npm - @memberjunction/server - Versions diffs - 3.3.0 → 4.0.0 - Mend

@memberjunction/server 3.3.0 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (296) hide show

package/README.md +59 -0
package/dist/agents/skip-agent.d.ts +65 -0
package/dist/agents/skip-agent.d.ts.map +1 -1
package/dist/agents/skip-agent.js +63 -5
package/dist/agents/skip-agent.js.map +1 -1
package/dist/agents/skip-sdk.d.ts +163 -0
package/dist/agents/skip-sdk.d.ts.map +1 -1
package/dist/agents/skip-sdk.js +143 -12
package/dist/agents/skip-sdk.js.map +1 -1
package/dist/apolloServer/TransactionPlugin.d.ts +4 -0
package/dist/apolloServer/TransactionPlugin.d.ts.map +1 -0
package/dist/apolloServer/TransactionPlugin.js +46 -0
package/dist/apolloServer/TransactionPlugin.js.map +1 -0
package/dist/apolloServer/index.d.ts +0 -1
package/dist/apolloServer/index.d.ts.map +1 -1
package/dist/auth/APIKeyScopeAuth.d.ts +82 -0
package/dist/auth/APIKeyScopeAuth.d.ts.map +1 -1
package/dist/auth/APIKeyScopeAuth.js +78 -0
package/dist/auth/APIKeyScopeAuth.js.map +1 -1
package/dist/auth/AuthProviderFactory.d.ts +35 -0
package/dist/auth/AuthProviderFactory.d.ts.map +1 -1
package/dist/auth/AuthProviderFactory.js +51 -4
package/dist/auth/AuthProviderFactory.js.map +1 -1
package/dist/auth/BaseAuthProvider.d.ts +22 -0
package/dist/auth/BaseAuthProvider.d.ts.map +1 -1
package/dist/auth/BaseAuthProvider.js +25 -8
package/dist/auth/BaseAuthProvider.js.map +1 -1
package/dist/auth/IAuthProvider.d.ts +33 -0
package/dist/auth/IAuthProvider.d.ts.map +1 -1
package/dist/auth/__tests__/backward-compatibility.test.d.ts +2 -0
package/dist/auth/__tests__/backward-compatibility.test.d.ts.map +1 -0
package/dist/auth/__tests__/backward-compatibility.test.js +135 -0
package/dist/auth/__tests__/backward-compatibility.test.js.map +1 -0
package/dist/auth/exampleNewUserSubClass.d.ts +5 -1
package/dist/auth/exampleNewUserSubClass.d.ts.map +1 -1
package/dist/auth/exampleNewUserSubClass.js +21 -6
package/dist/auth/exampleNewUserSubClass.js.map +1 -1
package/dist/auth/index.d.ts +14 -0
package/dist/auth/index.d.ts.map +1 -1
package/dist/auth/index.js +35 -22
package/dist/auth/index.js.map +1 -1
package/dist/auth/initializeProviders.d.ts +3 -0
package/dist/auth/initializeProviders.d.ts.map +1 -1
package/dist/auth/initializeProviders.js +6 -0
package/dist/auth/initializeProviders.js.map +1 -1
package/dist/auth/newUsers.js +11 -2
package/dist/auth/newUsers.js.map +1 -1
package/dist/auth/providers/Auth0Provider.d.ts +9 -0
package/dist/auth/providers/Auth0Provider.d.ts.map +1 -1
package/dist/auth/providers/Auth0Provider.js +10 -0
package/dist/auth/providers/Auth0Provider.js.map +1 -1
package/dist/auth/providers/CognitoProvider.d.ts +9 -0
package/dist/auth/providers/CognitoProvider.d.ts.map +1 -1
package/dist/auth/providers/CognitoProvider.js +10 -0
package/dist/auth/providers/CognitoProvider.js.map +1 -1
package/dist/auth/providers/GoogleProvider.d.ts +9 -0
package/dist/auth/providers/GoogleProvider.d.ts.map +1 -1
package/dist/auth/providers/GoogleProvider.js +11 -1
package/dist/auth/providers/GoogleProvider.js.map +1 -1
package/dist/auth/providers/MSALProvider.d.ts +9 -0
package/dist/auth/providers/MSALProvider.d.ts.map +1 -1
package/dist/auth/providers/MSALProvider.js +10 -0
package/dist/auth/providers/MSALProvider.js.map +1 -1
package/dist/auth/providers/OktaProvider.d.ts +9 -0
package/dist/auth/providers/OktaProvider.d.ts.map +1 -1
package/dist/auth/providers/OktaProvider.js +10 -0
package/dist/auth/providers/OktaProvider.js.map +1 -1
package/dist/config.d.ts +12 -0
package/dist/config.d.ts.map +1 -1
package/dist/config.js +44 -10
package/dist/config.js.map +1 -1
package/dist/context.d.ts +8 -1
package/dist/context.d.ts.map +1 -1
package/dist/context.js +26 -4
package/dist/context.js.map +1 -1
package/dist/directives/Public.js +2 -0
package/dist/directives/Public.js.map +1 -1
package/dist/entitySubclasses/entityPermissions.server.d.ts +7 -2
package/dist/entitySubclasses/entityPermissions.server.d.ts.map +1 -1
package/dist/entitySubclasses/entityPermissions.server.js +26 -8
package/dist/entitySubclasses/entityPermissions.server.js.map +1 -1
package/dist/generated/generated.d.ts +954 -2
package/dist/generated/generated.d.ts.map +1 -1
package/dist/generated/generated.js +12183 -14532
package/dist/generated/generated.js.map +1 -1
package/dist/generic/DeleteOptionsInput.d.ts +3 -0
package/dist/generic/DeleteOptionsInput.d.ts.map +1 -1
package/dist/generic/DeleteOptionsInput.js +3 -2
package/dist/generic/DeleteOptionsInput.js.map +1 -1
package/dist/generic/KeyInputOutputTypes.js +0 -6
package/dist/generic/KeyInputOutputTypes.js.map +1 -1
package/dist/generic/KeyValuePairInput.d.ts +4 -0
package/dist/generic/KeyValuePairInput.d.ts.map +1 -1
package/dist/generic/KeyValuePairInput.js +4 -2
package/dist/generic/KeyValuePairInput.js.map +1 -1
package/dist/generic/PushStatusResolver.js +0 -3
package/dist/generic/PushStatusResolver.js.map +1 -1
package/dist/generic/ResolverBase.d.ts +59 -0
