@mondaydotcomorg/atp-server 0.19.10 → 0.19.11

package/dist/index.cjs

@@ -10,6 +10,7 @@ var crypto = require('crypto');
 var nanoid = require('nanoid');
 var jwt = require('jsonwebtoken');
 var ivm = require('isolated-vm');
+var async_hooks = require('async_hooks');
 var parser = require('@babel/parser');
 var _traverse = require('@babel/traverse');
 var _generate = require('@babel/generator');
@@ -6948,6 +6949,62 @@ var BOOTSTRAP_CODE = `
 				}
 				};
 `;
+var asyncLocalStorage = new async_hooks.AsyncLocalStorage();
+function runInRequestScope(context, fn) {
+  return asyncLocalStorage.run(context, fn);
+}
+__name(runInRequestScope, "runInRequestScope");
+function getRequestToolRules() {
+  return asyncLocalStorage.getStore()?.toolRules;
+}
+__name(getRequestToolRules, "getRequestToolRules");
+function isGroupAllowed(groupName, rules) {
+  if (!rules) return true;
+  if (rules.allowOnlyApiGroups && rules.allowOnlyApiGroups.length > 0) {
+    return rules.allowOnlyApiGroups.includes(groupName);
+  }
+  if (rules.blockApiGroups && rules.blockApiGroups.length > 0) {
+    return !rules.blockApiGroups.includes(groupName);
+  }
+  return true;
+}
+__name(isGroupAllowed, "isGroupAllowed");
+function isToolAllowed(toolName, groupName, metadata, rules) {
+  if (!rules) return true;
+  const fullName = `${groupName}.${toolName}`;
+  if (rules.allowOnlyTools && rules.allowOnlyTools.length > 0) {
+    return rules.allowOnlyTools.some((t2) => t2 === toolName || t2 === fullName);
+  }
+  if (rules.blockTools && rules.blockTools.length > 0) {
+    if (rules.blockTools.some((t2) => t2 === toolName || t2 === fullName)) {
+      return false;
+    }
+  }
+  if (metadata) {
+    if (rules.blockOperationTypes && metadata.operationType && rules.blockOperationTypes.includes(metadata.operationType)) {
+      return false;
+    }
+    if (rules.blockSensitivityLevels && metadata.sensitivityLevel && rules.blockSensitivityLevels.includes(metadata.sensitivityLevel)) {
+      return false;
+    }
+  }
+  return true;
+}
+__name(isToolAllowed, "isToolAllowed");
+function filterApiGroups(apiGroups, rules) {
+  const effectiveRules = rules ?? getRequestToolRules();
+  if (!effectiveRules) return apiGroups;
+  return apiGroups.filter((group) => isGroupAllowed(group.name, effectiveRules)).map((group) => {
+    if (!group.functions) return group;
+    const filteredFunctions = group.functions.filter((func) => isToolAllowed(func.name, group.name, func.metadata, effectiveRules));
+    if (filteredFunctions.length === 0) return null;
+    return {
+      ...group,
+      functions: filteredFunctions
+    };
+  }).filter((group) => group !== null);
+}
+__name(filterApiGroups, "filterApiGroups");
 var executionHintMaps = /* @__PURE__ */ new Map();
 var executionHintValues = /* @__PURE__ */ new Map();
 function storeHintMap(executionId, hintMap) {
@@ -7223,7 +7280,8 @@ var SandboxBuilder = class {
   }
   createAPIFunctions(logger, executionId, config) {
     const api = {};
-    for (const group of this.apiGroups) {
+    const allowedGroups = filterApiGroups(this.apiGroups, config.toolRules);
+    for (const group of allowedGroups) {
       if (group.functions) {
         const groupObj = this.getOrCreateNestedGroup(api, group.name);
         for (const func of group.functions) {
@@ -7375,7 +7433,28 @@ var SandboxBuilder = class {
               metadata,
               requestContext: config.requestContext
             };
-            const result = await handler(input, handlerContext);
+            const toolCallStartTime = Date.now();
+            let result;
+            let toolCallError;
+            try {
+              result = await handler(input, handlerContext);
+            } catch (error) {
+              toolCallError = error instanceof Error ? error : new Error(String(error));
+              throw error;
+            } finally {
+              if (config.onToolCall) {
+                const duration = Date.now() - toolCallStartTime;
+                config.onToolCall({
+                  toolName: func.name,
+                  apiGroup: group.name,
+                  input,
+                  output: toolCallError ? void 0 : result,
+                  error: toolCallError,
+                  duration,
+                  success: !toolCallError
+                });
+              }
+            }
             try {
               atpRuntime.storeAPICallResult({
                 type: "api",
@@ -9964,12 +10043,14 @@ var SearchEngine = class {
     __name(this, "SearchEngine");
   }
   index = [];
+  apiGroups = [];
   /**
   * Creates a new SearchEngine instance.
