@mgsoftwarebv/mg-dashboard-mcp 2.0.0 → 2.0.4

package/dist/index.js

@@ -24,6 +24,133 @@ if (!supabaseUrl || !supabaseKey) {
   process.exit(1);
 }
 var supabase = createClient(supabaseUrl, supabaseKey);
+var RateLimiter = class {
+  buckets = /* @__PURE__ */ new Map();
+  maxAttempts;
+  windowMs;
+  constructor(maxAttempts, windowMs) {
+    this.maxAttempts = maxAttempts;
+    this.windowMs = windowMs;
+  }
+  /**
+   * Check if an action is allowed for the given key.
+   * Increments the counter and returns whether the action should proceed.
+   */
+  check(key) {
+    const now = Date.now();
+    const entry = this.buckets.get(key);
+    if (!entry || now >= entry.resetAt) {
+      this.buckets.set(key, { count: 1, resetAt: now + this.windowMs });
+      return { allowed: true, remaining: this.maxAttempts - 1, retryAfterMs: 0 };
+    }
+    entry.count++;
+    if (entry.count > this.maxAttempts) {
+      return {
+        allowed: false,
+        remaining: 0,
+        retryAfterMs: entry.resetAt - now
+      };
+    }
+    return {
+      allowed: true,
+      remaining: this.maxAttempts - entry.count,
+      retryAfterMs: 0
+    };
+  }
+  /** Periodically remove expired entries to prevent unbounded growth. */
+  cleanup() {
+    const now = Date.now();
+    for (const [key, entry] of this.buckets) {
+      if (now >= entry.resetAt) this.buckets.delete(key);
+    }
+  }
+};
+var authRateLimiter = new RateLimiter(5, 15 * 60 * 1e3);
+setInterval(() => {
+  authRateLimiter.cleanup();
+}, 5 * 60 * 1e3).unref();
+var MODULE_KEYS = [
+  "users",
+  "emails",
+  "logs",
+  "ssh_servers",
+  "supabase",
+  "wiki",
+  "ci_cd",
+  "source_control",
+  "domains",
+  "google_search_console",
+  "settings"
+];
+var FULL_PERMISSIONS = {
+  modules: Object.fromEntries(MODULE_KEYS.map((k) => [k, true])),
+  resources: { ssh_servers: ["*"], supabase_instances: ["*"] }
+};
+function parsePermissions(raw) {
+  if (!raw || typeof raw !== "object") return null;
+  return raw;
+}
+function resolvePermissions(roleName, roleDefaults, userOverrides) {
+  if (roleName === "superadmin") return FULL_PERMISSIONS;
+  const base = parsePermissions(roleDefaults);
+  const overrides = parsePermissions(userOverrides);
+  const modules = {};
+  for (const key of MODULE_KEYS) {
+    const userVal = overrides?.modules?.[key];
+    const roleVal = base?.modules?.[key];
+    modules[key] = userVal !== void 0 ? userVal : roleVal !== void 0 ? roleVal : false;
+  }
+  const resources = {
+    ssh_servers: overrides?.resources?.ssh_servers ?? base?.resources?.ssh_servers ?? [],
+    supabase_instances: overrides?.resources?.supabase_instances ?? base?.resources?.supabase_instances ?? []
+  };
+  return { modules, resources };
+}
+function intersectServerAccess(keyServerIds, permissionServerIds) {
+  const keyHasRestriction = keyServerIds !== null;
+  const permWildcard = permissionServerIds.includes("*");
+  const permEmpty = permissionServerIds.length === 0;
+  if (!keyHasRestriction && permWildcard) return null;
+  if (!keyHasRestriction && permEmpty) return [];
+  if (!keyHasRestriction) return permissionServerIds;
+  if (permWildcard) return keyServerIds;
+  if (permEmpty) return [];
+  return keyServerIds.filter((id) => permissionServerIds.includes(id));
+}
+var TOOL_MODULE_MAP = {
+  "list-servers": "ssh_servers",
+  "server-status": "ssh_servers",
+  "ssh-execute": "ssh_servers",
+  "server-reboot": "ssh_servers",
+  "server-restart-service": "ssh_servers",
+  "sftp-list": "ssh_servers",
+  "sftp-read": "ssh_servers",
+  "sftp-write": "ssh_servers",
+  "sftp-delete": "ssh_servers",
+  "docker-list": "ssh_servers",
+  "docker-action": "ssh_servers",
+  "docker-logs": "ssh_servers",
+  "db-discover": "ssh_servers",
+  "db-tables": "ssh_servers",
+  "db-describe": "ssh_servers",
+  "db-query": "ssh_servers",
+  "cache-purge": "ssh_servers",
+  "log-list": "ssh_servers",
+  "log-read": "ssh_servers",
+  "cron-list": "ssh_servers",
+  "cron-add": "ssh_servers",