package/dist/generic/ResolverBase.d.ts.map +1 -1
package/dist/generic/ResolverBase.js +233 -18
package/dist/generic/ResolverBase.js.map +1 -1
package/dist/generic/RunViewResolver.d.ts +22 -0
package/dist/generic/RunViewResolver.d.ts.map +1 -1
package/dist/generic/RunViewResolver.js +42 -108
package/dist/generic/RunViewResolver.js.map +1 -1
package/dist/index.d.ts +2 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +84 -39
package/dist/index.js.map +1 -1
package/dist/orm.d.ts.map +1 -1
package/dist/orm.js +2 -1
package/dist/orm.js.map +1 -1
package/dist/resolvers/APIKeyResolver.d.ts +76 -1
package/dist/resolvers/APIKeyResolver.d.ts.map +1 -1
package/dist/resolvers/APIKeyResolver.js +53 -11
package/dist/resolvers/APIKeyResolver.js.map +1 -1
package/dist/resolvers/ActionResolver.d.ts +191 -1
package/dist/resolvers/ActionResolver.d.ts.map +1 -1
package/dist/resolvers/ActionResolver.js +156 -22
package/dist/resolvers/ActionResolver.js.map +1 -1
package/dist/resolvers/ColorResolver.js +0 -5
package/dist/resolvers/ColorResolver.js.map +1 -1
package/dist/resolvers/ComponentRegistryResolver.d.ts +65 -0
package/dist/resolvers/ComponentRegistryResolver.d.ts.map +1 -1
package/dist/resolvers/ComponentRegistryResolver.js +118 -40
package/dist/resolvers/ComponentRegistryResolver.js.map +1 -1
package/dist/resolvers/CreateQueryResolver.d.ts +47 -0
package/dist/resolvers/CreateQueryResolver.d.ts.map +1 -1
package/dist/resolvers/CreateQueryResolver.js +92 -116
package/dist/resolvers/CreateQueryResolver.js.map +1 -1
package/dist/resolvers/DatasetResolver.d.ts +5 -4
package/dist/resolvers/DatasetResolver.d.ts.map +1 -1
package/dist/resolvers/DatasetResolver.js +9 -18
package/dist/resolvers/DatasetResolver.js.map +1 -1
package/dist/resolvers/EntityCommunicationsResolver.d.ts +42 -1
package/dist/resolvers/EntityCommunicationsResolver.d.ts.map +1 -1
package/dist/resolvers/EntityCommunicationsResolver.js +5 -37
package/dist/resolvers/EntityCommunicationsResolver.js.map +1 -1
package/dist/resolvers/EntityRecordNameResolver.js +0 -7
package/dist/resolvers/EntityRecordNameResolver.js.map +1 -1
package/dist/resolvers/FileCategoryResolver.js +13 -1
package/dist/resolvers/FileCategoryResolver.js.map +1 -1
package/dist/resolvers/FileResolver.d.ts +16 -0
package/dist/resolvers/FileResolver.d.ts.map +1 -1
package/dist/resolvers/FileResolver.js +59 -74
package/dist/resolvers/FileResolver.js.map +1 -1
package/dist/resolvers/GetDataContextDataResolver.d.ts +20 -2
package/dist/resolvers/GetDataContextDataResolver.d.ts.map +1 -1
package/dist/resolvers/GetDataContextDataResolver.js +27 -12
package/dist/resolvers/GetDataContextDataResolver.js.map +1 -1
package/dist/resolvers/GetDataResolver.d.ts +19 -0
package/dist/resolvers/GetDataResolver.d.ts.map +1 -1
package/dist/resolvers/GetDataResolver.js +35 -35
package/dist/resolvers/GetDataResolver.js.map +1 -1
package/dist/resolvers/InfoResolver.d.ts.map +1 -1
package/dist/resolvers/InfoResolver.js +4 -7
package/dist/resolvers/InfoResolver.js.map +1 -1
package/dist/resolvers/MCPResolver.d.ts +361 -0
package/dist/resolvers/MCPResolver.d.ts.map +1 -0
package/dist/resolvers/MCPResolver.js +1270 -0
package/dist/resolvers/MCPResolver.js.map +1 -0
package/dist/resolvers/MergeRecordsResolver.d.ts +2 -1
package/dist/resolvers/MergeRecordsResolver.d.ts.map +1 -1
package/dist/resolvers/MergeRecordsResolver.js +6 -30
package/dist/resolvers/MergeRecordsResolver.js.map +1 -1
package/dist/resolvers/PotentialDuplicateRecordResolver.d.ts.map +1 -1
package/dist/resolvers/PotentialDuplicateRecordResolver.js +0 -3
package/dist/resolvers/PotentialDuplicateRecordResolver.js.map +1 -1
package/dist/resolvers/QueryResolver.d.ts +22 -1
package/dist/resolvers/QueryResolver.d.ts.map +1 -1
package/dist/resolvers/QueryResolver.js +50 -37
package/dist/resolvers/QueryResolver.js.map +1 -1
package/dist/resolvers/ReportResolver.d.ts +5 -1
package/dist/resolvers/ReportResolver.d.ts.map +1 -1
package/dist/resolvers/ReportResolver.js +13 -11
package/dist/resolvers/ReportResolver.js.map +1 -1
package/dist/resolvers/RunAIAgentResolver.d.ts +54 -0
package/dist/resolvers/RunAIAgentResolver.d.ts.map +1 -1
package/dist/resolvers/RunAIAgentResolver.js +118 -40
package/dist/resolvers/RunAIAgentResolver.js.map +1 -1
package/dist/resolvers/RunAIPromptResolver.d.ts +42 -0
package/dist/resolvers/RunAIPromptResolver.d.ts.map +1 -1
package/dist/resolvers/RunAIPromptResolver.js +98 -22
package/dist/resolvers/RunAIPromptResolver.js.map +1 -1
package/dist/resolvers/RunTemplateResolver.d.ts.map +1 -1
package/dist/resolvers/RunTemplateResolver.js +10 -6
package/dist/resolvers/RunTemplateResolver.js.map +1 -1
package/dist/resolvers/RunTestResolver.d.ts +12 -0
package/dist/resolvers/RunTestResolver.d.ts.map +1 -1
package/dist/resolvers/RunTestResolver.js +35 -21
package/dist/resolvers/RunTestResolver.js.map +1 -1
package/dist/resolvers/SqlLoggingConfigResolver.d.ts +312 -0
package/dist/resolvers/SqlLoggingConfigResolver.d.ts.map +1 -1
package/dist/resolvers/SqlLoggingConfigResolver.js +295 -45
