@mgsoftwarebv/mcp-server-bridge 3.5.3 → 3.5.5

package/dist/index.js

@@ -105954,7 +105954,7 @@ var TOOLS = [
   },
   {
     name: "upload-ticket-attachment",
-    description: "Attach a file (image or document) to a ticket. Provide exactly ONE source: `filePath` (absolute local path), `imageUrl` (public URL to download), or `base64Data` (raw or data: URI). To push an image the user pasted into Cursor chat onto the ticket: when the message is sent, Cursor writes the pasted image into the workspace `assets/` folder as `image-<uuid>.png` \u2014 locate the newest `assets/image-*.png` and pass its absolute path as `filePath`. Allowed types: JPEG, PNG, GIF, WebP, PDF, DOC(X), XLS(X), PPT(X), TXT, CSV. Max 25 MB. Returns the attachment id and a 1-hour download URL.",
+    description: "Attach a file (image or document) to a ticket. Provide exactly ONE source: `filePath` (absolute local path on the MCP runtime), `imageUrl` (URL to download), `uploadId` (from POST /mcp/attachment-upload \u2014 use for Hermes/Telegram gateway cache files over HTTP MCP), or `base64Data` (raw or data: URI, small files only). For Cursor pasted images: locate the newest workspace `assets/image-*.png` and pass its absolute path as `filePath` (stdio MCP). For Hermes cache paths like `/root/.hermes/image_cache/...` over HTTP MCP: POST bytes to `/mcp/attachment-upload` with the same API key, then pass the returned `uploadId`. Optionally set `HERMES_MEDIA_BASE_URL` so Hermes cache `filePath` values are fetched remotely. Allowed types: JPEG, PNG, GIF, WebP, PDF, DOC(X), XLS(X), PPT(X), TXT, CSV. Max 25 MB. Returns the attachment id and a 1-hour download URL.",
     inputSchema: {
       type: "object",
       properties: {
@@ -105965,11 +105965,15 @@ var TOOLS = [
         },
         filePath: {
           type: "string",
-          description: "Absolute local path to the file. For a pasted image, use the newest workspace assets/image-*.png."
+          description: "Absolute local path on the MCP server. Works for Cursor workspace files with stdio MCP; Hermes gateway paths require uploadId or HERMES_MEDIA_BASE_URL."
         },
         imageUrl: {
           type: "string",
-          description: "Public URL to download and attach."
+          description: "Public or gateway URL to download and attach."
+        },
+        uploadId: {
+          type: "string",
+          description: "Staged upload id from POST /mcp/attachment-upload. Preferred for original Telegram/Hermes media over HTTP MCP."
         },
         base64Data: {
           type: "string",
@@ -105987,6 +105991,22 @@ var TOOLS = [
       required: ["ticketId"]
     }
   },
+  {
+    name: "delete-ticket-attachment",
+    description: "Safely remove a ticket or comment attachment by id. Validates provider/team access and that the attachment belongs to the requested ticket. Hard-deletes the DB row and vault file, and logs ticket activity with the filename. Find attachment ids via get-ticket-by-id.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        teamId: teamIdProp,
+        ticketId: ticketIdentifierProp,
+        attachmentId: {
+          type: "string",
+          description: "Attachment ID from get-ticket-by-id (ticket or comment attachment)."