+  "cron-remove": "ssh_servers",
+  "cron-toggle": "ssh_servers",
+  "env-list": "ci_cd",
+  "env-get": "ci_cd",
+  "env-store": "ci_cd",
+  "domain-list": "domains",
+  "domain-get": "domains",
+  "dns-list": "domains",
+  "dns-create": "domains",
+  "dns-update": "domains",
+  "dns-delete": "domains"
+};
 var authContext = null;
 async function validateApiKey(key) {
   if (!key.startsWith("dk_") || key.length !== 67) {
@@ -31,20 +158,42 @@ async function validateApiKey(key) {
     return null;
   }
   const keyHash = createHash("sha256").update(key).digest("hex");
+  const rateCheck = authRateLimiter.check(keyHash);
+  if (!rateCheck.allowed) {
+    const retryMin = Math.ceil(rateCheck.retryAfterMs / 6e4);
+    console.error(`Rate limited: too many failed auth attempts. Retry in ${retryMin} minute(s).`);
+    return null;
+  }
   const { data, error } = await supabase.from("dashboard_mcp_api_key").select("id, created_by, allowed_server_ids, is_active, expires_at").eq("api_key_hash", keyHash).eq("is_active", true).single();
   if (error || !data) {
-    console.error("API key not found or inactive");
+    console.error(`API key not found or inactive (${rateCheck.remaining} attempts remaining)`);
     return null;
   }
   if (data.expires_at && new Date(data.expires_at) < /* @__PURE__ */ new Date()) {
-    console.error("API key has expired");
+    console.error(`API key has expired (${rateCheck.remaining} attempts remaining)`);
+    return null;
+  }
+  const { data: userData, error: userError } = await supabase.from("user").select("permissions, role:role!role_id(name, default_permissions)").eq("id", data.created_by).single();
+  if (userError || !userData) {
+    console.error(`User not found for API key creator: ${data.created_by}`);
     return null;
   }
+  const roleName = userData.role?.name || "user";
+  const roleDefaults = userData.role?.default_permissions ?? {};
+  const userOverrides = userData.permissions ?? null;
+  const permissions = resolvePermissions(roleName, roleDefaults, userOverrides);
+  const allowedServerIds = intersectServerAccess(
+    data.allowed_server_ids,
+    permissions.resources.ssh_servers
+  );
   await supabase.from("dashboard_mcp_api_key").update({ last_used_at: (/* @__PURE__ */ new Date()).toISOString() }).eq("id", data.id);
-  console.error(`Authenticated as user ${data.created_by}`);
+  const moduleCount = MODULE_KEYS.filter((k) => permissions.modules[k]).length;
+  console.error(`Authenticated as user ${data.created_by} (role: ${roleName}, modules: ${moduleCount}/${MODULE_KEYS.length})`);
   return {
     userId: data.created_by,
-    allowedServerIds: data.allowed_server_ids
+    allowedServerIds,
+    permissions,
+    roleName
   };
 }
 function assertServerAccess(serverId) {
@@ -54,6 +203,38 @@ function assertServerAccess(serverId) {
     throw new Error(`Access denied: you do not have permission for server ${serverId}`);
   }
 }
+async function resolveReleaseProfileStageIds(profileName) {
+  const { data: profile, error } = await supabase.from("release_profile").select("id, name").ilike("name", profileName).maybeSingle();
+  if (error) throw new Error(`Failed to look up release profile: ${error.message}`);
+  if (!profile) {
+    const { data: all } = await supabase.from("release_profile").select("name").order("name");
+    const names = (all || []).map((p) => p.name).join(", ");
+    throw new Error(
+      `Release profile "${profileName}" not found. Available profiles: ${names || "(none)"}`
+    );
+  }
+  const { data: stages, error: stageErr } = await supabase.from("release_profile_stage").select("id").eq("release_profile_id", profile.id);
+  if (stageErr) throw new Error(`Failed to look up stages: ${stageErr.message}`);
+  if (!stages || stages.length === 0) {
+    throw new Error(`Release profile "${profile.name}" has no stages configured`);
+  }
+  return { stageIds: stages.map((s) => s.id), profileId: profile.id };
+}
+async function getProfileNamesForStageIds(stageIds) {