package/dist/resolvers/SqlLoggingConfigResolver.js.map +1 -1
package/dist/resolvers/SyncDataResolver.d.ts +21 -0
package/dist/resolvers/SyncDataResolver.d.ts.map +1 -1
package/dist/resolvers/SyncDataResolver.js +36 -22
package/dist/resolvers/SyncDataResolver.js.map +1 -1
package/dist/resolvers/SyncRolesUsersResolver.d.ts +14 -0
package/dist/resolvers/SyncRolesUsersResolver.d.ts.map +1 -1
package/dist/resolvers/SyncRolesUsersResolver.js +54 -21
package/dist/resolvers/SyncRolesUsersResolver.js.map +1 -1
package/dist/resolvers/TaskResolver.d.ts +13 -0
package/dist/resolvers/TaskResolver.d.ts.map +1 -1
package/dist/resolvers/TaskResolver.js +23 -7
package/dist/resolvers/TaskResolver.js.map +1 -1
package/dist/resolvers/TelemetryResolver.d.ts +22 -0
package/dist/resolvers/TelemetryResolver.d.ts.map +1 -1
package/dist/resolvers/TelemetryResolver.js +45 -79
package/dist/resolvers/TelemetryResolver.js.map +1 -1
package/dist/resolvers/TransactionGroupResolver.js +11 -13
package/dist/resolvers/TransactionGroupResolver.js.map +1 -1
package/dist/resolvers/UserFavoriteResolver.js +3 -12
package/dist/resolvers/UserFavoriteResolver.js.map +1 -1
package/dist/resolvers/UserResolver.d.ts.map +1 -1
package/dist/resolvers/UserResolver.js +14 -0
package/dist/resolvers/UserResolver.js.map +1 -1
package/dist/resolvers/UserViewResolver.js +4 -0
package/dist/resolvers/UserViewResolver.js.map +1 -1
package/dist/resolvers/VersionHistoryResolver.d.ts +39 -0
package/dist/resolvers/VersionHistoryResolver.d.ts.map +1 -0
package/dist/resolvers/VersionHistoryResolver.js +208 -0
package/dist/resolvers/VersionHistoryResolver.js.map +1 -0
package/dist/rest/EntityCRUDHandler.d.ts +19 -0
package/dist/rest/EntityCRUDHandler.d.ts.map +1 -1
package/dist/rest/EntityCRUDHandler.js +55 -0
package/dist/rest/EntityCRUDHandler.js.map +1 -1
package/dist/rest/OAuthCallbackHandler.d.ts +143 -0
package/dist/rest/OAuthCallbackHandler.d.ts.map +1 -0
package/dist/rest/OAuthCallbackHandler.js +634 -0
package/dist/rest/OAuthCallbackHandler.js.map +1 -0
package/dist/rest/RESTEndpointHandler.d.ts +120 -0
package/dist/rest/RESTEndpointHandler.d.ts.map +1 -1
package/dist/rest/RESTEndpointHandler.js +213 -24
package/dist/rest/RESTEndpointHandler.js.map +1 -1
package/dist/rest/ViewOperationsHandler.d.ts +19 -0
package/dist/rest/ViewOperationsHandler.d.ts.map +1 -1
package/dist/rest/ViewOperationsHandler.js +39 -0
package/dist/rest/ViewOperationsHandler.js.map +1 -1
package/dist/rest/index.d.ts +1 -0
package/dist/rest/index.d.ts.map +1 -1
package/dist/rest/index.js +1 -0
package/dist/rest/index.js.map +1 -1
package/dist/rest/setupRESTEndpoints.d.ts +35 -0
package/dist/rest/setupRESTEndpoints.d.ts.map +1 -1
package/dist/rest/setupRESTEndpoints.js +15 -1
package/dist/rest/setupRESTEndpoints.js.map +1 -1
package/dist/services/ScheduledJobsService.d.ts +31 -0
package/dist/services/ScheduledJobsService.d.ts.map +1 -1
package/dist/services/ScheduledJobsService.js +38 -4
package/dist/services/ScheduledJobsService.js.map +1 -1
package/dist/services/TaskOrchestrator.d.ts +73 -0
package/dist/services/TaskOrchestrator.d.ts.map +1 -1
package/dist/services/TaskOrchestrator.js +137 -15
package/dist/services/TaskOrchestrator.js.map +1 -1
package/dist/types.d.ts +14 -0
package/dist/types.d.ts.map +1 -1
package/dist/types.js +0 -13
package/dist/types.js.map +1 -1
package/dist/util.d.ts +37 -1
package/dist/util.d.ts.map +1 -1
package/dist/util.js +55 -8
package/dist/util.js.map +1 -1
package/package.json +79 -77
package/src/auth/BaseAuthProvider.ts +3 -0
package/src/auth/IAuthProvider.ts +5 -0
package/src/auth/exampleNewUserSubClass.ts +1 -5
package/src/config.ts +2 -2
package/src/entitySubclasses/entityPermissions.server.ts +1 -3
package/src/generated/generated.ts +6245 -2558
package/src/generic/ResolverBase.ts +89 -3
package/src/index.ts +71 -64
package/src/resolvers/APIKeyResolver.ts +8 -1
package/src/resolvers/ActionResolver.ts +8 -1
package/src/resolvers/DatasetResolver.ts +11 -4
package/src/resolvers/EntityCommunicationsResolver.ts +5 -1
package/src/resolvers/GetDataContextDataResolver.ts +14 -6
package/src/resolvers/InfoResolver.ts +5 -1
package/src/resolvers/MCPResolver.ts +1380 -0
package/src/resolvers/MergeRecordsResolver.ts +5 -1
package/src/resolvers/PotentialDuplicateRecordResolver.ts +0 -4
package/src/resolvers/QueryResolver.ts +17 -3
package/src/resolvers/ReportResolver.ts +8 -1
package/src/resolvers/RunAIAgentResolver.ts +6 -0
package/src/resolvers/RunAIPromptResolver.ts +10 -1
package/src/resolvers/RunTemplateResolver.ts +4 -1
package/src/resolvers/TaskResolver.ts +3 -0
package/src/resolvers/UserResolver.ts +15 -3
package/src/resolvers/VersionHistoryResolver.ts +177 -0
package/src/rest/OAuthCallbackHandler.ts +766 -0
package/src/rest/RESTEndpointHandler.ts +58 -35
package/src/rest/index.ts +2 -1
package/src/rest/setupRESTEndpoints.ts +13 -12
package/src/resolvers/AskSkipResolver.ts +0 -3446
package/src/scheduler/LearningCycleScheduler.ts +0 -320