+        }
+      },
+      required: ["ticketId", "attachmentId"]
+    }
+  },
   {
     name: "get-customers",
     description: "Get customers with optional search. Each result includes its ID (UUID), name, email, website, phone, status, archived flag, and created date. Archived customers are hidden by default; pass status 'archived' or 'all' to include them.",
@@ -120394,8 +120414,6 @@ var storage = new Proxy({}, {
     return Reflect.get(_storage, prop, _storage);
   }
 });
-
-// src/tools/ticket-attachments.ts
 var ALLOWED_IMAGE_TYPES = [
   "image/jpeg",
   "image/png",
@@ -120434,14 +120452,243 @@ var EXT_MIME = {
   ppt: "application/vnd.ms-powerpoint",
   pptx: "application/vnd.openxmlformats-officedocument.presentationml.presentation"
 };
-function textResponse5(text3) {
-  return { content: [{ type: "text", text: text3 }] };
-}
+var HERMES_CACHE_PATH = /(?:^|[\\/])\.hermes[\\/](.+)$/i;
 function mimeFromName(name21) {
   if (!name21) return null;
   const ext = name21.split(/[?#]/)[0]?.split(".").pop()?.toLowerCase();
   return ext && EXT_MIME[ext] ? EXT_MIME[ext] : null;
 }
+function isHermesCachePath(filePath) {
+  return HERMES_CACHE_PATH.test(filePath.replace(/\\/g, "/"));
+}
+function hermesCacheRelativePath(filePath) {
+  const normalized = filePath.replace(/\\/g, "/");
+  const match = HERMES_CACHE_PATH.exec(normalized);
+  return match?.[1] ?? null;
+}
+function getHermesMediaBaseUrl() {
+  const base = process.env.HERMES_MEDIA_BASE_URL?.trim() || process.env.HERMES_GATEWAY_MEDIA_URL?.trim();
+  return base ? base.replace(/\/+$/, "") : null;
+}
+function resolveHermesCacheMediaUrl(filePath) {
+  const base = getHermesMediaBaseUrl();
+  const relative = hermesCacheRelativePath(filePath);
+  if (!base || !relative) return null;
+  return `${base}/${relative.replace(/^\/+/, "")}`;
+}
+function parseMcpStagingStorageKey(uploadId, teamId, userId) {
+  const normalized = uploadId.replace(/\\/g, "/").replace(/^\/+/, "");
+  const prefix = `${teamId}/mcp-staging/${userId}/`;
+  if (!normalized.startsWith(prefix)) return null;
+  const remainder = normalized.slice(prefix.length);
+  if (!remainder || remainder.includes("..")) return null;
+  return normalized;
+}
+function formatFilePathEnoentError(filePath) {
+  const hermesHint = isHermesCachePath(filePath) ? getHermesMediaBaseUrl() ? " Hermes cache paths are fetched via HERMES_MEDIA_BASE_URL when local read fails." : " For Hermes/Telegram cache files over HTTP MCP, POST the bytes to /mcp/attachment-upload and pass the returned uploadId, or set HERMES_MEDIA_BASE_URL so cache paths can be fetched remotely." : " filePath must exist on the MCP server filesystem (works for Cursor workspace paths with stdio MCP, not for gateway-local paths over HTTP MCP).";
+  return `Failed to read the file at "${filePath}": path not found in the MCP runtime (ENOENT).${hermesHint} Alternatives: imageUrl (download URL), uploadId (from POST /mcp/attachment-upload), or base64Data for small files.`;
+}
+function hermesMediaFetchHeaders() {
+  const token = process.env.HERMES_MEDIA_AUTH_TOKEN?.trim() || process.env.HERMES_MEDIA_BEARER_TOKEN?.trim();
+  if (!token) return void 0;
+  return { Authorization: `Bearer ${token}` };
+}
+async function fetchAttachmentUrl(url3, fallbackName, mimeOverride) {
+  const res = await fetch(url3, { headers: hermesMediaFetchHeaders() });
+  if (!res.ok) {
+    return {
+      ok: false,
+      message: `Could not download from URL: HTTP ${res.status}.`
+    };
+  }
+  const headerType = res.headers.get("content-type")?.split(";")[0]?.trim();
