+ * Looks at the last non-whitespace, non-comment character.
+ */
+function shouldAddCommaBefore(content: string): boolean {
+	// Strip trailing comments and whitespace to find last meaningful char
+	let i = content.length - 1;
+	let inLineComment = false;
+
+	// First pass: find where any trailing line comment starts
+	for (let j = content.length - 1; j >= 0; j--) {
+		if (content[j] === "\n") {
+			// Check if there's a // comment on this line
+			const lineStart = content.lastIndexOf("\n", j - 1) + 1;
+			const line = content.slice(lineStart, j);
+			const commentIndex = findLineCommentStart(line);
+			if (commentIndex !== -1) {
+				i = lineStart + commentIndex - 1;
+			}
+			break;
+		}
+	}
+
+	// Skip whitespace
+	while (i >= 0 && /\s/.test(content[i] ?? "")) {
+		i--;
+	}
+
+	if (i < 0) return false;
+
+	const lastChar = content[i];
+	// Need comma if last char is }, ], ", number, or identifier char
+	// Don't need comma if last char is { or [ or ,
+	return lastChar !== "{" && lastChar !== "[" && lastChar !== ",";
+}
+
+/**
+ * Find the start of a line comment (//) in a string, respecting strings
+ */
+function findLineCommentStart(line: string): number {
+	let inString = false;
+	let stringChar = "";
+	let escaped = false;
+
+	for (let i = 0; i < line.length - 1; i++) {
+		const char = line[i] ?? "";
+		const next = line[i + 1] ?? "";
+
+		if (inString) {
+			if (escaped) {
+				escaped = false;
+				continue;
+			}
+			if (char === "\\") {
+				escaped = true;
+				continue;
+			}
+			if (char === stringChar) {
+				inString = false;
+				stringChar = "";
+			}
+			continue;
+		}
+
+		if (char === '"' || char === "'") {
+			inString = true;
+			stringChar = char;
+			continue;
+		}
+
+		if (char === "/" && next === "/") {
+			return i;
+		}
+	}
+
+	return -1;
+}

package/src/mcp/tools/index.ts

@@ -5,6 +5,12 @@ import { JackError, JackErrorCode } from "../../lib/errors.ts";
 import { createProject, deployProject, getProjectStatus } from "../../lib/project-operations.ts";
 import { listAllProjects } from "../../lib/project-resolver.ts";
 import { createDatabase } from "../../lib/services/db-create.ts";
+import {
+	DestructiveOperationError,
+	WriteNotAllowedError,
+	executeSql,
+	wrapResultsForMcp,
+} from "../../lib/services/db-execute.ts";
 import { listDatabases } from "../../lib/services/db-list.ts";
 import { Events, track, withTelemetry } from "../../lib/telemetry.ts";
 import type { DebugLogger, McpServerOptions } from "../types.ts";
@@ -53,6 +59,25 @@ const ListDatabasesSchema = z.object({
 		.describe("Path to project directory (defaults to current directory)"),
 });
 
+const ExecuteSqlSchema = z.object({
+	sql: z.string().describe("SQL query to execute"),
+	project_path: z
+		.string()
+		.optional()
+		.describe("Path to project directory (defaults to current directory)"),
+	allow_write: z
+		.boolean()
+		.optional()
+		.default(false)
+		.describe(
+			"Allow write operations (INSERT, UPDATE, DELETE). Required for any data modification. Destructive operations (DROP, TRUNCATE) are blocked and must be run via CLI.",
+		),
+	database_name: z
+		.string()
+		.optional()
+		.describe("Database name (auto-detect from wrangler.jsonc if not provided)"),
+});
+
 export function registerTools(server: McpServer, _options: McpServerOptions, debug: DebugLogger) {
 	// Register tool list handler
 	server.setRequestHandler(ListToolsRequestSchema, async () => {
@@ -155,6 +180,38 @@ export function registerTools(server: McpServer, _options: McpServerOptions, deb
 						},
 					},
 				},
+				{
+					name: "execute_sql",
+					description:
+						"Execute SQL against the project's D1 database. Read-only by default for safety. " +
+						"Set allow_write=true for INSERT, UPDATE, DELETE operations. " +
+						"Destructive operations (DROP, TRUNCATE, ALTER) are blocked and must be run via CLI with confirmation. " +
+						"Results are wrapped with anti-injection headers to prevent prompt injection from database content.",
+					inputSchema: {
+						type: "object",
+						properties: {
+							sql: {
+								type: "string",
+								description: "SQL query to execute",
+							},
+							project_path: {
+								type: "string",
+								description: "Path to project directory (defaults to current directory)",
+							},
+							allow_write: {
+								type: "boolean",
+								default: false,
+								description:
+									"Allow write operations (INSERT, UPDATE, DELETE). Required for any data modification.",
+							},
+							database_name: {
+								type: "string",
+								description: "Database name (auto-detect from wrangler.jsonc if not provided)",
+							},
+						},
+						required: ["sql"],
+					},
+				},
 			],
 		};
 	});
@@ -389,6 +446,110 @@ export function registerTools(server: McpServer, _options: McpServerOptions, deb
 					};
 				}
 