   * @param apiGroups - Array of API group configurations to index
   */
   constructor(apiGroups) {
     if (apiGroups) {
+      this.apiGroups = apiGroups;
       this.buildIndex(apiGroups);
     }
   }
@@ -10002,6 +10083,7 @@ var SearchEngine = class {
   }
   /**
   * Searches for API functions matching the query.
+  * Tool rules are automatically applied from the request scope.
   * @param options - Search options including query and filters
   * @param userId - Optional user ID for scope filtering
   * @param authProvider - Optional auth provider for checking user scopes
@@ -10009,9 +10091,21 @@ var SearchEngine = class {
   * @returns Array of search results sorted by relevance
   */
   async search(options, userId, authProvider, scopeFilteringConfig) {
+    const allowedGroups = filterApiGroups(this.apiGroups);
+    const allowedTools = /* @__PURE__ */ new Set();
+    for (const group of allowedGroups) {
+      if (group.functions) {
+        for (const func of group.functions) {
+          allowedTools.add(`${group.name}:${func.name}`);
+        }
+      }
+    }
     const queryWords = this.extractKeywords(options.query);
     const results = [];
     for (const item of this.index) {
+      if (!allowedTools.has(`${item.apiGroup}:${item.functionName}`)) {
+        continue;
+      }
       if (options.apiGroups && !options.apiGroups.includes(item.apiGroup)) {
         continue;
       }
@@ -10241,7 +10335,9 @@ var ExplorerService = class {
     __name(this, "ExplorerService");
   }
   root;
+  apiGroups;
   constructor(apiGroups) {
+    this.apiGroups = apiGroups;
     this.root = {
       type: "directory",
       name: "/",
@@ -10250,12 +10346,55 @@ var ExplorerService = class {
     this.buildTree(apiGroups);
   }
   /**
+  * Get filtering context based on current request's tool rules.
+  * Returns sets for allowed items and all known items (for filtering).
+  */
+  getFilterContext() {
+    const allowedGroups = filterApiGroups(this.apiGroups);
+    const context = {
+      allowedTypes: /* @__PURE__ */ new Set(),
+      allowedGroups: /* @__PURE__ */ new Set(),
+      allowedTools: /* @__PURE__ */ new Set(),
+      allGroups: new Set(this.apiGroups.map((g) => g.name))
+    };
+    for (const group of allowedGroups) {
+      if (group.type !== "graphql") {
+        context.allowedTypes.add(group.type);
+      }
+      context.allowedGroups.add(group.name);
+      if (group.functions) {
+        for (const func of group.functions) {
+          context.allowedTools.add(`${group.name}:${func.name}`);
+        }
+      }
+    }
+    return context;
+  }
+  /**
+  * Check if a directory should be visible based on filter context.
