@mtaap/mcp 0.2.6 → 0.2.8

package/dist/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Collab MCP Server
+ *
+ * Model Context Protocol server for AI agent integration.
+ * Uses REST API to communicate with the Collab webapp.
+ */
+declare function createMCPServer(): Promise<void>;
+
+export { createMCPServer };

package/dist/index.js

@@ -37,7 +37,7 @@ var import_mcp = require("@modelcontextprotocol/sdk/server/mcp.js");
 var import_stdio = require("@modelcontextprotocol/sdk/server/stdio.js");
 
 // src/version.ts
-var VERSION = "0.2.6";
+var VERSION = "0.2.7";
 
 // src/index.ts
 var import_zod3 = require("zod");
@@ -429,6 +429,7 @@ var ListTasksInputSchema = import_zod2.z.object({
   includeArchived: import_zod2.z.boolean().optional()
 });
 var cuidOrPrefixedId = import_zod2.z.string().regex(/^([a-z0-9]+|[a-z]+_[a-zA-Z0-9]+)$/);
+var gitBranchName = import_zod2.z.string().min(1).max(100).regex(/^[a-zA-Z0-9][-a-zA-Z0-9._/]*[a-zA-Z0-9]$|^[a-zA-Z0-9]$/, "Branch name must start and end with alphanumeric character").refine((val) => !val.includes("..") && !val.includes("@{") && !val.includes("//") && !val.endsWith(".lock") && !val.includes("~") && !val.includes("^") && !val.includes(":") && !val.includes("?") && !val.includes("*") && !val.includes("[") && !val.includes("\\") && !val.includes(" ") && !val.includes(";") && !val.includes("&") && !val.includes("|") && !val.includes("$") && !val.includes("`") && !val.includes("'") && !val.includes('"') && !val.includes("<") && !val.includes(">") && !val.includes("(") && !val.includes(")"), "Invalid branch name: contains forbidden characters or sequences");
 var GetTaskInputSchema = import_zod2.z.object({
   taskId: cuidOrPrefixedId
 });
@@ -640,6 +641,17 @@ var UpdateTaskMCPInputSchema = import_zod2.z.object({
     description: import_zod2.z.string().min(1).max(500)
   })).optional()
 });
+var ReportBranchInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  taskId: cuidOrPrefixedId,
+  branchName: gitBranchName
+});
+var ReportPRInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  taskId: cuidOrPrefixedId,
+  pullRequestUrl: import_zod2.z.string().url(),
+  pullRequestNumber: import_zod2.z.number().int().positive()
+});
 
 // ../../packages/core/dist/logging/metrics.js
 var metrics = /* @__PURE__ */ new Map();
@@ -939,6 +951,12 @@ var errorTrackerInstance = new NoOpErrorTracker();
 
 // src/api-client.ts
 var DEFAULT_TIMEOUT = 3e4;
+function sanitizeForLogging(str) {
+  let sanitized = str.replace(/\bcollab_[a-zA-Z0-9_-]+\b/gi, "[REDACTED_API_KEY]");
+  sanitized = sanitized.replace(/\bBearer\s+[a-zA-Z0-9._-]+\b/gi, "Bearer [REDACTED]");
+  sanitized = sanitized.replace(/([?&](api_?key|token|auth|key|secret)=)[^&\s]+/gi, "$1[REDACTED]");
+  return sanitized;
+}
 var ApiError = class extends Error {
   constructor(message, code, status, details) {
     super(message);
@@ -968,7 +986,7 @@ var MCPApiClient = class {
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), this.timeout);
     if (this.debug) {
-      console.error(`[mcp-api] ${method} ${url}`);
+      console.error(`[mcp-api] ${method} ${sanitizeForLogging(path)}`);
     }
     try {
       const response = await fetch(url, {
@@ -1003,8 +1021,9 @@ var MCPApiClient = class {
           408
         );
       }
+      const rawMessage = error instanceof Error ? error.message : "Unknown error";
       throw new ApiError(
-        error instanceof Error ? error.message : "Unknown error",
+        sanitizeForLogging(rawMessage),
         "NETWORK_ERROR",
         0
       );
@@ -1102,7 +1121,8 @@ var MCPApiClient = class {
     return this.request("POST", `/api/mcp/tasks/${taskId}/progress`, data);
   }
   /**
-   * Complete task and create PR
+   * Complete task and prepare for PR creation.
+   * Returns PR suggestions for the agent to use when creating the PR locally.
    */
   async completeTask(taskId, projectId, pullRequestTitle, pullRequestBody) {
     return this.request("POST", `/api/mcp/tasks/${taskId}/complete`, {
@@ -1172,11 +1192,23 @@ var MCPApiClient = class {
     });
   }
   /**
-   * Get GitHub token
+   * Report branch created by agent
    */
-  async getGitHubToken(organizationId) {
-    const path = organizationId ? `/api/mcp/github-token?organizationId=${encodeURIComponent(organizationId)}` : "/api/mcp/github-token";
-    return this.request("GET", path);
+  async reportBranch(taskId, projectId, branchName) {
+    return this.request("POST", `/api/mcp/tasks/${taskId}/branch`, {
+      projectId,
+      branchName
+    });
+  }
+  /**
+   * Report PR created by agent
+   */
+  async reportPR(taskId, projectId, pullRequestUrl, pullRequestNumber) {
+    return this.request("POST", `/api/mcp/tasks/${taskId}/pr`, {
+      projectId,
+      pullRequestUrl,
+      pullRequestNumber
+    });
   }
   /**
    * Verify a DRAFT task to move it to TODO state
@@ -1265,10 +1297,13 @@ TOOL CATEGORIES:
 4. Task Execution (WRITE):
    - assign_task, update_progress, add_note, complete_task, abandon_task, report_error
 