+  const buffer2 = Buffer.from(await res.arrayBuffer());
+  const fileName = fallbackName || url3.split("/").pop()?.split(/[?#]/)[0] || `attachment_${Date.now()}`;
+  const mimeType = mimeOverride?.trim() || (headerType && headerType !== "application/octet-stream" ? headerType : null) || mimeFromName(url3) || mimeFromName(fileName) || "application/octet-stream";
+  return { ok: true, buffer: buffer2, fileName, mimeType };
+}
+async function resolveFromFilePath(filePath, fileNameOverride, mimeOverride) {
+  try {
+    const buffer2 = await readFile(filePath);
+    const fileName = fileNameOverride?.trim() || basename(filePath) || "attachment";
+    const mimeType = mimeOverride?.trim() || mimeFromName(fileName) || "application/octet-stream";
+    return { ok: true, buffer: buffer2, fileName, mimeType };
+  } catch (error49) {
+    const code = error49 && typeof error49 === "object" && "code" in error49 ? String(error49.code) : "";
+    if (code !== "ENOENT") {
+      return {
+        ok: false,
+        message: `Failed to read the file: ${error49 instanceof Error ? error49.message : String(error49)}`
+      };
+    }
+    const hermesUrl = resolveHermesCacheMediaUrl(filePath);
+    if (hermesUrl) {
+      const fetched = await fetchAttachmentUrl(
+        hermesUrl,
+        fileNameOverride?.trim() || basename(filePath) || void 0,
+        mimeOverride
+      );
+      if (fetched.ok) {
+        return {
+          ok: true,
+          buffer: fetched.buffer,
+          fileName: fetched.fileName,
+          mimeType: fetched.mimeType
+        };
+      }
+      return {
+        ok: false,
+        message: `${formatFilePathEnoentError(filePath)} Hermes media fetch also failed: ${fetched.message}`
+      };
+    }
+    return { ok: false, message: formatFilePathEnoentError(filePath) };
+  }
+}
+async function resolveFromUploadId(uploadId, teamId, userId, fileNameOverride, mimeOverride) {
+  const storageKey = parseMcpStagingStorageKey(uploadId, teamId, userId);
+  if (!storageKey) {
+    return {
+      ok: false,
+      message: "Invalid uploadId. Use the uploadId returned by POST /mcp/attachment-upload for your API key user."
+    };
+  }
+  let downloaded;
+  try {
+    downloaded = await storage.download({ bucket: "vault", path: storageKey });
+  } catch (error49) {
+    return {
+      ok: false,
+      message: `Staged upload not found or expired (${uploadId}): ${error49 instanceof Error ? error49.message : String(error49)}`
+    };
+  }
+  const buffer2 = Buffer.from(await downloaded.blob.arrayBuffer());
+  const defaultName = storageKey.split("/").pop() || "attachment";
+  const fileName = fileNameOverride?.trim() || defaultName;
+  const mimeType = mimeOverride?.trim() || downloaded.contentType || mimeFromName(fileName) || "application/octet-stream";
+  return {
+    ok: true,
+    buffer: buffer2,
+    fileName,
+    mimeType,
+    stagingStorageKey: storageKey
+  };
+}
+async function resolveAttachmentSource(input) {
+  const sources = [
+    input.filePath,
+    input.imageUrl,
+    input.base64Data,
+    input.uploadId
+  ].filter((v2) => typeof v2 === "string" && v2.trim().length > 0);
+  if (sources.length === 0) {
+    return {
+      ok: false,
+      message: "Provide exactly one source: filePath, imageUrl, uploadId (from POST /mcp/attachment-upload), or base64Data."
+    };
+  }
+  if (sources.length > 1) {
+    return {
+      ok: false,
+      message: "Provide only one source (filePath, imageUrl, uploadId, or base64Data), not several."
