@mondaydotcomorg/atp-server 0.19.10 → 0.19.12

package/src/handlers/execute.handler.ts

@@ -2,9 +2,9 @@ import type { RequestContext, ResolvedServerConfig } from '../core/config.js';
 import type { SandboxExecutor } from '../executor/index.js';
 import type { ExecutionStateManager } from '../execution-state/index.js';
 import type { ClientSessionManager } from '../client-sessions.js';
-import type { AuditSink, AuditEvent } from '@mondaydotcomorg/atp-protocol';
+import type { AuditSink, AuditEvent, ToolCallEvent } from '@mondaydotcomorg/atp-protocol';
 import { ExecutionStatus, ProvenanceMode } from '@mondaydotcomorg/atp-protocol';
-import { nanoid } from 'nanoid';
+import crypto from 'crypto';
 import {
 	captureProvenanceSnapshot,
 	verifyProvenanceHints,
@@ -82,6 +82,33 @@ export async function handleExecute(
 		} catch (error) {}
 	}
 
+	const onToolCall = auditSink
+		? (event: ToolCallEvent) => {
+				const auditEvent: AuditEvent = {
+					eventId: crypto.randomUUID(),
+					timestamp: Date.now(),
+					clientId: ctx.clientId || 'anonymous',
+					eventType: 'tool_call',
+					action: 'complete',
+					toolName: event.toolName,
+					apiGroup: event.apiGroup,
+					input: event.input,
+					output: event.output,
+					status: event.success ? 'success' : 'failed',
+					error: event.error
+						? {
+								message: event.error.message,
+								stack: event.error.stack,
+							}
+						: undefined,
+					metadata: {
+						duration: event.duration,
+					},
+				};
+				auditSink.write(auditEvent).catch(() => {});
+			}
+		: undefined;
+
 	const executionConfig = {
 		timeout: requestConfig.timeout || config.execution.timeout,
 		maxMemory: memoryInBytes,
@@ -93,12 +120,18 @@ export async function handleExecute(
 			requestConfig.provenanceMode || config.execution.provenanceMode || ProvenanceMode.NONE,
 		securityPolicies: config.execution.securityPolicies || [],
 		provenanceHints: requestConfig.provenanceHints,
-		requestContext: requestConfig.requestContext,
+		requestContext: {
+			...requestConfig.requestContext,
+			headers: ctx.headers,
+			path: ctx.path,
+			method: ctx.method,
+		},
+		onToolCall,
 	};
 
 	// Verify provenance hints if provided
 	let hintMap: Map<string, ProvenanceMetadata> | undefined;
-	const prelimExecutionId = nanoid();
+	const prelimExecutionId = crypto.randomUUID();
 	if (
 		executionConfig.provenanceHints &&
 		executionConfig.provenanceHints.length > 0 &&
@@ -142,7 +175,7 @@ export async function handleExecute(
 
 	if (auditSink) {
 		const startEvent: AuditEvent = {
-			eventId: nanoid(),
+			eventId: crypto.randomUUID(),
 			timestamp: startTime,
 			clientId: ctx.clientId || 'anonymous',
 			eventType: 'execution',
@@ -215,7 +248,7 @@ export async function handleExecute(
 
 	if (auditSink) {
 		const endEvent: AuditEvent = {
-			eventId: nanoid(),
+			eventId: crypto.randomUUID(),
 			timestamp: Date.now(),
 			clientId: ctx.clientId || 'anonymous',
 			eventType: 'execution',

package/src/http/request-handler.ts

@@ -4,8 +4,9 @@ import { log } from '@mondaydotcomorg/atp-runtime';
 import type { CacheProvider, AuthProvider, AuditSink } from '@mondaydotcomorg/atp-protocol';
 import { parseBody } from '../core/http.js';
 import { handleError, createContext } from '../utils/index.js';
-import type { RequestContext, Middleware } from '../core/config.js';
+import type { RequestContext, Middleware, ToolRulesProvider } from '../core/config.js';
 import type { ClientSessionManager } from '../client-sessions.js';
+import { runInRequestScope } from '../core/request-scope.js';
 
 export interface RequestHandlerDeps {
 	cacheProvider?: CacheProvider;
@@ -15,6 +16,7 @@ export interface RequestHandlerDeps {
 	middleware: Middleware[];
 	routeHandler: (ctx: RequestContext) => Promise<void>;
 	sessionManager?: ClientSessionManager;
+	toolRulesProvider?: ToolRulesProvider;
 }
 
 export async function handleHTTPRequest(
@@ -34,75 +36,85 @@ export async function handleHTTPRequest(
 	const headers = new Map<string, string>();
 	responseHeaders.set(req, headers);
 