+  */
+  isDirectoryAllowed(name, currentPath, ctx) {
+    const API_TYPES = [
+      "openapi",
+      "mcp",
+      "custom",
+      "graphql"
+    ];
+    if (currentPath === "/" && API_TYPES.includes(name)) {
+      return ctx.allowedTypes.has(name) || ctx.allowedGroups.has(name);
+    }
+    if (ctx.allGroups.has(name)) {
+      return ctx.allowedGroups.has(name);
+    }
+    return true;
+  }
+  /**
   * Builds the virtual filesystem tree from API groups
   */
   buildTree(apiGroups) {
     for (const group of apiGroups) {
       if (!group.functions || group.functions.length === 0) continue;
-      const groupFolder = group.type === "graphql" ? this.ensureDirectory(this.root, group.name) : this.ensureDirectory(this.ensureDirectory(this.root, group.type), group.name);
+      const groupFolder = group.type === "graphql" ? this.ensureDirectory(this.root, group.name, group.description) : this.ensureDirectory(this.ensureDirectory(this.root, group.type), group.name, group.description);
       for (const func of group.functions) {
         const segments = this.extractSegments(func, group);
         if (segments.length > 1) {
@@ -10338,7 +10477,7 @@ var ExplorerService = class {
   /**
   * Ensures a directory exists at the given path
   */
-  ensureDirectory(parent, name) {
+  ensureDirectory(parent, name, description) {
     if (!parent.children) {
       parent.children = /* @__PURE__ */ new Map();
     }
@@ -10347,9 +10486,12 @@ var ExplorerService = class {
       child = {
         type: "directory",
         name,
+        description,
         children: /* @__PURE__ */ new Map()
       };
       parent.children.set(name, child);
+    } else if (description && !child.description) {
+      child.description = description;
     }
     return child;
   }
@@ -10370,9 +10512,12 @@ var ExplorerService = class {
     });
   }
   /**
-  * Explores the filesystem at the given path
+  * Explores the filesystem at the given path.
+  * Tool rules are automatically applied from the request scope.
+  * @param path - The path to explore
   */
   explore(path) {
+    const ctx = this.getFilterContext();
     const normalizedPath = this.normalizePath(path);
     const segments = normalizedPath === "/" ? [] : normalizedPath.split("/").filter((s) => s);
     let current = this.root;
@@ -10388,10 +10533,21 @@ var ExplorerService = class {
       const items = [];
       if (current.children) {
         for (const [name, node] of current.children) {
-          items.push({
+          if (node.type === "directory") {
+            if (!this.isDirectoryAllowed(name, currentPath, ctx)) continue;
+          } else if (node.type === "function" && node.functionDef) {
+            if (!ctx.allowedTools.has(`${node.functionDef.group}:${name}`)) continue;
+          }
+          const item = {
             name,
             type: node.type
-          });
+          };
+          if (node.description) {
+            item.description = node.description;
+          } else if (node.type === "function" && node.functionDef?.func.description) {
+            item.description = node.functionDef.func.description;
+          }
+          items.push(item);
         }
       }
       items.sort((a, b) => {
@@ -10410,6 +10566,9 @@ var ExplorerService = class {
         return null;
       }
       const { func, group } = current.functionDef;
+      if (!ctx.allowedTools.has(`${group}:${func.name}`)) {
+        return null;
+      }
       const definition = this.generateFunctionDefinition(func, group);
       return {
         type: "function",
@@ -10672,77 +10831,90 @@ async function handleHTTPRequest(req, res, deps, responseHeaders) {
   });
   const headers = /* @__PURE__ */ new Map();
   responseHeaders.set(req, headers);
-  try {
-    if (req.method === "POST" || req.method === "PUT") {
-      const reqWithBody = req;
-      if (reqWithBody.body !== void 0) {
-        ctx.body = reqWithBody.body;
-      } else {
-        ctx.body = await parseBody(req);
-      }
-    }
-    await runMiddleware(ctx, deps.middleware, deps.routeHandler);
+  if (deps.toolRulesProvider) {
     try {
-      if (ctx.clientId && deps.sessionManager && ctx.path !== "/api/init") {
-        try {
-          const newToken = deps.sessionManager.generateToken(ctx.clientId);
