@harness-fe/mcp-server 3.4.1 → 4.0.0-next.1

package/src/mcp.ts

@@ -26,6 +26,8 @@ import {
 } from '@harness-fe/protocol';
 import type { IBridge } from './bridge.js';
 import type { Bridge } from './bridge.js';
+import type { AuthOptions } from './auth.js';
+import { identifyPrincipal } from './identity.js';
 import { RemoteBridge } from './remoteBridge.js';
 import type { IStore, IMemoryStore } from './store/index.js';
 import { buildVisitorTimeline } from './visitorTimeline.js';
@@ -45,6 +47,12 @@ export interface McpServerOptions {
      * var is set to a non-empty value at server-construction time.
      */
     experimentalEnvVar?: string;
+    /**
+     * Daemon auth options, used to identify the per-call principal from MCP
+     * request headers (4.0 · P4). Omit for stdio / no-auth — calls resolve to
+     * the local principal.
+     */
+    auth?: AuthOptions;
 }
 
 /**
@@ -81,7 +89,7 @@ export function createMcpServer(bridge: IBridge, options: McpServerOptions = {})
         version: PROTOCOL_VERSION,
     });
 
-    registerTools(server, bridge);
+    registerTools(server, bridge, options.auth);
 
     // Experimental tools are on by default. They only get gated when the host
     // supplies an env-var name to key off; see experimentalEnabled().
@@ -134,7 +142,7 @@ function err(message: string): {
 }
 
 
-function registerTools(server: McpServer, bridge: IBridge): void {
+function registerTools(server: McpServer, bridge: IBridge, auth?: AuthOptions): void {
     server.registerTool(
         COMMAND.PAGE_CLICK,
         {
@@ -729,108 +737,104 @@ function registerTools(server: McpServer, bridge: IBridge): void {
     );
 
     // ─── tasks.* tools (user annotations submitted from page) ─────────────
-    // TODO: temporarily hidden — re-enable when the report feature is ready.
-    // To re-enable: remove the `if (false)` wrapper below and restore the block.
 
-    /* eslint-disable no-constant-condition */
-    if (false) {
-        const taskStatusEnum = z.enum(['pending', 'claimed', 'resolved', 'all']);
+    const taskStatusEnum = z.enum(['pending', 'claimed', 'resolved', 'all']);
 
-        server.registerTool(
-            COMMAND.TASKS_PENDING,
-            {
-                description:
-                    'List user-submitted annotation tasks. Default `status="pending"`. Returns id/question/selector/url — call tasks.claim to fetch full element payload.',
-                inputSchema: {
-                    status: taskStatusEnum.optional(),
-                    limit: z.number().int().positive().optional(),
-                },
-            },
-            async ({ status, limit }) => {
-                const tasks = await bridge.listTasks({ status: status ?? 'pending', limit });
-                const summary = tasks.map((t) => ({
-                    id: t.id,
-                    status: t.status,
-                    question: t.question,
-                    selector: t.selector,
-                    url: t.url,
-                    tabId: t.tabId,
-                    createdAt: t.createdAt,
-                    claimedAt: t.claimedAt,
-                    resolvedAt: t.resolvedAt,
-                    note: t.note,
-                }));
-                return ok({ count: summary.length, tasks: summary });
+    server.registerTool(
+        COMMAND.TASKS_PENDING,
+        {
+            description:
+                'List user-submitted annotation tasks. Default `status="pending"`. Returns id/question/selector/url — call tasks.claim to fetch full element payload.',
+            inputSchema: {
+                status: taskStatusEnum.optional(),
+                limit: z.number().int().positive().optional(),
             },
-        );
+        },
+        async ({ status, limit }) => {
+            const tasks = await bridge.listTasks({ status: status ?? 'pending', limit });
+            const summary = tasks.map((t) => ({
+                id: t.id,
+                status: t.status,
+                question: t.question,
+                selector: t.selector,
+                url: t.url,
+                tabId: t.tabId,
+                createdAt: t.createdAt,
+                claimedAt: t.claimedAt,
+                resolvedAt: t.resolvedAt,
+                note: t.note,
+            }));
+            return ok({ count: summary.length, tasks: summary });
+        },
+    );
 
-        server.registerTool(
-            COMMAND.TASKS_CLAIM,
-            {
-                description:
-                    'Claim a task by id. Marks it claimed, returns full payload (selector + element outerHTML + rect).',
-                inputSchema: {
-                    taskId: z.string(),
-                },
-            },
-            async ({ taskId }) => {
-                const task = await bridge.claimTask(taskId);
-                if (!task) {
-                    throw new Error(`tasks.claim: no task with id "${taskId}"`);
-                }
-                return ok(task);
+    server.registerTool(
+        COMMAND.TASKS_CLAIM,
+        {
+            description:
+                'Claim a task by id. Marks it claimed, returns full payload (selector + element outerHTML + rect).',
+            inputSchema: {
+                taskId: z.string(),
             },
-        );
+        },
+        async ({ taskId }, extra) => {
+            const principal = identifyPrincipal(extra.requestInfo?.headers, auth ?? {});
+            const task = await bridge.claimTask(taskId, principal);
+            if (!task) {
+                throw new Error(`tasks.claim: no task with id "${taskId}"`);
+            }
+            return ok(task);
+        },
+    );
 
