npm - @josephyan/qingflow-app-user-mcp - Versions diffs - 0.2.0-beta.982 → 0.2.0-beta.984 - Mend

@josephyan/qingflow-app-user-mcp 0.2.0-beta.982 → 0.2.0-beta.984

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +2 -2
package/package.json +1 -1
package/pyproject.toml +1 -1
package/src/qingflow_mcp/__init__.py +1 -1
package/src/qingflow_mcp/builder_facade/service.py +100 -18
package/src/qingflow_mcp/cli/formatters.py +1 -0
package/src/qingflow_mcp/session_store.py +69 -15
package/src/qingflow_mcp/tools/ai_builder_tools.py +3 -1

package/README.md CHANGED Viewed

@@ -3,13 +3,13 @@
 Install:
 ```bash
-npm install @josephyan/qingflow-app-user-mcp@0.2.0-beta.982
+npm install @josephyan/qingflow-app-user-mcp@0.2.0-beta.984
 ```
 Run:
 ```bash
-npx -y -p @josephyan/qingflow-app-user-mcp@0.2.0-beta.982 qingflow-app-user-mcp
+npx -y -p @josephyan/qingflow-app-user-mcp@0.2.0-beta.984 qingflow-app-user-mcp
 ```
 Environment:

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@josephyan/qingflow-app-user-mcp",
-  "version": "0.2.0-beta.982",
+  "version": "0.2.0-beta.984",
   "description": "Operational end-user MCP for Qingflow records, tasks, comments, and directory workflows.",
   "license": "MIT",
   "type": "module",

package/pyproject.toml CHANGED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "qingflow-mcp"
-version = "0.2.0b982"
+version = "0.2.0b984"
 description = "User-authenticated MCP server for Qingflow"
 readme = "README.md"
 license = "MIT"

package/src/qingflow_mcp/__init__.py CHANGED Viewed

@@ -5,7 +5,7 @@ from pathlib import Path
 __all__ = ["__version__"]
-_FALLBACK_VERSION = "0.2.0b982"
+_FALLBACK_VERSION = "0.2.0b984"
 def _resolve_local_pyproject_version() -> str | None:

package/src/qingflow_mcp/builder_facade/service.py CHANGED Viewed

@@ -2786,6 +2786,19 @@ class AiBuilderFacade:
             "can_copy_app": _coerce_optional_bool(base.get("copyAppStatus")),
         }
+    def _derive_can_edit_app_base(self, *, profile: str, permission_summary: JSONObject) -> bool:
+        if permission_summary.get("can_edit_app") is not True:
+            return False
+        tag_ids = _coerce_int_list(permission_summary.get("tag_ids"))
+        for tag_id in tag_ids:
+            try:
+                package_permission = self._read_package_permission_summary(profile=profile, tag_id=tag_id)
+            except (QingflowApiError, RuntimeError):
+                return False
+            if package_permission.get("can_edit_tag") is not True:
+                return False
+        return True
     def _read_portal_permission_summary(self, *, dash_key: str, portal_result: dict[str, Any]) -> JSONObject:
         tag_ids = _coerce_int_list(portal_result.get("tagIds"))
         if not tag_ids:
@@ -2999,7 +3012,7 @@ class AiBuilderFacade:
     def app_read_summary(self, *, profile: str, app_key: str) -> JSONObject:
         try:
-            state = self._load_base_schema_state(profile=profile, app_key=app_key)
+            base = self.apps.app_get_base(profile=profile, app_key=app_key, include_raw=True)
         except (QingflowApiError, RuntimeError) as error:
             api_error = _coerce_api_error(error)
             return _failed_from_api_error(
@@ -3009,26 +3022,55 @@ class AiBuilderFacade:
                 details={"app_key": app_key},
                 suggested_next_call={"tool_name": "app_resolve", "arguments": {"profile": profile, "app_key": app_key}},
             )
-        views, views_unavailable = self._load_views_result(profile=profile, app_key=app_key, tolerate_404=True)
-        workflow, workflow_unavailable = self._load_workflow_result(profile=profile, app_key=app_key, tolerate_404=True)
-        parsed = state["parsed"]
+        base_result = base.get("result") if isinstance(base.get("result"), dict) else {}
+        schema_unavailable = False
+        try:
+            schema_result, _schema_source = self._read_schema_with_fallback(profile=profile, app_key=app_key)
+            parsed = _parse_schema(schema_result)
+        except (QingflowApiError, RuntimeError) as error:
+            api_error = _coerce_api_error(error)
+            if api_error.http_status == 404 or _is_permission_restricted_api_error(api_error):
+                schema_unavailable = True
+                parsed = {"fields": [], "layout": {"sections": []}}
+            else:
+                return _failed_from_api_error(
+                    "APP_READ_FAILED",
+                    api_error,
+                    normalized_args={"app_key": app_key},
+                    details={"app_key": app_key},
+                    suggested_next_call={"tool_name": "app_resolve", "arguments": {"profile": profile, "app_key": app_key}},
+                )
+        views, views_unavailable = self._load_views_result(
+            profile=profile,
+            app_key=app_key,
+            tolerate_404=True,
+            tolerate_permission_restricted=True,
+        )
+        workflow, workflow_unavailable = self._load_workflow_result(
+            profile=profile,
+            app_key=app_key,
+            tolerate_404=True,
+            tolerate_permission_restricted=True,
+        )
         verification_hints = _build_verification_hints(
-            tag_ids=_coerce_int_list(state["base"].get("tagIds")),
+            tag_ids=_coerce_int_list(base_result.get("tagIds")),
             fields=parsed["fields"],
             layout=parsed["layout"],
             views=_summarize_views(views),
         )
+        if schema_unavailable:
+            verification_hints.append("schema_read_unavailable")
         if views_unavailable:
             verification_hints.append("views_read_unavailable")
         if workflow_unavailable:
             verification_hints.append("workflow_read_unavailable")
         response = AppReadSummaryResponse(
             app_key=app_key,
-            title=state["base"].get("formTitle"),
-            app_icon=str(state["base"].get("appIcon") or "").strip() or None,
-            visibility=_public_visibility_from_member_auth(state["base"].get("auth")),
-            tag_ids=_coerce_int_list(state["base"].get("tagIds")),
-            publish_status=state["base"].get("appPublishStatus"),
+            title=base_result.get("formTitle"),
+            app_icon=str(base_result.get("appIcon") or "").strip() or None,
+            visibility=_public_visibility_from_member_auth(base_result.get("auth")),
+            tag_ids=_coerce_int_list(base_result.get("tagIds")),
+            publish_status=base_result.get("appPublishStatus"),
             field_count=len(parsed["fields"]),
             layout_section_count=len(parsed["layout"].get("sections", [])),
             view_count=len(_summarize_views(views)),
@@ -3050,10 +3092,11 @@ class AiBuilderFacade:
             "warnings": _warnings_from_verification_hints(verification_hints),
             "verification": {
                 "app_exists": True,
+                "schema_read_unavailable": schema_unavailable,
                 "views_read_unavailable": views_unavailable,
                 "workflow_read_unavailable": workflow_unavailable,