-          const expiresAt = Date.now() + 60 * 60 * 1e3;
-          headers.set("X-ATP-Token", newToken);
-          headers.set("X-ATP-Token-Expires", expiresAt.toString());
-        } catch (error) {
-        }
-      }
-      const isStringResponse = typeof ctx.responseBody === "string";
-      res.writeHead(ctx.status, {
-        "Content-Type": isStringResponse ? "text/plain; charset=utf-8" : "application/json",
-        ...Object.fromEntries(headers)
+      ctx.toolRules = deps.toolRulesProvider(ctx);
+    } catch (error) {
+      atpRuntime.log.warn("Tool rules provider failed", {
+        error
       });
-      res.end(isStringResponse ? ctx.responseBody : JSON.stringify(ctx.responseBody));
-    } catch (writeError) {
     }
-  } catch (error) {
+  }
+  await runInRequestScope({
+    toolRules: ctx.toolRules
+  }, async () => {
     try {
-      if (ctx.clientId && deps.sessionManager && ctx.path !== "/api/init") {
-        try {
-          const newToken = deps.sessionManager.generateToken(ctx.clientId);
-          const expiresAt = Date.now() + 60 * 60 * 1e3;
-          headers.set("X-ATP-Token", newToken);
-          headers.set("X-ATP-Token-Expires", expiresAt.toString());
-          atpRuntime.log.debug("Token refresh headers set on error", {
-            clientId: ctx.clientId,
-            path: ctx.path,
-            hasSessionManager: !!deps.sessionManager,
-            headerCount: headers.size
-          });
-        } catch (tokenError) {
-          atpRuntime.log.warn("Token refresh failed on error", {
-            error: tokenError
-          });
+      if (req.method === "POST" || req.method === "PUT") {
+        const reqWithBody = req;
+        if (reqWithBody.body !== void 0) {
+          ctx.body = reqWithBody.body;
+        } else {
+          ctx.body = await parseBody(req);
         }
-      } else {
-        atpRuntime.log.debug("Token refresh skipped on error", {
-          hasClientId: !!ctx.clientId,
-          hasSessionManager: !!deps.sessionManager,
-          path: ctx.path
+      }
+      await runMiddleware(ctx, deps.middleware, deps.routeHandler);
+      try {
+        if (ctx.clientId && deps.sessionManager && ctx.path !== "/api/init") {
+          try {
+            const newToken = deps.sessionManager.generateToken(ctx.clientId);
+            const expiresAt = Date.now() + 60 * 60 * 1e3;
+            headers.set("X-ATP-Token", newToken);
+            headers.set("X-ATP-Token-Expires", expiresAt.toString());
+          } catch (error) {
+          }
+        }
+        const isStringResponse = typeof ctx.responseBody === "string";
+        res.writeHead(ctx.status, {
+          "Content-Type": isStringResponse ? "text/plain; charset=utf-8" : "application/json",
+          ...Object.fromEntries(headers)
         });
+        res.end(isStringResponse ? ctx.responseBody : JSON.stringify(ctx.responseBody));
+      } catch (writeError) {
       }
-      handleError(res, error, nanoid.nanoid(), headers);
-    } catch (handlerError) {
+    } catch (error) {
       try {
-        if (!res.headersSent) {
-          res.writeHead(500, {
-            "Content-Type": "application/json"
+        if (ctx.clientId && deps.sessionManager && ctx.path !== "/api/init") {
+          try {
+            const newToken = deps.sessionManager.generateToken(ctx.clientId);
+            const expiresAt = Date.now() + 60 * 60 * 1e3;
+            headers.set("X-ATP-Token", newToken);
+            headers.set("X-ATP-Token-Expires", expiresAt.toString());
+            atpRuntime.log.debug("Token refresh headers set on error", {
+              clientId: ctx.clientId,
+              path: ctx.path,
+              hasSessionManager: !!deps.sessionManager,
+              headerCount: headers.size
+            });
+          } catch (tokenError) {
+            atpRuntime.log.warn("Token refresh failed on error", {
+              error: tokenError
+            });
+          }
+        } else {
+          atpRuntime.log.debug("Token refresh skipped on error", {
+            hasClientId: !!ctx.clientId,
+            hasSessionManager: !!deps.sessionManager,
+            path: ctx.path
           });
-          res.end(JSON.stringify({
-            error: "Internal server error"
-          }));
         }