-5. Code Review (WRITE):
+5. Git Operations (WRITE):
+   - report_branch, report_pr
+
+6. Code Review (WRITE):
    - request_changes, approve_task
 
-6. Session Management (READ):
+7. Session Management (READ):
    - check_active_task
 
 WORKFLOWS:
@@ -1277,7 +1312,15 @@ Task Creation & Verification:
   create_task -> get_task_prompt (DRAFT) -> verify_task(approved=true) -> task moves to TODO
 
 Standard Task Workflow:
-  list_projects -> get_project_context -> list_tasks(state=TODO) -> get_task -> get_task_prompt (TODO) -> assign_task -> [update_progress...] -> complete_task
+  list_projects -> get_project_context -> list_tasks(state=TODO) -> get_task -> get_task_prompt (TODO)
+  -> assign_task (returns suggested branch name)
+  -> git checkout -b <branchName> (local git command)
+  -> git push -u origin <branchName> (local git command)
+  -> report_branch (tell server about the branch)
+  -> [update_progress...]
+  -> complete_task (returns PR suggestions)
+  -> gh pr create (local gh command)
+  -> report_pr (tell server about the PR)
 
 Resume Workflow:
   check_active_task -> (if active) get_task -> get_task_prompt (IN_PROGRESS) -> update_progress -> complete_task
@@ -1289,9 +1332,15 @@ Task Editing:
   update_task (DRAFT/TODO only) -> if was TODO, reverts to DRAFT -> verify_task again
 
 Error Recovery:
-  report_error -> abandon_task(deleteBranch=false) -> list_tasks -> assign_task (retry or pick different task)
+  report_error -> abandon_task -> list_tasks -> assign_task (retry or pick different task)
   (abandon_task returns IN_PROGRESS tasks to TODO state)
 