+  if (stageIds.length === 0) return {};
+  const { data: stages } = await supabase.from("release_profile_stage").select("id, release_profile_id").in("id", stageIds);
+  if (!stages || stages.length === 0) return {};
+  const profileIds = [...new Set(stages.map((s) => s.release_profile_id))];
+  const { data: profiles } = await supabase.from("release_profile").select("id, name").in("id", profileIds);
+  if (!profiles) return {};
+  const profileMap = {};
+  for (const p of profiles) profileMap[p.id] = p.name;
+  const result = {};
+  for (const s of stages) {
+    result[s.id] = profileMap[s.release_profile_id] || "unknown";
+  }
+  return result;
+}
 var ENC_ALGORITHM = "aes-256-gcm";
 var ENC_IV_LENGTH = 16;
 var ENC_TAG_LENGTH = 16;
@@ -88,6 +269,120 @@ function decrypt(payload) {
   decrypted += decipher.final("utf8");
   return decrypted;
 }
+var VERCEL_API = "https://api.vercel.com";
+function parseEnvContent(content) {
+  const result = {};
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eqIdx = trimmed.indexOf("=");
+    if (eqIdx === -1) continue;
+    const key = trimmed.slice(0, eqIdx).trim();
+    let value = trimmed.slice(eqIdx + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    }
+    if (key) result[key] = value;
+  }
+  return result;
+}
+function stageToVercelTargets(stageType, customEnvId) {
+  if (stageType === "prod") return { target: ["production"] };
+  if (customEnvId) return { customEnvironmentIds: [customEnvId] };
+  return { target: ["preview"] };
+}
+async function syncEnvVarsToVercel(token, projectId, envVars) {
+  if (envVars.length === 0) return { created: 0, error: null };
+  const res = await fetch(
+    `${VERCEL_API}/v10/projects/${encodeURIComponent(projectId)}/env?upsert=true`,
+    {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(envVars)
+    }
+  );
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    return { created: 0, error: `Vercel API ${res.status}: ${body}` };
+  }
+  const data = await res.json().catch(() => ({}));
+  return { created: data?.created?.length ?? envVars.length, error: null };
+}
+async function attemptVercelSync(appName, environment) {
+  try {
+    const { data: direct } = await supabase.from("env_config").select("release_profile_stage_id").eq("app_name", appName).not("release_profile_stage_id", "is", null).limit(1).single();
+    const stageId = direct?.release_profile_stage_id;
+    if (!stageId) return "Vercel sync skipped: no stage link found";
+    const { data: settings } = await supabase.from("app_setting").select("vercel_token_encrypted").maybeSingle();
+    if (!settings?.vercel_token_encrypted) return "Vercel sync skipped: no Vercel token configured";
+    let token;
+    try {
+      token = decrypt(settings.vercel_token_encrypted);
+    } catch {
+      return "Vercel sync failed: could not decrypt Vercel token";
+    }
+    const { data: stage } = await supabase.from("release_profile_stage").select("id, stage, stage_apps").eq("id", stageId).single();
+    if (!stage) return "Vercel sync skipped: stage not found";
+    const stageType = stage.stage;
+    const stageApps = stage.stage_apps || [];
+    const vercelApps = stageApps.filter(
+      (a) => a.deployMethod === "vercel" && a.enabled && a.vercelProjectId
+    );
+    if (vercelApps.length === 0) return "Vercel sync skipped: no Vercel apps in stage";
+    const { data: envConfigs } = await supabase.from("env_config").select("*").eq("release_profile_stage_id", stageId);
+    if (!envConfigs || envConfigs.length === 0) return "Vercel sync skipped: no env configs for stage";
+    const variantMap = {
+      dev: "development",
+      staging: "staging",
+      prod: "production"
+    };
+    const deployedVariant = variantMap[stageType] ?? stageType;
+    const syncResults = [];
+    for (const app of vercelApps) {
+      const name = app.path.replace("apps/", "");
+      const config = envConfigs.find(
+        (c) => c.app_name === name && c.variant === deployedVariant
+      );