-	try {
-		if (req.method === 'POST' || req.method === 'PUT') {
-			const reqWithBody = req as IncomingMessage & { body?: unknown };
-			if (reqWithBody.body !== undefined) {
-				ctx.body = reqWithBody.body;
-			} else {
-				ctx.body = await parseBody(req);
-			}
+	if (deps.toolRulesProvider) {
+		try {
+			ctx.toolRules = deps.toolRulesProvider(ctx);
+		} catch (error) {
+			log.warn('Tool rules provider failed', { error });
 		}
+	}
 
-		await runMiddleware(ctx, deps.middleware, deps.routeHandler);
-
+	await runInRequestScope({ toolRules: ctx.toolRules }, async () => {
 		try {
-			if (ctx.clientId && deps.sessionManager && ctx.path !== '/api/init') {
-				try {
-					const newToken = deps.sessionManager.generateToken(ctx.clientId);
-					const expiresAt = Date.now() + 60 * 60 * 1000;
-
-					headers.set('X-ATP-Token', newToken);
-					headers.set('X-ATP-Token-Expires', expiresAt.toString());
-				} catch (error) {}
+			if (req.method === 'POST' || req.method === 'PUT') {
+				const reqWithBody = req as IncomingMessage & { body?: unknown };
+				if (reqWithBody.body !== undefined) {
+					ctx.body = reqWithBody.body;
+				} else {
+					ctx.body = await parseBody(req);
+				}
 			}
 
-			const isStringResponse = typeof ctx.responseBody === 'string';
-			res.writeHead(ctx.status, {
-				'Content-Type': isStringResponse ? 'text/plain; charset=utf-8' : 'application/json',
-				...Object.fromEntries(headers),
-			});
-			res.end(isStringResponse ? ctx.responseBody : JSON.stringify(ctx.responseBody));
-		} catch (writeError) {}
-	} catch (error) {
-		try {
-			if (ctx.clientId && deps.sessionManager && ctx.path !== '/api/init') {
-				try {
-					const newToken = deps.sessionManager.generateToken(ctx.clientId);
-					const expiresAt = Date.now() + 60 * 60 * 1000;
+			await runMiddleware(ctx, deps.middleware, deps.routeHandler);
 
-					headers.set('X-ATP-Token', newToken);
-					headers.set('X-ATP-Token-Expires', expiresAt.toString());
+			try {
+				if (ctx.clientId && deps.sessionManager && ctx.path !== '/api/init') {
+					try {
+						const newToken = deps.sessionManager.generateToken(ctx.clientId);
+						const expiresAt = Date.now() + 60 * 60 * 1000;
 
-					log.debug('Token refresh headers set on error', {
-						clientId: ctx.clientId,
-						path: ctx.path,
-						hasSessionManager: !!deps.sessionManager,
-						headerCount: headers.size,
-					});
-				} catch (tokenError) {
-					log.warn('Token refresh failed on error', { error: tokenError });
+						headers.set('X-ATP-Token', newToken);
+						headers.set('X-ATP-Token-Expires', expiresAt.toString());
+					} catch (error) {}
 				}
-			} else {
-				log.debug('Token refresh skipped on error', {
-					hasClientId: !!ctx.clientId,
-					hasSessionManager: !!deps.sessionManager,
-					path: ctx.path,
-				});
-			}
 