             },
-            "verified": not views_unavailable and not workflow_unavailable,
+            "verified": not schema_unavailable and not views_unavailable and not workflow_unavailable,
             **response.model_dump(mode="json"),
         }
@@ -3066,8 +3109,9 @@ class AiBuilderFacade:
         permission_summary = self._read_app_permission_summary(profile=profile, app_key=app_key)
         result["message"] = "read app config summary"
         result["editability"] = {
+            "can_edit_app_base": self._derive_can_edit_app_base(profile=profile, permission_summary=permission_summary),
             "can_edit_form": permission_summary.get("can_edit_app"),
-            "can_edit_flow": permission_summary.get("can_edit_app"),
+            "can_edit_flow": permission_summary.get("can_manage_data"),
             "can_edit_views": permission_summary.get("can_manage_data"),
             "can_edit_charts": permission_summary.get("can_manage_data"),
         }
@@ -7444,17 +7488,35 @@ class AiBuilderFacade:
             sync_result = {**sync_result, "button_config_restored": True}
         return sync_result
-    def _load_views_result(self, *, profile: str, app_key: str, tolerate_404: bool) -> tuple[Any, bool]:
+    def _load_views_result(
+        self,
+        *,
+        profile: str,
+        app_key: str,
+        tolerate_404: bool,
+        tolerate_permission_restricted: bool = False,
+    ) -> tuple[Any, bool]:
         try:
             views = self.views.view_list_flat(profile=profile, app_key=app_key)
         except (QingflowApiError, RuntimeError) as error:
             api_error = _coerce_api_error(error)
-            if api_error.http_status == 404:
+            if api_error.http_status == 404 or (
+                tolerate_permission_restricted and _is_permission_restricted_api_error(api_error)
+            ):
                 try:
                     legacy_views = self.views.view_list(profile=profile, app_key=app_key)
                 except (QingflowApiError, RuntimeError) as legacy_error:
                     legacy_api_error = _coerce_api_error(legacy_error)
-                    if tolerate_404 and legacy_api_error.http_status == 404:
+                    if (
+                        tolerate_404
+                        and (
+                            legacy_api_error.http_status == 404
+                            or (
+                                tolerate_permission_restricted
+                                and _is_permission_restricted_api_error(legacy_api_error)
+                            )
+                        )
+                    ):
                         return [], True
                     raise
                 legacy_result = legacy_views.get("result")
@@ -7471,19 +7533,38 @@ class AiBuilderFacade:
             legacy_views = self.views.view_list(profile=profile, app_key=app_key)
         except (QingflowApiError, RuntimeError) as legacy_error:
             legacy_api_error = _coerce_api_error(legacy_error)
-            if tolerate_404 and legacy_api_error.http_status == 404:
+            if (
+                tolerate_404
+                and (
+                    legacy_api_error.http_status == 404
+                    or (
+                        tolerate_permission_restricted
+                        and _is_permission_restricted_api_error(legacy_api_error)
+                    )
+                )
+            ):
                 return normalized_views, False
             raise
         legacy_result = legacy_views.get("result")
         legacy_normalized = _normalize_view_collection(legacy_result)
         return legacy_normalized or normalized_views, False
-    def _load_workflow_result(self, *, profile: str, app_key: str, tolerate_404: bool) -> tuple[Any, bool]:
+    def _load_workflow_result(
+        self,
+        *,
+        profile: str,
+        app_key: str,
+        tolerate_404: bool,
+        tolerate_permission_restricted: bool = False,
+    ) -> tuple[Any, bool]:
         try:
             workflow = self.workflows.workflow_list_nodes(profile=profile, app_key=app_key)
         except (QingflowApiError, RuntimeError) as error:
             api_error = _coerce_api_error(error)
-            if tolerate_404 and api_error.http_status == 404:
+            if tolerate_404 and (
+                api_error.http_status == 404
+                or (tolerate_permission_restricted and _is_permission_restricted_api_error(api_error))
+            ):
                 return [], True
             raise
         return workflow.get("result"), False
@@ -12241,6 +12322,7 @@ def _warnings_from_verification_hints(hints: list[str]) -> list[dict[str, Any]]:
         "package attachment not verified": _warning("PACKAGE_ATTACHMENT_UNVERIFIED", "package attachment is not verified"),
         "layout has unplaced fields": _warning("LAYOUT_HAS_UNPLACED_FIELDS", "layout still contains unplaced fields"),
         "no public views detected": _warning("NO_PUBLIC_VIEWS", "no public views were detected"),
+        "schema_read_unavailable": _warning("SCHEMA_READ_UNAVAILABLE", "schema summary readback is unavailable"),
         "views_read_unavailable": _warning("VIEWS_READ_UNAVAILABLE", "views summary readback is unavailable"),
         "workflow_read_unavailable": _warning("WORKFLOW_READ_UNAVAILABLE", "workflow summary readback is unavailable"),
     }