+      if (!config) {
+        syncResults.push(`${app.label}: skipped (no config for variant "${deployedVariant}")`);
+        continue;
+      }
+      let envContent;
+      try {
+        envContent = decrypt(config.env_data_encrypted);
+      } catch {
+        syncResults.push(`${app.label}: decrypt failed`);
+        continue;
+      }
+      const pairs = parseEnvContent(envContent);
+      const keys = Object.keys(pairs);
+      if (keys.length === 0) {
+        syncResults.push(`${app.label}: empty config`);
+        continue;
+      }
+      const targeting = stageToVercelTargets(stageType, app.vercelCustomEnvId);
+      const envVars = keys.map((key) => ({
+        key,
+        value: pairs[key],
+        type: "encrypted",
+        ...targeting
+      }));
+      const { created, error } = await syncEnvVarsToVercel(token, app.vercelProjectId, envVars);
+      if (error) {
+        syncResults.push(`${app.label}: FAILED - ${error}`);
+      } else {
+        syncResults.push(`${app.label}: ${created} vars synced`);
+      }
+    }
+    return `Vercel sync: ${syncResults.join("; ")}`;
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return `Vercel sync error: ${msg}`;
+  }
+}
 async function getServerConnection(serverId) {
   assertServerAccess(serverId);
   const { data, error } = await supabase.from("ssh_server").select("hostname, port, username, password_encrypted, ssh_key_encrypted, ssh_key_passphrase_encrypted").eq("id", serverId).single();
@@ -794,8 +1089,13 @@ var TOOLS = [
   },
   {
     name: "env-list",
-    description: "List all stored environment configurations (app name, environment, description).",
-    inputSchema: { type: "object", properties: {}, required: [] }
+    description: "List all stored environment configurations with their release profile names.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        releaseProfile: { type: "string", description: "Release profile name to filter by (usually matches the project folder name or git repo name, e.g. prefabaanbouw). Omit to list all." }
+      }
+    }
   },
   {
     name: "env-get",
@@ -804,7 +1104,8 @@ var TOOLS = [
       type: "object",
       properties: {
         appName: { type: "string", description: "Application name (e.g. backoffice, api, web)" },
-        environment: { type: "string", description: "Environment name (e.g. production, staging, development)" }
+        environment: { type: "string", description: "Environment name (e.g. production, staging, development, local)" },
+        releaseProfile: { type: "string", description: "Release profile name (usually matches the project folder name or git repo name, e.g. prefabaanbouw). Required when multiple profiles exist. Use env-list to discover available profiles." }
       },
       required: ["appName", "environment"]
     }
@@ -816,9 +1117,10 @@ var TOOLS = [
       type: "object",
       properties: {
         appName: { type: "string", description: "Application name (e.g. backoffice, api, web)" },
-        environment: { type: "string", description: "Environment name (e.g. production, staging, development)" },
+        environment: { type: "string", description: "Environment name (e.g. production, staging, development, local)" },
         content: { type: "string", description: "The .env file content to store" },
-        description: { type: "string", description: "Optional description" }
+        description: { type: "string", description: "Optional description" },
+        releaseProfile: { type: "string", description: "Release profile name (usually matches the project folder name or git repo name, e.g. prefabaanbouw). Required when multiple profiles exist. Use env-list to discover available profiles." }
       },
       required: ["appName", "environment", "content"]
     }
@@ -992,13 +1294,30 @@ var server = new Server(
   { name: "mg-dashboard-mcp", version: "1.7.0" },
   { capabilities: { tools: {} } }
 );
-server.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: TOOLS }));