-			handleError(res, error as Error, nanoid(), headers);
-		} catch (handlerError) {
+				const isStringResponse = typeof ctx.responseBody === 'string';
+				res.writeHead(ctx.status, {
+					'Content-Type': isStringResponse ? 'text/plain; charset=utf-8' : 'application/json',
+					...Object.fromEntries(headers),
+				});
+				res.end(isStringResponse ? ctx.responseBody : JSON.stringify(ctx.responseBody));
+			} catch (writeError) {}
+		} catch (error) {
 			try {
-				if (!res.headersSent) {
-					res.writeHead(500, { 'Content-Type': 'application/json' });
-					res.end(JSON.stringify({ error: 'Internal server error' }));
+				if (ctx.clientId && deps.sessionManager && ctx.path !== '/api/init') {
+					try {
+						const newToken = deps.sessionManager.generateToken(ctx.clientId);
+						const expiresAt = Date.now() + 60 * 60 * 1000;
+
+						headers.set('X-ATP-Token', newToken);
+						headers.set('X-ATP-Token-Expires', expiresAt.toString());
+
+						log.debug('Token refresh headers set on error', {
+							clientId: ctx.clientId,
+							path: ctx.path,
+							hasSessionManager: !!deps.sessionManager,
+							headerCount: headers.size,
+						});
+					} catch (tokenError) {
+						log.warn('Token refresh failed on error', { error: tokenError });
+					}
+				} else {
+					log.debug('Token refresh skipped on error', {
+						hasClientId: !!ctx.clientId,
+						hasSessionManager: !!deps.sessionManager,
+						path: ctx.path,
+					});
 				}
-			} catch {}
+
+				handleError(res, error as Error, nanoid(), headers);
+			} catch (handlerError) {
+				try {
+					if (!res.headersSent) {
+						res.writeHead(500, { 'Content-Type': 'application/json' });
+						res.end(JSON.stringify({ error: 'Internal server error' }));
+					}
+				} catch {}
+			}
+		} finally {
+			responseHeaders.delete(req);
 		}
-	} finally {
-		responseHeaders.delete(req);
-	}
+	});
 }
 
 async function runMiddleware(

package/src/index.ts

@@ -13,6 +13,7 @@ export type {
 	RequestContext,
 } from './core/config.js';
 export { MB, GB, SECOND, MINUTE, HOUR, DAY } from './core/config.js';
+export type { ToolRulesProvider } from './core/config.js';
 
 export type {
 	ProvenanceMetadata,

package/src/search/index.ts

@@ -5,6 +5,7 @@ import type {
 	AuthProvider,
 	ScopeFilteringConfig,
 } from '@mondaydotcomorg/atp-protocol';
+import { filterApiGroups } from '../core/request-scope.js';
 
 interface IndexedFunction {
 	apiGroup: string;
@@ -24,6 +25,7 @@ interface IndexedFunction {
  */
 export class SearchEngine {
 	private index: IndexedFunction[] = [];
+	private apiGroups: APIGroupConfig[] = [];
 
 	/**
 	 * Creates a new SearchEngine instance.
@@ -31,6 +33,7 @@ export class SearchEngine {
 	 */
 	constructor(apiGroups?: APIGroupConfig[]) {
 		if (apiGroups) {
+			this.apiGroups = apiGroups;
 			this.buildIndex(apiGroups);
 		}
 	}
@@ -67,6 +70,7 @@ export class SearchEngine {
 
 	/**
 	 * Searches for API functions matching the query.
+	 * Tool rules are automatically applied from the request scope.
 	 * @param options - Search options including query and filters
 	 * @param userId - Optional user ID for scope filtering
 	 * @param authProvider - Optional auth provider for checking user scopes
@@ -79,10 +83,24 @@ export class SearchEngine {
 		authProvider?: AuthProvider,
 		scopeFilteringConfig?: ScopeFilteringConfig
 	): Promise<SearchResult[]> {
+		const allowedGroups = filterApiGroups(this.apiGroups);
+		const allowedTools = new Set<string>();
+		for (const group of allowedGroups) {
+			if (group.functions) {
+				for (const func of group.functions) {
+					allowedTools.add(`${group.name}:${func.name}`);
+				}
+			}
+		}
+
 		const queryWords = this.extractKeywords(options.query);
 		const results: Array<{ result: SearchResult; score: number }> = [];
 
 		for (const item of this.index) {
+			if (!allowedTools.has(`${item.apiGroup}:${item.functionName}`)) {
+				continue;
+			}
+
 			if (options.apiGroups && !options.apiGroups.includes(item.apiGroup)) {
 				continue;
 			}