package/src/generic/ResolverBase.ts CHANGED Viewed

@@ -19,8 +19,9 @@ import {
 } from '@memberjunction/core';
 import { AuditLogEntity, ErrorLogEntity, UserViewEntityExtended } from '@memberjunction/core-entities';
 import { SQLServerDataProvider, UserCache } from '@memberjunction/sqlserver-dataprovider';
-import { PubSubEngine } from 'type-graphql';
+import { PubSubEngine, AuthorizationError } from 'type-graphql';
 import { GraphQLError } from 'graphql';
+import { GetAPIKeyEngine } from '@memberjunction/api-keys';
 import sql from 'mssql';
 import { httpTransport, CloudEvent, emitterFor } from 'cloudevents';
@@ -504,7 +505,7 @@ export class ResolverBase {
     if (!userPayload) {
       throw new Error(`userPayload is null`);
     }
     // first check permissions, the logged in user must have read permissions on the entity to run the view
     if (entityInfo) {
       const userInfo = UserCache.Users.find((u) => u.Email.toLowerCase().trim() === userPayload.email.toLowerCase().trim()); // get the user record from MD so we have ROLES attached, don't use the one from payload directly
@@ -516,12 +517,85 @@ export class ResolverBase {
       if (!userPermissions.CanRead) {
         throw new Error(`User ${userPayload.email} does not have read permissions on ${entityInfo.Name}`);
       }
-    }
+    }
     else {
       throw new Error(`Entity not found in metadata`);
     }
   }
+  /**
+   * Checks API key scope authorization. Only performs check if request
+   * was authenticated via API key (apiKeyHash present in userPayload).
+   * For OAuth/JWT auth, this is a no-op.
+   *
+   * @param scopePath - The scope path (e.g., 'entity:read', 'agent:execute')
+   * @param resource - The resource name (e.g., entity name, agent name)
+   * @param userPayload - The user payload from context
+   * @throws AuthorizationError if API key lacks required scope
+   */
+  protected async CheckAPIKeyScopeAuthorization(
+    scopePath: string,
+    resource: string,
+    userPayload: UserPayload
+  ): Promise<void> {
+    // Skip scope check for OAuth/JWT auth (no API key)
+    if (!userPayload.apiKeyHash) {
+      return;
+    }
+    // Get system user for authorization call
+    // NOTE: We use system user here because Authorize() needs to run internal
+    // database queries (loading scope rules, logging decisions). The system user
+    // ensures these queries work regardless of what permissions the API key's
+    // user has. The API key's associated user (in userPayload.userRecord) is
+    // used later when the actual operation executes - their permissions are
+    // the ultimate ceiling that scopes can only narrow, never expand.
+    const systemUser = UserCache.Instance.Users.find(u => u.Type === 'System');
+    if (!systemUser) {
+      throw new Error('System user not found');
+    }
+    const apiKeyEngine = GetAPIKeyEngine();
+    // Check for full_access scope first (god power - bypasses all other checks)
+    const fullAccessResult = await apiKeyEngine.Authorize(
+      userPayload.apiKeyHash,
+      'MJAPI',
+      'full_access',
+      '*',
+      systemUser,
+      { endpoint: '/graphql', method: 'POST' }
+    );
+    if (fullAccessResult.Allowed) {
+      // full_access granted - skip specific scope check
+      return;
+    }
+    // Check specific scope
+    const result = await apiKeyEngine.Authorize(
+      userPayload.apiKeyHash,
+      'MJAPI',
+      scopePath,
+      resource,
+      systemUser,
+      {
+        endpoint: '/graphql',
+        method: 'POST'
+      }
+    );
+    if (!result.Allowed) {
+      // Provide specific, actionable error message
+      throw new AuthorizationError(
+        `Access denied. This API key requires the '${scopePath}' scope ` +
+        `for resource '${resource}' to perform this operation. ` +
+        `Please update the API key's scopes or use an API key with appropriate permissions. ` +
+        `Denial reason: ${result.Reason}`
+      );
+    }
+  }
   /**
    * Optimized RunViewGenericInternal implementation with:
    * - Field filtering at source (Fix #7)
@@ -550,6 +624,9 @@ export class ResolverBase {
     try {
       if (!viewInfo || !userPayload) return null;
+      // Check API key scope authorization for view operations
+      await this.CheckAPIKeyScopeAuthorization('view:run', viewInfo.Entity, userPayload);
       const md = provider
       const user = UserCache.Users.find((u) => u.Email.toLowerCase().trim() === userPayload?.email.toLowerCase().trim());
       if (!user) throw new Error(`User ${userPayload?.email} not found in metadata`);
@@ -908,6 +985,9 @@ export class ResolverBase {
   }
   protected async CreateRecord(entityName: string, input: any, provider: DatabaseProviderBase, userPayload: UserPayload, pubSub: PubSubEngine) {
+    // Check API key scope authorization for entity create operations
+    await this.CheckAPIKeyScopeAuthorization('entity:create', entityName, userPayload);
     if (await this.BeforeCreate(provider, input)) {
       // fire event and proceed if it wasn't cancelled
       const entityObject = await provider.GetEntityObject(entityName, this.GetUserFromPayload(userPayload));
@@ -940,6 +1020,9 @@ export class ResolverBase {
   protected async AfterCreate(provider: DatabaseProviderBase, input: any) {}
   protected async UpdateRecord(entityName: string, input: any, provider: DatabaseProviderBase, userPayload: UserPayload, pubSub: PubSubEngine) {
+    // Check API key scope authorization for entity update operations
+    await this.CheckAPIKeyScopeAuthorization('entity:update', entityName, userPayload);
     if (await this.BeforeUpdate(provider, input)) {
       // fire event and proceed if it wasn't cancelled
       const userInfo = this.GetUserFromPayload(userPayload);
@@ -1202,6 +1285,9 @@ export class ResolverBase {
     userPayload: UserPayload,
     pubSub: PubSubEngine
   ) {
+    // Check API key scope authorization for entity delete operations
+    await this.CheckAPIKeyScopeAuthorization('entity:delete', entityName, userPayload);
     if (await this.BeforeDelete(provider, key)) {
       // fire event and proceed if it wasn't cancelled
       const entityObject = await provider.GetEntityObject(entityName, this.GetUserFromPayload(userPayload));