+server.setRequestHandler(ListToolsRequestSchema, async () => {
+  if (!authContext) return { tools: TOOLS };
+  const accessible = TOOLS.filter((tool) => {
+    const requiredModule = TOOL_MODULE_MAP[tool.name];
+    if (!requiredModule) return true;
+    return authContext.permissions.modules[requiredModule] === true;
+  });
+  return { tools: accessible };
+});
 server.setRequestHandler(CallToolRequestSchema, async (request) => {
   if (!authContext) {
     return { content: [{ type: "text", text: "Error: not authenticated" }] };
   }
   const { name, arguments: toolArgs } = request.params;
   const a = toolArgs || {};
+  const requiredModule = TOOL_MODULE_MAP[name];
+  if (requiredModule && authContext.permissions.modules[requiredModule] !== true) {
+    return {
+      content: [{
+        type: "text",
+        text: `Access denied: you do not have permission for the "${requiredModule}" module (tool: ${name})`
+      }]
+    };
+  }
   try {
     switch (name) {
       // ----- Servers -----
@@ -1135,44 +1454,95 @@ ${result.stderr}`);
       }
       // ----- Env Config -----
       case "env-list": {
-        const { data, error } = await supabase.from("env_config").select("id, app_name, environment, description, updated_at").order("app_name").order("environment");
+        let query = supabase.from("env_config").select("id, app_name, environment, description, updated_at, release_profile_stage_id").order("app_name").order("environment");
+        if (a.releaseProfile) {
+          const { stageIds: stageIds2 } = await resolveReleaseProfileStageIds(String(a.releaseProfile));
+          query = query.in("release_profile_stage_id", stageIds2);
+        }
+        const { data, error } = await query;
         if (error) throw new Error(error.message);
-        const lines = (data || []).map(
-          (e) => `${e.app_name}/${e.environment}  ${e.description || ""}  (updated: ${e.updated_at})`
-        );
+        const stageIds = (data || []).map((e) => e.release_profile_stage_id).filter(Boolean);
+        const profileNames = await getProfileNamesForStageIds(stageIds);
+        const lines = (data || []).map((e) => {
+          const profile = e.release_profile_stage_id ? profileNames[e.release_profile_stage_id] || "unknown" : "unlinked";
+          return `${e.app_name}/${e.environment}  [${profile}]  (updated: ${e.updated_at})`;
+        });
         return { content: [{ type: "text", text: lines.length ? lines.join("\n") : "No environment configs stored" }] };
       }
       case "env-get": {
-        const { data, error } = await supabase.from("env_config").select("env_data_encrypted").eq("app_name", String(a.appName)).eq("environment", String(a.environment)).single();
-        if (error || !data) throw new Error(`Env config not found: ${a.appName}/${a.environment}`);
-        const decrypted = decrypt(data.env_data_encrypted);
+        let query = supabase.from("env_config").select("env_data_encrypted, release_profile_stage_id").eq("app_name", String(a.appName)).eq("environment", String(a.environment));
+        if (a.releaseProfile) {
+          const { stageIds } = await resolveReleaseProfileStageIds(String(a.releaseProfile));
+          query = query.in("release_profile_stage_id", stageIds);
+        }
+        const { data, error } = await query;
+        if (error) throw new Error(`Env config query failed: ${error.message}`);
+        if (!data || data.length === 0) {
+          throw new Error(`Env config not found: ${a.appName}/${a.environment}${a.releaseProfile ? ` (profile: ${a.releaseProfile})` : ""}`);
+        }
+        if (data.length > 1) {
+          const stageIds = data.map((r) => r.release_profile_stage_id).filter(Boolean);
+          const profileNames = await getProfileNamesForStageIds(stageIds);
+          const names = [...new Set(Object.values(profileNames))].join(", ");
+          throw new Error(