+    };
+  }
+  if (input.uploadId) {
+    return resolveFromUploadId(
+      input.uploadId.trim(),
+      input.teamId,
+      input.userId,
+      input.fileName,
+      input.mimeType
+    );
+  }
+  if (input.filePath) {
+    return resolveFromFilePath(input.filePath, input.fileName, input.mimeType);
+  }
+  if (input.imageUrl) {
+    const fetched = await fetchAttachmentUrl(
+      input.imageUrl,
+      input.fileName,
+      input.mimeType
+    );
+    if (!fetched.ok) return fetched;
+    return {
+      ok: true,
+      buffer: fetched.buffer,
+      fileName: fetched.fileName,
+      mimeType: fetched.mimeType
+    };
+  }
+  let b64 = input.base64Data;
+  let mimeType = input.mimeType?.trim() ?? "";
+  const dataUri = b64.match(/^data:([^;]+);base64,(.*)$/s);
+  if (dataUri) {
+    if (!mimeType) mimeType = dataUri[1] ?? "";
+    b64 = dataUri[2] ?? "";
+  } else if (b64.includes(",")) {
+    b64 = b64.split(",")[1] || b64;
+  }
+  const buffer2 = Buffer.from(b64, "base64");
+  const fileName = input.fileName?.trim() || `attachment_${Date.now()}`;
+  if (!mimeType) {
+    mimeType = mimeFromName(fileName) ?? "application/octet-stream";
+  }
+  return { ok: true, buffer: buffer2, fileName, mimeType };
+}
+function validateAttachmentBuffer(buffer2, mimeType) {
+  if (buffer2.byteLength === 0) {
+    return { ok: false, message: "The file is empty (0 bytes); nothing to upload." };
+  }
+  if (buffer2.byteLength > MAX_FILE_SIZE) {
+    return {
+      ok: false,
+      message: `File too large (${(buffer2.byteLength / 1024 / 1024).toFixed(
+        1
+      )} MB). Max: 25 MB.`
+    };
+  }
+  if (!ALLOWED_MIME_TYPES.has(mimeType)) {
+    return {
+      ok: false,
+      message: `Unsupported file type: ${mimeType}. Allowed: JPEG, PNG, GIF, WebP, PDF, DOC(X), XLS(X), PPT(X), TXT, CSV.`
+    };
+  }
+  return null;
+}
+
+// src/tools/ticket-attachment-delete-util.ts
+function validateDeleteAttachmentInput(attachmentId) {
+  if (!attachmentId?.trim()) {
+    return "missing_attachment_id";
+  }
+  return null;
+}
+function validateAttachmentBelongsToTicket(attachmentTicketId, requestedTicketId) {
+  return attachmentTicketId === requestedTicketId;
+}
+function buildDeleteAttachmentResult(input) {
+  return {
+    deleted: true,
+    attachmentId: input.attachmentId,
+    ticketId: input.ticketId,
+    fileName: input.fileName,
+    source: input.source
+  };
+}
+function formatDeleteAttachmentRefusal(reason, context2) {
+  switch (reason) {
+    case "missing_attachment_id":
+      return "attachmentId is required. Use get-ticket-by-id to list attachment ids.";
+    case "attachment_not_found":
+      return `Attachment not found: ${context2.attachmentId}. Use get-ticket-by-id on ${context2.ticketNumber} to list valid attachment ids.`;
+    case "wrong_ticket":
+      return `Attachment ${context2.attachmentId} (${context2.fileName ?? "unknown file"}) belongs to ticket ${context2.actualTicketId}, not ${context2.ticketNumber}. Pass the correct ticketId or choose an attachment id from that ticket.`;
+  }
+}
+
+// src/tools/ticket-attachments.ts
+function textResponse5(text3) {
+  return { content: [{ type: "text", text: text3 }] };
+}
 async function findAttachment(attachmentId) {
   const [ticketAtt] = await db.select({
     ticketId: schema_exports.ticketAttachments.ticketId,
@@ -120510,82 +120757,30 @@ ${url3}`
   };
 }
 async function handleUploadTicketAttachment(input) {
-  const ctx = getAuthContext();
-  const sources = [input.filePath, input.imageUrl, input.base64Data].filter(
-    (v2) => typeof v2 === "string" && v2.trim().length > 0
-  );
-  if (sources.length === 0) {
-    return textResponse5(
-      "Provide exactly one source: filePath (absolute local path), imageUrl, or base64Data."
-    );
-  }
-  if (sources.length > 1) {
-    return textResponse5(
-      "Provide only one source (filePath, imageUrl, or base64Data), not several."