package/src/index.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import dotenv from 'dotenv';
-dotenv.config();
+dotenv.config({ quiet: true });
 import { expressMiddleware } from '@apollo/server/express4';
 import { mergeSchemas } from '@graphql-tools/schema';
@@ -27,45 +27,10 @@ import { contextFunction, getUserPayload } from './context.js';
 import { requireSystemUserDirective, publicDirective } from './directives/index.js';
 import createMSSQLConfig from './orm.js';
 import { setupRESTEndpoints } from './rest/setupRESTEndpoints.js';
-import { LoadAllCoreActions } from '@memberjunction/core-actions';
-LoadAllCoreActions(); // prevent tree shaking for this dynamic module
-import { LoadApolloAccountsEnrichmentAction, LoadApolloContactsEnrichmentAction } from '@memberjunction/actions-apollo'
-LoadApolloAccountsEnrichmentAction();
-LoadApolloContactsEnrichmentAction();
-import { LoadCoreEntitiesServerSubClasses } from '@memberjunction/core-entities-server';
-LoadCoreEntitiesServerSubClasses(); // prevent tree shaking for this dynamic module
-import { LoadAgentManagementActions } from '@memberjunction/ai-agent-manager-actions';
-LoadAgentManagementActions();
-// Load agent manager core classes (registers custom agent classes like AgentBuilderAgent, AgentArchitectAgent)
-import { LoadAgentManagerCore } from '@memberjunction/ai-agent-manager';
-LoadAgentManagerCore();
-import { LoadSchedulingEngine } from '@memberjunction/scheduling-engine';
-LoadSchedulingEngine(); // This also loads drivers
-import { LoadAllSchedulingActions } from '@memberjunction/scheduling-actions';
-LoadAllSchedulingActions(); // prevent tree shaking for scheduling actions
-import { GetTypeformResponsesAction } from '@memberjunction/actions-bizapps-formbuilders';
-const x = GetTypeformResponsesAction; // prevent tree shaking for this dynamic module
+import { createOAuthCallbackHandler } from './rest/OAuthCallbackHandler.js';
 import { resolve } from 'node:path';
 import { DataSourceInfo, raiseEvent } from './types.js';
-import { LoadAIEngine } from '@memberjunction/aiengine';
-import { LoadAIProviders } from '@memberjunction/ai-provider-bundle';
-// Load AI Engine and all providers to prevent tree shaking
-LoadAIEngine();
-LoadAIProviders();
-// Load Communication Providers
-import { LoadMSGraphProvider } from '@memberjunction/communication-ms-graph';
-import { LoadProvider as LoadSendGridProvider } from '@memberjunction/communication-sendgrid';
-LoadMSGraphProvider();
-LoadSendGridProvider();
 import { ExternalChangeDetectorEngine } from '@memberjunction/external-change-detection';
 import { ScheduledJobsService } from './services/ScheduledJobsService.js';
@@ -81,7 +46,15 @@ export { configInfo, DEFAULT_SERVER_CONFIG } from './config.js';
 export * from './directives/index.js';
 export * from './entitySubclasses/entityPermissions.server.js';
 export * from './types.js';
-export { TokenExpiredError, getSystemUser } from './auth/index.js';
+export {
+    TokenExpiredError,
+    getSystemUser,
+    getSigningKeys,
+    extractUserInfoFromPayload,
+    verifyUserRecord,
+    AuthProviderFactory,
+    IAuthProvider,
+} from './auth/index.js';
 export * from './auth/APIKeyScopeAuth.js';
 export * from './generic/PushStatusResolver.js';
@@ -98,7 +71,6 @@ export * from './generic/DeleteOptionsInput.js';
 export * from './agents/skip-agent.js';
 export * from './agents/skip-sdk.js';
-export * from './resolvers/AskSkipResolver.js';
 export * from './resolvers/ColorResolver.js';
 export * from './resolvers/ComponentRegistryResolver.js';
 export * from './resolvers/DatasetResolver.js';
@@ -115,6 +87,7 @@ export * from './resolvers/TransactionGroupResolver.js';
 export * from './resolvers/CreateQueryResolver.js';
 export * from './resolvers/TelemetryResolver.js';
 export * from './resolvers/APIKeyResolver.js';
+export * from './resolvers/MCPResolver.js';
 export { GetReadOnlyDataSource, GetReadWriteDataSource, GetReadWriteProvider, GetReadOnlyProvider } from './util.js';
 export * from './generated/generated.js';
@@ -292,20 +265,7 @@ export const serve = async (resolverPaths: Array<string>, app: Application = cre
     level: 6
   }));
-  app.use(
-    graphqlRootPath,
-    cors<cors.CorsRequest>(),
-    BodyParser.json({ limit: '50mb' }),
-    expressMiddleware(apolloServer, {
-      context: contextFunction({
-                                 setupComplete$,
-                                 dataSource: extendConnectionPoolWithQuery(pool), // default read-write data source
-                                 dataSources // all data source
-                               }),
-    })
-  );
-  // Setup REST API endpoints
+  // Setup REST API endpoints BEFORE GraphQL (since graphqlRootPath may be '/' which catches all routes)