+				case "execute_sql": {
+					const args = ExecuteSqlSchema.parse(request.params.arguments ?? {});
+					const projectPath = args.project_path ?? process.cwd();
+
+					const wrappedExecuteSql = withTelemetry(
+						"execute_sql",
+						async (projectDir: string, sql: string, allowWrite: boolean, databaseName?: string) => {
+							try {
+								const result = await executeSql({
+									projectDir,
+									sql,
+									databaseName,
+									allowWrite,
+									interactive: false, // MCP is non-interactive
+									wrapResults: true,
+								});
+
+								// Track business event
+								track(Events.SQL_EXECUTED, {
+									risk_level: result.risk,
+									statement_count: result.statements.length,
+									platform: "mcp",
+								});
+
+								// Wrap results with anti-injection header for MCP
+								const wrappedContent = wrapResultsForMcp(result.results ?? [], sql, result.meta);
+
+								return {
+									success: result.success,
+									risk_level: result.risk,
+									results_wrapped: wrappedContent,
+									meta: result.meta,
+									warning: result.warning,
+								};
+							} catch (err) {
+								if (err instanceof WriteNotAllowedError) {
+									return {
+										success: false,
+										error: err.message,
+										suggestion: "Set allow_write=true to allow data modification",
+										risk_level: err.risk,
+									};
+								}
+								if (err instanceof DestructiveOperationError) {
+									return {
+										success: false,
+										error: err.message,
+										suggestion:
+											"Destructive operations (DROP, TRUNCATE, ALTER, DELETE without WHERE) " +
+											"must be run via CLI with explicit confirmation: " +
+											`jack services db execute "${sql.slice(0, 50)}..." --write`,
+										risk_level: "destructive",
+									};
+								}
+								throw err;
+							}
+						},
+						{ platform: "mcp" },
+					);
+
+					const result = await wrappedExecuteSql(
+						projectPath,
+						args.sql,
+						args.allow_write ?? false,
+						args.database_name,
+					);
+
+					// Check if the result indicates an error (e.g., WriteNotAllowedError, DestructiveOperationError)
+					// These are returned as objects with success: false instead of thrown
+					const resultObj = result as Record<string, unknown>;
+					if (resultObj?.success === false) {
+						return {
+							content: [
+								{
+									type: "text",
+									text: JSON.stringify(
+										{
+											success: false,
+											error: resultObj.error,
+											suggestion: resultObj.suggestion,
+											risk_level: resultObj.risk_level,
+											meta: {
+												duration_ms: Date.now() - startTime,
+											},
+										},
+										null,
+										2,
+									),
+								},
+							],
+							isError: true,
+						};
+					}
+
+					return {
+						content: [
+							{
+								type: "text",
+								text: JSON.stringify(formatSuccessResponse(result, startTime), null, 2),
+							},
+						],
+					};
+				}
+
 				default:
 					throw new Error(`Unknown tool: ${toolName}`);
 			}

package/src/templates/index.ts

@@ -73,6 +73,7 @@ async function loadTemplate(name: string): Promise<Template> {
 		description: string;
 		secrets: string[];
 		optionalSecrets?: Template["optionalSecrets"];
+		envVars?: Template["envVars"];
 		capabilities?: Template["capabilities"];
 		requires?: Template["requires"];
 		hooks?: Template["hooks"];
@@ -90,6 +91,7 @@ async function loadTemplate(name: string): Promise<Template> {
 		description: metadata.description,
 		secrets: metadata.secrets,
 		optionalSecrets: metadata.optionalSecrets,
+		envVars: metadata.envVars,
 		capabilities: metadata.capabilities,
 		requires: metadata.requires,
 		hooks: metadata.hooks,
@@ -165,6 +167,7 @@ async function fetchPublishedTemplate(username: string, slug: string): Promise<T
 		description: (metadata.description as string) || `Fork of ${username}/${slug}`,
 		secrets: (metadata.secrets as string[]) || [],
 		optionalSecrets: metadata.optionalSecrets as Template["optionalSecrets"],
+		envVars: metadata.envVars as Template["envVars"],
 		capabilities: metadata.capabilities as Template["capabilities"],
 		requires: metadata.requires as Template["requires"],
 		hooks: metadata.hooks as Template["hooks"],
@@ -200,6 +203,7 @@ async function fetchUserTemplate(slug: string): Promise<Template | null> {
 		description: (metadata.description as string) || `Your project: ${slug}`,
 		secrets: (metadata.secrets as string[]) || [],
 		optionalSecrets: metadata.optionalSecrets as Template["optionalSecrets"],
+		envVars: metadata.envVars as Template["envVars"],
 		capabilities: metadata.capabilities as Template["capabilities"],
 		requires: metadata.requires as Template["requires"],
 		hooks: metadata.hooks as Template["hooks"],

package/src/templates/types.ts

@@ -16,6 +16,8 @@ export type HookAction =
 				path: string;
 				set: Record<string, string | { from: "input" }>;
 			};
+			deployAfter?: boolean; // Redeploy after successful input (only if user provided input)
+			deployMessage?: string; // Message to show during deploy (default: "Deploying...")
 	  }
 	| {
 			action: "writeJson";
@@ -53,6 +55,15 @@ export interface OptionalSecret {
 	setupUrl?: string;
 }
 
+export interface EnvVar {
+	name: string;
+	description: string;
+	required?: boolean;
+	defaultValue?: string;
+	example?: string;
+	setupUrl?: string;
+}
+
 export interface IntentMetadata {
 	keywords: string[];
 	examples?: string[]; // For future telemetry/docs
@@ -62,6 +73,7 @@ export interface Template {
 	files: Record<string, string>; // path -> content
 	secrets?: string[]; // required secret keys (e.g., ["NEYNAR_API_KEY"])
 	optionalSecrets?: OptionalSecret[]; // optional secret configurations
+	envVars?: EnvVar[]; // environment variables (non-secret config)
 	capabilities?: Capability[]; // infrastructure requirements (deprecated, use requires)
 	requires?: ServiceTypeKey[]; // service requirements (DB, KV, CRON, QUEUE, STORAGE)
 	description?: string; // for help text