package/src/qingflow_mcp/cli/formatters.py CHANGED Viewed

@@ -118,6 +118,7 @@ def _format_app_get(result: dict[str, Any]) -> str:
     if editability:
         lines.append(
             "Editability: "
+            f"app_base={editability.get('can_edit_app_base')} / "
             f"form={editability.get('can_edit_form')} / "
             f"flow={editability.get('can_edit_flow')} / "
             f"views={editability.get('can_edit_views')} / "

package/src/qingflow_mcp/session_store.py CHANGED Viewed

@@ -1,6 +1,7 @@
 from __future__ import annotations
 import json
+import os
 from dataclasses import asdict, dataclass
 from datetime import datetime, timezone
 from pathlib import Path
@@ -70,6 +71,7 @@ class SessionStore:
         profiles_path = get_profiles_path() if base_dir is None else Path(base_dir) / "profiles.json"
         self._profiles_path = profiles_path
         self._profiles_path.parent.mkdir(parents=True, exist_ok=True)
+        self._secrets_path = self._profiles_path.parent / "secrets.json"
         self._keyring = keyring_backend if keyring_backend is not None else keyring
         self._memory_sessions: dict[str, BackendSession] = {}
         self._logged_out_profiles: set[str] = set()
@@ -264,26 +266,78 @@ class SessionStore:
             json.dump(payload, handle, ensure_ascii=False, indent=2)
     def _set_secret(self, key: str, value: str) -> bool:
-        if self._keyring is None:
-            return False
+        if self._keyring is not None:
+            try:
+                self._keyring.set_password(KEYRING_SERVICE_NAME, key, value)
+                self._delete_file_secret(key)
+                return True
+            except Exception:
+                pass
+        return self._set_file_secret(key, value)
+    def _get_secret(self, key: str) -> str | None:
+        if self._keyring is not None:
+            try:
+                value = self._keyring.get_password(KEYRING_SERVICE_NAME, key)
+            except Exception:
+                value = None
+            if value:
+                return value
+        return self._get_file_secret(key)
+    def _delete_secret(self, key: str) -> None:
+        if self._keyring is not None:
+            try:
+                self._keyring.delete_password(KEYRING_SERVICE_NAME, key)
+            except Exception:
+                pass
+        self._delete_file_secret(key)
+    def _load_file_secrets(self) -> dict[str, str]:
+        if not self._secrets_path.exists():
+            return {}
+        try:
+            with self._secrets_path.open("r", encoding="utf-8") as handle:
+                payload = json.load(handle)
+        except (OSError, json.JSONDecodeError):
+            return {}
+        if not isinstance(payload, dict):
+            return {}
+        return {str(key): str(value) for key, value in payload.items() if isinstance(value, str)}
+    def _save_file_secrets(self, payload: dict[str, str]) -> bool:
+        self._secrets_path.parent.mkdir(parents=True, exist_ok=True)
         try:
-            self._keyring.set_password(KEYRING_SERVICE_NAME, key, value)
+            fd = os.open(self._secrets_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
+            with os.fdopen(fd, "w", encoding="utf-8") as handle:
+                json.dump(payload, handle, ensure_ascii=False, indent=2)
+            try:
+                os.chmod(self._secrets_path, 0o600)
+            except OSError:
+                pass
             return True
-        except Exception:
+        except OSError:
             return False
-    def _get_secret(self, key: str) -> str | None:
-        if self._keyring is None:
-            return None
-        try:
-            return self._keyring.get_password(KEYRING_SERVICE_NAME, key)
-        except Exception:
-            return None
+    def _set_file_secret(self, key: str, value: str) -> bool:
+        payload = self._load_file_secrets()
+        payload[key] = value
+        return self._save_file_secrets(payload)
-    def _delete_secret(self, key: str) -> None:
-        if self._keyring is None:
+    def _get_file_secret(self, key: str) -> str | None:
+        return self._load_file_secrets().get(key)
+    def _delete_file_secret(self, key: str) -> None:
+        payload = self._load_file_secrets()
+        if key not in payload:
+            return
+        payload.pop(key, None)
+        if payload:
+            self._save_file_secrets(payload)
             return
         try:
-            self._keyring.delete_password(KEYRING_SERVICE_NAME, key)
-        except Exception:
+            self._secrets_path.unlink()
+        except FileNotFoundError:
+            return
+        except OSError:
             return

package/src/qingflow_mcp/tools/ai_builder_tools.py CHANGED Viewed

@@ -3058,7 +3058,9 @@ _BUILDER_TOOL_CONTRACTS: dict[str, JSONObject] = {
         "execution_notes": [
             "returns builder-side app configuration summary and editability",
             "use this as the default builder discovery read before fields/layout/views/flow/charts detail reads",
-            "editability reflects builder permissions, not end-user data visibility",
+            "editability is route-aware builder capability summary, not end-user data visibility",
+            "can_edit_app_base covers app base-info writes such as app_name, icon, and visibility",
+            "can_edit_form covers form/schema routes only and does not imply app base-info writes",
             "returns normalized app visibility when backend auth is readable",
         ],
         "minimal_example": {