   const authMiddleware = async (req, res, next) => {
     try {
       const sessionIdRaw = req.headers['x-session-id'];
@@ -318,27 +278,58 @@ export const serve = async (resolverPaths: Array<string>, app: Application = cre
       if (!userPayload) {
         return res.status(401).json({ error: 'Invalid token' });
       }
+      // Set both req.user (standard Express convention) and req['mjUser'] (MJ REST convention)
+      // Note: userPayload contains { userRecord: UserInfo, email, sessionId }
+      // The mjUser property expects the UserInfo directly (userRecord)
       req.user = userPayload;
+      req['mjUser'] = userPayload.userRecord;
       next();
     } catch (error) {
       console.error('Auth error:', error);
       return res.status(401).json({ error: 'Authentication failed' });
     }
   };
-  // Get REST API configuration from the config file
-  const restApiConfig: RESTApiOptions = {
-    enabled: configInfo.restApiOptions?.enabled ?? true,
+  // Build public URL for OAuth callbacks
+  const oauthPublicUrl = configInfo.publicUrl || `${configInfo.baseUrl}:${configInfo.graphqlPort}${configInfo.graphqlRootPath || ''}`;
+  console.log(`[OAuth] publicUrl: ${oauthPublicUrl}`);
+  // Set up OAuth callback routes at /oauth (independent of REST API)
+  // These must be registered BEFORE GraphQL middleware since graphqlRootPath may be '/'
+  if (oauthPublicUrl) {
+    const { callbackRouter, authenticatedRouter } = createOAuthCallbackHandler({
+      publicUrl: oauthPublicUrl,
+      // TODO: These should be configurable to point to the MJ Explorer UI
+      successRedirectUrl: `${oauthPublicUrl}/oauth/success`,
+      errorRedirectUrl: `${oauthPublicUrl}/oauth/error`
+    });
+    // Create CORS middleware for OAuth routes (needed for cross-origin requests from frontend)
+    const oauthCors = cors<cors.CorsRequest>();
+    // OAuth callback is unauthenticated (called by external auth server)
+    app.use('/oauth', oauthCors, callbackRouter);
+    console.log('[OAuth] Callback route registered at /oauth/callback');
+    // OAuth status, initiate, and exchange endpoints require authentication
+    // Must also have CORS for frontend requests and JSON body parsing
+    app.use('/oauth', oauthCors, BodyParser.json(), authMiddleware, authenticatedRouter);
+    console.log('[OAuth] Authenticated routes registered at /oauth/status, /oauth/initiate, and /oauth/exchange');
+  }
+  // Get REST API configuration
+  const restApiConfig = {
+    enabled: configInfo.restApiOptions?.enabled ?? false,
     includeEntities: configInfo.restApiOptions?.includeEntities,
-    excludeEntities: configInfo.restApiOptions?.excludeEntities
+    excludeEntities: configInfo.restApiOptions?.excludeEntities,
   };
   // Apply options from server options if provided (these override the config file)
   if (options?.restApiOptions) {
     Object.assign(restApiConfig, options.restApiOptions);
   }
   // Get REST API configuration from environment variables if present (env vars override everything)
   if (process.env.MJ_REST_API_ENABLED !== undefined) {
     restApiConfig.enabled = process.env.MJ_REST_API_ENABLED === 'true';
@@ -346,18 +337,34 @@ export const serve = async (resolverPaths: Array<string>, app: Application = cre
       console.log('REST API is enabled via environment variable');
     }
   }
   if (process.env.MJ_REST_API_INCLUDE_ENTITIES) {
     restApiConfig.includeEntities = process.env.MJ_REST_API_INCLUDE_ENTITIES.split(',').map(e => e.trim());
   }
   if (process.env.MJ_REST_API_EXCLUDE_ENTITIES) {
     restApiConfig.excludeEntities = process.env.MJ_REST_API_EXCLUDE_ENTITIES.split(',').map(e => e.trim());
   }
   // Set up REST endpoints with the configured options and auth middleware
   setupRESTEndpoints(app, restApiConfig, authMiddleware);
+  // GraphQL middleware (after REST so /api/v1/* routes are handled first)
+  // Note: Type assertion needed due to @apollo/server bundling older @types/express types
+  // that are incompatible with Express 5.x types (missing 'param' property)
+  app.use(
+    graphqlRootPath,
+    cors<cors.CorsRequest>(),
+    BodyParser.json({ limit: '50mb' }),
+    expressMiddleware(apolloServer, {
+      context: contextFunction({
+                                 setupComplete$,
+                                 dataSource: extendConnectionPoolWithQuery(pool), // default read-write data source
+                                 dataSources // all data source
+                               }),
+    }) as unknown as express.RequestHandler
+  );
   // Initialize and start scheduled jobs service if enabled
   let scheduledJobsService: ScheduledJobsService | null = null;
   if (configInfo.scheduledJobs?.enabled) {