+            `Multiple env configs found for ${a.appName}/${a.environment} across profiles: ${names}. Pass releaseProfile parameter to select one (e.g. releaseProfile: "${Object.values(profileNames)[0] || "..."}")`
+          );
+        }
+        const decrypted = decrypt(data[0].env_data_encrypted);
         return { content: [{ type: "text", text: decrypted }] };
       }
       case "env-store": {
         const appName = String(a.appName);
         const environment = String(a.environment);
         const encrypted = encrypt(String(a.content));
-        const { data: existing } = await supabase.from("env_config").select("id").eq("app_name", appName).eq("environment", environment).single();
+        let resolvedStageIds = null;
+        if (a.releaseProfile) {
+          const { stageIds } = await resolveReleaseProfileStageIds(String(a.releaseProfile));
+          resolvedStageIds = stageIds;
+        }
+        let existQuery = supabase.from("env_config").select("id, release_profile_stage_id").eq("app_name", appName).eq("environment", environment);
+        if (resolvedStageIds) {
+          existQuery = existQuery.in("release_profile_stage_id", resolvedStageIds);
+        }
+        const { data: existingRows, error: existErr } = await existQuery;
+        if (existErr) throw new Error(`Lookup failed: ${existErr.message}`);
+        if (existingRows && existingRows.length > 1 && !resolvedStageIds) {
+          const stageIds = existingRows.map((r) => r.release_profile_stage_id).filter(Boolean);
+          const profileNames = await getProfileNamesForStageIds(stageIds);
+          const names = [...new Set(Object.values(profileNames))].join(", ");
+          throw new Error(
+            `Multiple env configs found for ${appName}/${environment} across profiles: ${names}. Pass releaseProfile parameter to select one.`
+          );
+        }
+        const existing = existingRows?.[0] ?? null;
+        let saveMsg;
         if (existing) {
-          const { error: error2 } = await supabase.from("env_config").update({
+          const { error } = await supabase.from("env_config").update({
             env_data_encrypted: encrypted,
             description: a.description ? String(a.description) : void 0,
             updated_by: authContext.userId,
             updated_at: (/* @__PURE__ */ new Date()).toISOString()
           }).eq("id", existing.id);
-          if (error2) throw new Error(error2.message);
-          return { content: [{ type: "text", text: `Updated env config: ${appName}/${environment}` }] };
+          if (error) throw new Error(error.message);
+          saveMsg = `Updated env config: ${appName}/${environment}`;
+        } else {
+          const insertData = {
+            app_name: appName,
+            environment,
+            env_data_encrypted: encrypted,
+            description: a.description ? String(a.description) : null,
+            created_by: authContext.userId,
+            updated_by: authContext.userId
+          };
+          if (resolvedStageIds?.[0]) {
+            insertData.release_profile_stage_id = resolvedStageIds[0];
+          }
+          const { error } = await supabase.from("env_config").insert(insertData);
+          if (error) throw new Error(error.message);
+          saveMsg = `Stored env config: ${appName}/${environment}`;
         }
-        const { error } = await supabase.from("env_config").insert({
-          app_name: appName,
-          environment,
-          env_data_encrypted: encrypted,
-          description: a.description ? String(a.description) : null,
-          created_by: authContext.userId,
-          updated_by: authContext.userId
-        });
-        if (error) throw new Error(error.message);
-        return { content: [{ type: "text", text: `Stored env config: ${appName}/${environment}` }] };
+        const vercelStatus = await attemptVercelSync(appName, environment);
+        return { content: [{ type: "text", text: `${saveMsg}. ${vercelStatus}` }] };
       }
       // ----- Cache Purge -----
       case "cache-purge": {