-        server.registerTool(
-            COMMAND.TASKS_RESOLVE,
-            {
-                description:
-                    'Mark a task as resolved with an optional note. Use after addressing the user request.',
-                inputSchema: {
-                    taskId: z.string(),
-                    note: z.string().optional(),
-                },
-            },
-            async ({ taskId, note }) => {
-                const task = await bridge.resolveTask(taskId, note);
-                if (!task) {
-                    throw new Error(`tasks.resolve: no task with id "${taskId}"`);
-                }
-                return ok({ ok: true, task });
+    server.registerTool(
+        COMMAND.TASKS_RESOLVE,
+        {
+            description:
+                'Mark a task as resolved with an optional note. Use after addressing the user request.',
+            inputSchema: {
+                taskId: z.string(),
+                note: z.string().optional(),
             },
-        );
+        },
+        async ({ taskId, note }, extra) => {
+            const principal = identifyPrincipal(extra.requestInfo?.headers, auth ?? {});
+            const task = await bridge.resolveTask(taskId, note, principal);
+            if (!task) {
+                throw new Error(`tasks.resolve: no task with id "${taskId}"`);
+            }
+            return ok({ ok: true, task });
+        },
+    );
 
-        server.registerTool(
-            'tasks.get_attachment',
-            {
-                description:
-                    'Return a task screenshot attachment as a vision-ready image block. ' +
-                    'Call after tasks.claim when the task summary includes an attachment pointer. ' +
-                    'Compatible with Claude vision and GPT-4V.',
-                inputSchema: {
-                    taskId: z.string().describe('Task id (from tasks.pending or tasks.claim).'),
-                    attachmentId: z.string().describe('Attachment id (from task.attachments[].id).'),
-                },
-            },
-            async ({ taskId, attachmentId }) => {
-                const base64 = await bridge.getTaskAttachmentData(taskId, attachmentId);
-                if (!base64) {
-                    throw new Error(`tasks.get_attachment: attachment not found (taskId=${taskId}, attachmentId=${attachmentId})`);
-                }
-                return {
-                    content: [
-                        {
-                            type: 'image' as const,
-                            mimeType: 'image/png' as const,
-                            data: base64,
-                        },
-                    ],
-                };
+    server.registerTool(
+        'tasks.get_attachment',
+        {
+            description:
+                'Return a task screenshot attachment as a vision-ready image block. ' +
+                'Call after tasks.claim when the task summary includes an attachment pointer. ' +
+                'Compatible with Claude vision and GPT-4V.',
+            inputSchema: {
+                taskId: z.string().describe('Task id (from tasks.pending or tasks.claim).'),
+                attachmentId: z.string().describe('Attachment id (from task.attachments[].id).'),
             },
-        );
-    }
-    /* eslint-enable no-constant-condition */
+        },
+        async ({ taskId, attachmentId }) => {
+            const base64 = await bridge.getTaskAttachmentData(taskId, attachmentId);
+            if (!base64) {
+                throw new Error(`tasks.get_attachment: attachment not found (taskId=${taskId}, attachmentId=${attachmentId})`);
+            }
+            return {
+                content: [
+                    {
+                        type: 'image' as const,
+                        mimeType: 'image/png' as const,
+                        data: base64,
+                    },
+                ],
+            };
+        },
+    );
 }
 
 // ─── Experimental tools (gated by HARNESS_FE_EXPERIMENTAL) ────────────────────

package/src/mcpHttp.ts

@@ -61,7 +61,13 @@ export async function startMcpHttpServer(
             ? undefined
             : opts.eventStore ?? new MemoryEventStore();
 
-    const server = createMcpServer(bridge, { experimentalEnvVar: opts.experimentalEnvVar });
+    // Pass the daemon's auth so MCP tools can identify the per-call principal
+    // from request headers (4.0 · P4). stdio (startMcpStdioServer) omits this,
+    // so stdio calls resolve to the local principal.
+    const server = createMcpServer(bridge, {
+        experimentalEnvVar: opts.experimentalEnvVar,
+        auth: (bridge as Bridge).getAuthOptions(),
+    });
     const transport = new StreamableHTTPServerTransport({
         sessionIdGenerator: stateful ? () => randomUUID() : undefined,
         eventStore,

package/src/sessionRouter.ts

@@ -12,11 +12,14 @@ import type {
     PeerRole,
     TabInfo,
 } from '@harness-fe/protocol';
+import type { Principal } from './identity.js';
 