-      } catch {
+        handleError(res, error, nanoid.nanoid(), headers);
+      } catch (handlerError) {
+        try {
+          if (!res.headersSent) {
+            res.writeHead(500, {
+              "Content-Type": "application/json"
+            });
+            res.end(JSON.stringify({
+              error: "Internal server error"
+            }));
+          }
+        } catch {
+        }
       }
+    } finally {
+      responseHeaders.delete(req);
     }
-  } finally {
-    responseHeaders.delete(req);
-  }
+  });
 }
 __name(handleHTTPRequest, "handleHTTPRequest");
 async function runMiddleware(ctx, middleware, routeHandler) {
@@ -11057,6 +11229,29 @@ async function handleExecute(ctx, executor, stateManager, config, auditSink, ses
     } catch (error) {
     }
   }
+  const onToolCall = auditSink ? (event) => {
+    const auditEvent = {
+      eventId: nanoid.nanoid(),
+      timestamp: Date.now(),
+      clientId: ctx.clientId || "anonymous",
+      eventType: "tool_call",
+      action: "complete",
+      toolName: event.toolName,
+      apiGroup: event.apiGroup,
+      input: event.input,
+      output: event.output,
+      status: event.success ? "success" : "failed",
+      error: event.error ? {
+        message: event.error.message,
+        stack: event.error.stack
+      } : void 0,
+      metadata: {
+        duration: event.duration
+      }
+    };
+    auditSink.write(auditEvent).catch(() => {
+    });
+  } : void 0;
   const executionConfig = {
     timeout: requestConfig.timeout || config.execution.timeout,
     maxMemory: memoryInBytes,
@@ -11067,7 +11262,8 @@ async function handleExecute(ctx, executor, stateManager, config, auditSink, ses
     provenanceMode: requestConfig.provenanceMode || config.execution.provenanceMode || atpProtocol.ProvenanceMode.NONE,
     securityPolicies: config.execution.securityPolicies || [],
     provenanceHints: requestConfig.provenanceHints,
-    requestContext: requestConfig.requestContext
+    requestContext: requestConfig.requestContext,
+    onToolCall
   };
   let hintMap;
   const prelimExecutionId = nanoid.nanoid();
@@ -11734,11 +11930,12 @@ export { api };
 
 // src/handlers/definitions.handler.ts
 async function getDefinitions(apiGroups) {
-  const aggregator = new APIAggregator(apiGroups);
+  const filteredGroups = filterApiGroups(apiGroups);
+  const aggregator = new APIAggregator(filteredGroups);
   const typescript = await aggregator.generateTypeScript();
   return {
     typescript,
-    apiGroups: apiGroups.map((g) => g.name),
+    apiGroups: filteredGroups.map((g) => g.name),
     version: "1.0.0"
   };
 }
@@ -21346,6 +21543,7 @@ var AgentToolProtocolServer = class {
   auditSink;
   compiler;
   customLogger;
+  toolRulesProvider;
   constructor(config = {}) {
     const initialPolicies = config.execution?.securityPolicies ?? [];
     this.policyRegistry = new atpProvenance.DynamicPolicyRegistry(initialPolicies);
@@ -21396,6 +21594,10 @@ var AgentToolProtocolServer = class {
       },
       logger: config.logger ?? "info"
     };
+    if (config.toolRulesProvider) {
+      this.toolRulesProvider = config.toolRulesProvider;
+      atpRuntime.log.info("Tool rules provider configured");
+    }
     if (config.providers) {
       if (config.providers.cache) {
         this.cacheProvider = config.providers.cache;
@@ -21665,7 +21867,8 @@ var AgentToolProtocolServer = class {
         customLogger: this.customLogger,
         middleware: this.middleware,
         routeHandler: /* @__PURE__ */ __name((ctx) => handleRoute(ctx, this), "routeHandler"),
-        sessionManager: this.sessionManager
+        sessionManager: this.sessionManager,
+        toolRulesProvider: this.toolRulesProvider
       }, this.responseHeaders).catch((error) => {
         atpRuntime.log.error("Unhandled error in HTTP request handler:", error);
         try {
@@ -21865,7 +22068,8 @@ var AgentToolProtocolServer = class {
         customLogger: this.customLogger,
         middleware: this.middleware,
         routeHandler: /* @__PURE__ */ __name((ctx) => handleRoute(ctx, this), "routeHandler"),
-        sessionManager: this.sessionManager
+        sessionManager: this.sessionManager,
+        toolRulesProvider: this.toolRulesProvider
       }, this.responseHeaders);
     };
   }