+GIT OPERATIONS NOTE:
+  The agent handles all git operations locally. After assign_task returns a suggested branch name,
+  the agent creates the branch with git, pushes it, and reports it via report_branch.
+  After complete_task returns PR suggestions, the agent creates the PR with gh, and reports it via report_pr.
+  This eliminates the need for GitHub tokens on the server.
+
 TASK STATE FLOW:
   DRAFT -> TODO -> IN_PROGRESS -> REVIEW -> DONE
   (verify_task: DRAFT -> TODO)
@@ -1308,7 +1357,8 @@ CONSTRAINTS:
 - complete_task requires IN_PROGRESS state
 - request_changes/approve_task require REVIEW state
 - Always check_active_task before starting new work
-- Call update_progress frequently to checkpoint`;
+- Call update_progress frequently to checkpoint
+- Agent must have git/gh CLI configured for local git operations`;
 async function createMCPServer() {
   const server = new import_mcp.McpServer(
     {
@@ -1498,7 +1548,7 @@ async function createMCPServer() {
   server.registerTool(
     "complete_task",
     {
-      description: "Finish task and create pull request. Moves task to REVIEW. Requires IN_PROGRESS state.",
+      description: "Prepare task for PR creation. Returns PR suggestions. After creating PR locally, call report_pr to transition to REVIEW. Requires IN_PROGRESS state.",
       inputSchema: {
         projectId: import_zod3.z.string().describe("The project ID"),
         taskId: import_zod3.z.string().describe("The task ID to complete"),
@@ -1689,6 +1739,80 @@ async function createMCPServer() {
       }
     }
   );
+  server.registerTool(
+    "report_branch",
+    {
+      description: "Report a branch created by the agent. Call after using git to create and push a branch. Task must be IN_PROGRESS.",
+      inputSchema: {
+        projectId: import_zod3.z.string().describe("The project ID"),
+        taskId: import_zod3.z.string().describe("The task ID"),
+        branchName: import_zod3.z.string().describe("Name of the branch created (e.g., feature/TASK-123-fix-login)")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.WRITE,
+        "report_branch"
+      );
+      const validated = ReportBranchInputSchema.parse(args);
+      try {
+        const result = await apiClient.reportBranch(
+          validated.taskId,
+          validated.projectId,
+          validated.branchName
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "report_pr",
+    {
+      description: "Report a PR created by the agent. Call after using gh pr create. Transitions task to REVIEW state.",
+      inputSchema: {
+        projectId: import_zod3.z.string().describe("The project ID"),
+        taskId: import_zod3.z.string().describe("The task ID"),
+        pullRequestUrl: import_zod3.z.string().describe("Full URL of the created PR (e.g., https://github.com/owner/repo/pull/123)"),
+        pullRequestNumber: import_zod3.z.number().describe("PR number (e.g., 123)")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.WRITE,
+        "report_pr"
+      );
+      const validated = ReportPRInputSchema.parse(args);
+      try {
+        const result = await apiClient.reportPR(
+          validated.taskId,
+          validated.projectId,
+          validated.pullRequestUrl,
+          validated.pullRequestNumber
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
   server.registerTool(
     "archive_task",
     {
@@ -2085,22 +2209,76 @@ function handleApiError(error) {
     isError: true
   };
 }
+var ActiveTaskSchema = import_zod3.z.object({
+  taskId: import_zod3.z.string().min(1),
+  projectId: import_zod3.z.string().min(1),
+  branchName: import_zod3.z.string().optional(),
+  startedAt: import_zod3.z.string().optional()
+});
 async function checkActiveTask() {
   const fs = await import("fs");
   const path = await import("path");
-  const activeTaskPath = path.join(process.cwd(), ".collab", "active-task.json");
+  const cwd = process.cwd();
+  const collabDir = path.join(cwd, ".collab");
+  const activeTaskPath = path.join(collabDir, "active-task.json");
   try {
-    await fs.promises.access(activeTaskPath);
+    const resolvedPath = path.resolve(activeTaskPath);
+    const resolvedCollabDir = path.resolve(collabDir);
+    if (!resolvedPath.startsWith(resolvedCollabDir + path.sep) && resolvedPath !== resolvedCollabDir) {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Invalid active task path"
+      };
+    }
+    const stats = await fs.promises.lstat(activeTaskPath);
+    if (stats.isSymbolicLink()) {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Symlinks not allowed for active task file"
+      };
+    }
+    if (!stats.isFile()) {
+      return {
+        hasActiveTask: false,
+        task: null
+      };
+    }
     const content = await fs.promises.readFile(activeTaskPath, "utf-8");
-    const activeTask = JSON.parse(content);
+    let parsed;
+    try {
+      parsed = JSON.parse(content);
+    } catch {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Invalid JSON in active task file"
+      };
+    }
+    const validationResult = ActiveTaskSchema.safeParse(parsed);
+    if (!validationResult.success) {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Active task file has invalid structure"
+      };
+    }
     return {
       hasActiveTask: true,
-      task: activeTask
+      task: validationResult.data
     };
-  } catch {
+  } catch (err) {
+    if (err instanceof Error && "code" in err && err.code === "ENOENT") {
+      return {
+        hasActiveTask: false,
+        task: null
+      };
+    }
     return {
       hasActiveTask: false,
-      task: null
+      task: null,
+      error: "Failed to read active task file"
     };
   }
 }