-    );
+  const ctx = getAuthContext() ?? authContext;
+  if (!ctx) {
+    return textResponse5("Error: Not authenticated.");
   }
   const access = await loadAccessibleTicket(input.teamId, input.ticketId);
   if (!access.ok) return access.response;
   const ticket = access.ticket;
-  let buffer2;
-  let fileName = input.fileName?.trim() ?? "";
-  let mimeType = input.mimeType?.trim() ?? "";
-  try {
-    if (input.filePath) {
-      buffer2 = await readFile(input.filePath);
-      if (!fileName) fileName = basename(input.filePath) || "attachment";
-      if (!mimeType) {
-        mimeType = mimeFromName(fileName) ?? "application/octet-stream";
-      }
-    } else if (input.imageUrl) {
-      const res = await fetch(input.imageUrl);
-      if (!res.ok) {
-        return textResponse5(
-          `Could not download from URL: HTTP ${res.status}.`
-        );
-      }
-      const headerType = res.headers.get("content-type")?.split(";")[0]?.trim();
-      buffer2 = Buffer.from(await res.arrayBuffer());
-      if (!fileName) {
-        fileName = input.imageUrl.split("/").pop()?.split(/[?#]/)[0] || `attachment_${Date.now()}`;
-      }
-      if (!mimeType) {
-        mimeType = (headerType && headerType !== "application/octet-stream" ? headerType : null) ?? mimeFromName(input.imageUrl) ?? mimeFromName(fileName) ?? "application/octet-stream";
-      }
-    } else {
-      let b64 = input.base64Data;
-      const dataUri = b64.match(/^data:([^;]+);base64,(.*)$/s);
-      if (dataUri) {
-        if (!mimeType) mimeType = dataUri[1] ?? "";
-        b64 = dataUri[2] ?? "";
-      } else if (b64.includes(",")) {
-        b64 = b64.split(",")[1] || b64;
-      }
-      buffer2 = Buffer.from(b64, "base64");
-      if (!fileName) fileName = `attachment_${Date.now()}`;
-      if (!mimeType) {
-        mimeType = mimeFromName(fileName) ?? "application/octet-stream";
-      }
-    }
-  } catch (error49) {
-    return textResponse5(
-      `Failed to read the file: ${error49 instanceof Error ? error49.message : String(error49)}`
-    );
-  }
-  if (buffer2.byteLength === 0) {
-    return textResponse5("The file is empty (0 bytes); nothing to upload.");
-  }
-  if (buffer2.byteLength > MAX_FILE_SIZE) {
-    return textResponse5(
-      `File too large (${(buffer2.byteLength / 1024 / 1024).toFixed(
-        1
-      )} MB). Max: 25 MB.`
-    );
+  const resolved = await resolveAttachmentSource({
+    filePath: input.filePath,
+    imageUrl: input.imageUrl,
+    base64Data: input.base64Data,
+    uploadId: input.uploadId,
+    fileName: input.fileName,
+    mimeType: input.mimeType,
+    teamId: ctx.teamId,
+    userId: ctx.userId
+  });
+  if (!resolved.ok) {
+    return textResponse5(resolved.message);
   }
-  if (!ALLOWED_MIME_TYPES.has(mimeType)) {
-    return textResponse5(
-      `Unsupported file type: ${mimeType}. Allowed: JPEG, PNG, GIF, WebP, PDF, DOC(X), XLS(X), PPT(X), TXT, CSV.`
-    );
+  const { buffer: buffer2, fileName, mimeType, stagingStorageKey } = resolved;
+  const validationError = validateAttachmentBuffer(buffer2, mimeType);
+  if (validationError) {
+    return textResponse5(validationError.message);
   }
   const storageKey = `${ticket.teamId}/tickets/${ticket.id}/${Date.now()}_${fileName}`;
   try {
@@ -120600,6 +120795,12 @@ async function handleUploadTicketAttachment(input) {
       `Upload failed: ${error49 instanceof Error ? error49.message : String(error49)}`
     );
   }
+  if (stagingStorageKey) {