package/src/resolvers/APIKeyResolver.ts CHANGED Viewed

@@ -4,6 +4,7 @@ import { LogError, Metadata } from "@memberjunction/core";
 import { APIKeyScopeEntity } from "@memberjunction/core-entities";
 import { GetAPIKeyEngine } from "@memberjunction/api-keys";
 import { AppContext } from "../types.js";
+import { ResolverBase } from "../generic/ResolverBase.js";
 /**
  * Input type for creating a new API key
@@ -90,7 +91,7 @@ export class RevokeAPIKeyResult {
  * Handles secure server-side API key generation
  */
 @Resolver()
-export class APIKeyResolver {
+export class APIKeyResolver extends ResolverBase {
     /**
      * Creates a new API key with proper server-side cryptographic hashing.
      *
@@ -109,6 +110,9 @@ export class APIKeyResolver {
         @Arg("input") input: CreateAPIKeyInput,
         @Ctx() ctx: AppContext
     ): Promise<CreateAPIKeyResult> {
+        // Check API key scope authorization for API key creation
+        await this.CheckAPIKeyScopeAuthorization('apikey:create', '*', ctx.userPayload);
         try {
             // Get the authenticated user
             const user = ctx.userPayload.userRecord;
@@ -173,6 +177,9 @@ export class APIKeyResolver {
         @Arg("apiKeyId") apiKeyId: string,
         @Ctx() ctx: AppContext
     ): Promise<RevokeAPIKeyResult> {
+        // Check API key scope authorization for API key revocation
+        await this.CheckAPIKeyScopeAuthorization('apikey:revoke', apiKeyId, ctx.userPayload);
         try {
             const user = ctx.userPayload.userRecord;
             if (!user) {

package/src/resolvers/ActionResolver.ts CHANGED Viewed

@@ -8,6 +8,7 @@ import { KeyValuePairInput } from "../generic/KeyValuePairInput.js";
 import { AppContext, ProviderInfo } from "../types.js";
 import { CopyScalarsAndArrays } from "@memberjunction/global";
 import { GetReadOnlyProvider } from "../util.js";
+import { ResolverBase } from "../generic/ResolverBase.js";
 /**
  * Input type for action parameters
@@ -171,7 +172,7 @@ export class ActionResultOutput {
  * Handles running actions and entity actions through GraphQL
  */
 @Resolver()
-export class ActionResolver {
+export class ActionResolver extends ResolverBase {
   /**
    * Mutation for running an action
    * @param input The input parameters for running the action
@@ -184,6 +185,9 @@ export class ActionResolver {
     @Ctx() ctx: AppContext
   ): Promise<ActionResultOutput> {
     try {
+      // Check API key scope authorization for action execution
+      await this.CheckAPIKeyScopeAuthorization('action:execute', input.ActionID, ctx.userPayload);
       // Get the user from context
       const user = ctx.userPayload.userRecord;
       if (!user) {
@@ -326,6 +330,9 @@ export class ActionResolver {
     @Ctx() ctx: AppContext
   ): Promise<ActionResultOutput> {
     try {
+      // Check API key scope authorization for entity action execution
+      await this.CheckAPIKeyScopeAuthorization('action:execute', input.EntityActionID, ctx.userPayload);
       const user = ctx.userPayload.userRecord;
       if (!user) {
         throw new Error("User is not authenticated");