 export interface PeerSession {
     role: PeerRole;
     projectId: string;
     tabId?: string;
+    /** Caller identity behind this connection (4.0 · P1). Defaults to `local`. */
+    principal?: Principal;
     /** Runtime-client only: identifies the page load (sessionId) this connection belongs to. */
     sessionId?: string;
     /** Runtime-client only: stable per-browser visitor identifier. */

package/src/store/JsonlStore.ts

@@ -483,6 +483,8 @@ export class JsonlStore implements IStore {
             ...existing,
             ...meta,
             id: sessionId,
+            // Write-once: first principal to open the session owns it.
+            createdBy: existing?.createdBy ?? meta.createdBy,
         };
         // Reset participants — we'll rebuild via dedup loop below
         merged.participants = [];
@@ -650,6 +652,8 @@ export class JsonlStore implements IStore {
             id: projectId,
             createdAt: existing?.createdAt ?? Date.now(),
             lastActiveAt: Date.now(),
+            // Write-once: the first principal to create the project owns it.
+            createdBy: existing?.createdBy ?? patch.createdBy,
         };
         enforceExtensionBudget(merged, `project ${projectId}`);
         writeJson(metaPath, merged);

package/src/store/identityTagging.test.ts

@@ -0,0 +1,67 @@
+/**
+ * Caller-identity tagging (4.0 · P1): `createdBy` is write-once on project /
+ * session metadata — the first principal to create the record owns it, and
+ * later upserts (which never carry an identity in normal flow) must not
+ * silently re-attribute ownership.
+ */
+import { afterEach, beforeEach, describe, expect, it } from 'vitest';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { randomUUID } from 'node:crypto';
+import { JsonlStore } from './JsonlStore.js';
+
+describe('store: createdBy tagging (P1)', () => {
+    let dir: string;
+    let store: JsonlStore;
+
+    beforeEach(() => {
+        dir = mkdtempSync(join(tmpdir(), 'harness-identity-test-'));
+        store = new JsonlStore(dir);
+    });
+    afterEach(() => {
+        store.close();
+        try { rmSync(dir, { recursive: true, force: true }); } catch { /* ignore */ }
+    });
+
+    it('project: records createdBy on creation', () => {
+        const p = store.upsertProject('proj-a', { createdBy: 'token:abc' });
+        expect(p.createdBy).toBe('token:abc');
+        expect(store.getProject('proj-a')?.createdBy).toBe('token:abc');
+    });
+
+    it('project: createdBy is write-once (later upsert without it is preserved)', () => {
+        store.upsertProject('proj-a', { createdBy: 'local' });
+        const after = store.upsertProject('proj-a', { displayName: 'renamed' });
+        expect(after.createdBy).toBe('local');
+        expect(after.displayName).toBe('renamed');
+    });
+
+    it('project: a later upsert cannot re-attribute ownership', () => {
+        store.upsertProject('proj-a', { createdBy: 'local' });
+        const after = store.upsertProject('proj-a', { createdBy: 'token:evil' });
+        expect(after.createdBy).toBe('local');
+    });
+
+    it('project: createdBy stays undefined when never supplied (back-compat)', () => {
+        const p = store.upsertProject('proj-legacy', { displayName: 'x' });
+        expect(p.createdBy).toBeUndefined();
+    });
+
+    it('session: records and locks createdBy', () => {
+        const sid = randomUUID();
+        store.upsertSession(sid, {
+            tabId: 'tab-1',
+            startedAt: Date.now(),
+            participants: [{ projectId: 'proj-a', joinedAt: Date.now() }],
+            createdBy: 'local',
+        });
+        store.upsertSession(sid, {
+            tabId: 'tab-1',
+            startedAt: Date.now(),
+            participants: [{ projectId: 'proj-a', joinedAt: Date.now() }],
+            createdBy: 'token:other',
+        });
+        expect(store.getSession(sid)?.createdBy).toBe('local');
+    });
+});

package/src/store/types.ts

@@ -104,6 +104,12 @@ export interface ProjectMeta {
     parentProjectId?: string;
     displayName?: string;
     tags?: string[];
+    /**
+     * Caller-identity tag (4.0 · P1): principal id that first created this
+     * project. Write-once (locked on creation like `createdAt`); informational
+     * in P1, the basis for `project → agent` routing/isolation in P3.
+     */
+    createdBy?: string;
     metadata?: Record<string, unknown>;
 }
 
@@ -173,6 +179,11 @@ export interface SessionMeta {
         storageKeys?: { local?: number; session?: number; cookie?: number };
         storageTruncated?: boolean;
     };
+    /**
+     * Caller-identity tag (4.0 · P1): principal id of the connection that
+     * opened this session. Write-once. Informational in P1.
+     */
+    createdBy?: string;
     metadata?: Record<string, unknown>;
 }