+    try {
+      await storage.remove({ bucket: "vault", paths: [stagingStorageKey] });
+    } catch {
+    }
+  }
   const [row] = await db.insert(schema_exports.ticketAttachments).values({
     ticketId: ticket.id,
     teamId: ticket.teamId,
@@ -120630,6 +120831,72 @@ Download URL (valid 1 hour):
 ${url3}` : "")
   );
 }
+async function handleDeleteTicketAttachment(input) {
+  const ctx = getAuthContext() ?? authContext;
+  if (!ctx) {
+    return textResponse5("Error: Not authenticated.");
+  }
+  const inputError = validateDeleteAttachmentInput(input.attachmentId);
+  if (inputError) {
+    return textResponse5(formatDeleteAttachmentRefusal(inputError, { ticketNumber: input.ticketId }));
+  }
+  const access = await loadAccessibleTicket(input.teamId, input.ticketId);
+  if (!access.ok) return access.response;
+  const ticket = access.ticket;
+  const attachment = await findAttachment(input.attachmentId);
+  if (!attachment) {
+    return textResponse5(
+      formatDeleteAttachmentRefusal("attachment_not_found", {
+        attachmentId: input.attachmentId,
+        ticketNumber: ticket.ticketNumber
+      })
+    );
+  }
+  if (!validateAttachmentBelongsToTicket(attachment.ticketId, ticket.id)) {
+    return textResponse5(
+      formatDeleteAttachmentRefusal("wrong_ticket", {
+        attachmentId: input.attachmentId,
+        ticketNumber: ticket.ticketNumber,
+        fileName: attachment.fileName,
+        actualTicketId: attachment.ticketId
+      })
+    );
+  }
+  const table = attachment.source === "ticket" ? schema_exports.ticketAttachments : schema_exports.ticketCommentAttachments;
+  const [deletedRow] = await db.delete(table).where(eq(table.id, input.attachmentId)).returning({ id: table.id });
+  if (!deletedRow) {
+    return textResponse5(
+      `Failed to delete attachment ${input.attachmentId}. It may have been removed already.`
+    );
+  }
+  try {
+    await storage.remove({
+      bucket: "vault",
+      paths: [attachment.storageKey]
+    });
+  } catch {
+  }
+  await db.insert(schema_exports.ticketActivity).values({
+    ticketId: ticket.id,
+    teamId: ticket.teamId,
+    userId: ctx.userId,
+    activityType: "attachment_removed",
+    metadata: {
+      attachmentId: input.attachmentId,
+      fileName: attachment.fileName,
+      source: attachment.source,
+      removedBy: "mcp"
+    }
+  });
+  await db.update(schema_exports.tickets).set({ updatedAt: sql`NOW()`, updatedBy: ctx.userId }).where(eq(schema_exports.tickets.id, ticket.id));
+  const result = buildDeleteAttachmentResult({
+    attachmentId: input.attachmentId,
+    ticketId: ticket.id,
+    fileName: attachment.fileName,
+    source: attachment.source
+  });
+  return textResponse5(JSON.stringify(result, null, 2));
+}
 
 // src/tools/tiptap-text.ts
 function renderNode(node) {
@@ -122624,7 +122891,7 @@ ${tagErrors.map((e6) => `   \u2022 ${e6}`).join("\n")}
 }
 
 // src/server.ts
-var SERVER_VERSION = "3.5.1";
+var SERVER_VERSION = "3.5.4";
 function createMcpServer() {
   const server = new Server(
     {
@@ -122706,6 +122973,10 @@ function createMcpServer() {
           return await handleUploadTicketAttachment(
             asToolArgs(toolArgs)
           );
+        case "delete-ticket-attachment":
+          return await handleDeleteTicketAttachment(
+            asToolArgs(toolArgs)
+          );
         case "get-customers":
           return await handleGetCustomers(asToolArgs(toolArgs));
         case "create-customer":