package/src/resolvers/DatasetResolver.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import { Arg, Ctx, Field, InputType, Int, ObjectType, Query, Resolver } from 'ty
 import { AppContext } from '../types.js';
 import { LogError, Metadata } from '@memberjunction/core';
 import { GetReadOnlyProvider } from '../util.js';
+import { ResolverBase } from '../generic/ResolverBase.js';
 @ObjectType()
 export class DatasetResultType {
@@ -35,13 +36,16 @@ export class DatasetItemFilterTypeGQL {
 @Resolver(DatasetResultType)
-export class DatasetResolverExtended {
+export class DatasetResolverExtended extends ResolverBase {
   @Query(() => DatasetResultType)
   async GetDatasetByName(
     @Arg('DatasetName', () => String) DatasetName: string,
-    @Ctx() {providers}: AppContext,
+    @Ctx() { providers, userPayload }: AppContext,
     @Arg('ItemFilters', () => [DatasetItemFilterTypeGQL], { nullable: 'itemsAndList' }) ItemFilters?: DatasetItemFilterTypeGQL[]
   ) {
+    // Check API key scope authorization for dataset read
+    await this.CheckAPIKeyScopeAuthorization('dataset:read', DatasetName, userPayload);
     try {
       const md = GetReadOnlyProvider(providers, {allowFallbackToReadWrite: true});
       const result = await md.GetDatasetByName(DatasetName, ItemFilters);
@@ -86,13 +90,16 @@ export class DatasetStatusResultType {
 }
 @Resolver(DatasetStatusResultType)
-export class DatasetStatusResolver {
+export class DatasetStatusResolver extends ResolverBase {
   @Query(() => DatasetStatusResultType)
   async GetDatasetStatusByName(
     @Arg('DatasetName', () => String) DatasetName: string,
-    @Ctx() {providers}: AppContext,
+    @Ctx() { providers, userPayload }: AppContext,
     @Arg('ItemFilters', () => [DatasetItemFilterTypeGQL], { nullable: 'itemsAndList' }) ItemFilters?: DatasetItemFilterTypeGQL[]
   ) {
+    // Check API key scope authorization for dataset read
+    await this.CheckAPIKeyScopeAuthorization('dataset:read', DatasetName, userPayload);
     try {
       const md = GetReadOnlyProvider(providers, {allowFallbackToReadWrite: true});
       const result = await md.GetDatasetStatusByName(DatasetName, ItemFilters);

package/src/resolvers/EntityCommunicationsResolver.ts CHANGED Viewed

@@ -8,6 +8,7 @@ import { GraphQLJSONObject } from 'graphql-type-json';
 import { TemplateEngineServer } from '@memberjunction/templates';
 import { EntityCommunicationParams } from '@memberjunction/entity-communications-base';
 import { z } from 'zod';
+import { ResolverBase } from '../generic/ResolverBase.js';
 @InputType()
 export class CommunicationProviderMessageType {
@@ -166,7 +167,7 @@ export class RunEntityCommunicationResultType {
 }
 @Resolver(RunEntityCommunicationResultType)
-export class ReportResolver {
+export class ReportResolver extends ResolverBase {
   @Query(() => RunEntityCommunicationResultType)
   async RunEntityCommunicationByViewID(
     @Arg('entityID', () => String) entityID: string,
@@ -178,6 +179,9 @@ export class ReportResolver {
     @Arg('includeProcessedMessages', () => Boolean) includeProcessedMessages: boolean,
     @Ctx() { userPayload }: AppContext
   ): Promise<RunEntityCommunicationResultType> {
+    // Check API key scope authorization for communication send
+    await this.CheckAPIKeyScopeAuthorization('communication:send', entityID, userPayload);
     try {
       await EntityCommunicationsEngine.Instance.Config(false, userPayload.userRecord);
       const newMessage = new Message(message as unknown as Message);

package/src/resolvers/GetDataContextDataResolver.ts CHANGED Viewed

@@ -1,9 +1,10 @@
-import { Arg, Ctx, Field, ObjectType, Query } from "type-graphql";
+import { Arg, Ctx, Field, ObjectType, Query, Resolver } from "type-graphql";
 import { AppContext } from "../types.js";
 import { DataContext } from "@memberjunction/data-context";
 import { GetReadOnlyDataSource, GetReadOnlyProvider } from "../util.js";
 import { Metadata } from "@memberjunction/core";
 import { DataContextItemEntity } from "@memberjunction/core-entities";
+import { ResolverBase } from "../generic/ResolverBase.js";
 @ObjectType()
 export class GetDataContextItemDataOutputType {
@@ -39,16 +40,20 @@ export class GetDataContextDataOutputType {
 }
-export class GetDataContextDataResolver {
+@Resolver()
+export class GetDataContextDataResolver extends ResolverBase {
     /**
-     * Returns data for a given data context item.
-     * @param DataContextItemID
+     * Returns data for a given data context item.
+     * @param DataContextItemID
      */
     @Query(() => GetDataContextItemDataOutputType)
     async GetDataContextItemData(
         @Arg('DataContextItemID', () => String) DataContextItemID: string,
         @Ctx() appCtx: AppContext
     ) {
+        // Check API key scope authorization for data context read
+        await this.CheckAPIKeyScopeAuthorization('datacontext:read', DataContextItemID, appCtx.userPayload);
         try {
             const ds = GetReadOnlyDataSource(appCtx.dataSources, {
                 allowFallbackToReadWrite: true,
@@ -92,14 +97,17 @@ export class GetDataContextDataResolver {
     }
     /**
-     * Returns data for a given data context.
-     * @param DataContextID
+     * Returns data for a given data context.
+     * @param DataContextID
      */
     @Query(() => GetDataContextDataOutputType)
     async GetDataContextData(
         @Arg('DataContextID', () => String) DataContextID: string,
         @Ctx() appCtx: AppContext
     ) {
+        // Check API key scope authorization for data context read
+        await this.CheckAPIKeyScopeAuthorization('datacontext:read', DataContextID, appCtx.userPayload);
         try {
             // our job here is to load the entire data context, so we do that with the Data Context object
             const dc = new DataContext();

package/src/resolvers/InfoResolver.ts CHANGED Viewed

@@ -1,9 +1,13 @@
 import { Field, ObjectType, Int, Query, Resolver, Ctx, Info as RequestInfo } from 'type-graphql';
 import { Public, RequireSystemUser } from '../directives/index.js';
-import packageJson from '../../package.json' with { type: 'json' };
+import { createRequire } from 'node:module';
 import { AppContext } from '../types.js';
 import os from 'node:os';
+// Use createRequire to import JSON (compatible with module: es2022)
+const require = createRequire(import.meta.url);
+const packageJson = require('../../package.json') as { version: string };
 @ObjectType()
 export class Info {
   @Public()