@open-mercato/ai-assistant 0.6.4-develop.4382.1.6b4f656b77 → 0.6.4

package/src/modules/ai_assistant/lib/__tests__/codemode-tools.test.ts

@@ -1,8 +1,13 @@
 import type { McpToolContext } from '../types'
 import { getApiEndpoints } from '../api-endpoint-index'
+import { fetchWithTimeout } from '@open-mercato/shared/lib/http/fetchWithTimeout'
 import {
   authorizeCodeModeApiRequest,
+  CODE_MODE_MAX_API_CALLS,
+  CODE_MODE_MAX_MUTATION_CALLS,
   CODE_MODE_REQUIRED_FEATURES,
+  createApiRequestFn,
+  isUnsafeHttpMethod,
   matchApiEndpointPath,
 } from '../codemode-tools'
 
@@ -11,7 +16,46 @@ jest.mock('../api-endpoint-index', () => ({
   getRawOpenApiSpec: jest.fn(),
 }))
 
+jest.mock('@open-mercato/shared/lib/http/fetchWithTimeout', () => ({
+  fetchWithTimeout: jest.fn(),
+  resolveTimeoutMs: jest.fn(() => 30000),
+}))
+
 const mockedGetApiEndpoints = jest.mocked(getApiEndpoints)
+const mockedFetchWithTimeout = jest.mocked(fetchWithTimeout)
+
+function okResponse() {
+  return {
+    ok: true,
+    status: 200,
+    text: jest.fn().mockResolvedValue('{}'),
+  } as unknown as Response
+}
+
+/**
+ * Replicate the execute() handler's per-run counters so the regression test
+ * exercises the same accounting that gates real api.request() calls.
+ */
+function createCountingOnCall() {
+  let apiCallCount = 0
+  let mutationCallCount = 0
+  const onCall = (normalizedMethod: string) => {
+    apiCallCount++
+    if (apiCallCount > CODE_MODE_MAX_API_CALLS) {
+      throw new Error(`API call limit exceeded (max ${CODE_MODE_MAX_API_CALLS})`)
+    }
+    if (isUnsafeHttpMethod(normalizedMethod)) {
+      mutationCallCount++
+      if (mutationCallCount > CODE_MODE_MAX_MUTATION_CALLS) {
+        throw new Error(`Mutation API call limit exceeded (max ${CODE_MODE_MAX_MUTATION_CALLS})`)
+      }
+    }
+  }
+  return {
+    onCall,
+    counts: () => ({ apiCallCount, mutationCallCount }),
+  }
+}
 
 type MockRbacService = {
   hasAllFeatures: jest.Mock<boolean, [string[], string[]]>
@@ -242,3 +286,87 @@ describe('authorizeCodeModeApiRequest', () => {
     })
   })
 })
+
+describe('mutation call cap (issue #2724)', () => {
+  beforeEach(() => {
+    mockedGetApiEndpoints.mockReset()
+    mockedFetchWithTimeout.mockReset()
+    mockedFetchWithTimeout.mockResolvedValue(okResponse())
+    // Documented, feature-authorized POST endpoint so RBAC always allows the call.
+    mockedGetApiEndpoints.mockResolvedValue([
+      {
+        id: 'create_company',
+        operationId: 'create_company',
+        method: 'POST',
+        path: '/api/customers/companies',
+        summary: '',
+        description: '',
+        tags: [],
+        requiredFeatures: ['customers.companies.create'],
+        parameters: [],
+        requestBodySchema: null,
+        deprecated: false,
+      },
+    ])
+  })
+
+  function authorizedContext(): McpToolContext {
+    return createContext({
+      userFeatures: ['ai_assistant.view', 'customers.companies.create'],
+    })
+  }
+
+  it('counts a dynamically-built POST method against the mutation cap', async () => {
+    const { onCall, counts } = createCountingOnCall()
+    const apiRequest = createApiRequestFn(authorizedContext(), onCall)
+
+    // The method string is built at runtime — the old static regex never saw it.
+    const dynamicMethod = 'PO' + 'ST'
+    await apiRequest({ method: dynamicMethod, path: '/api/customers/companies', body: {} })
+
+    expect(counts()).toEqual({ apiCallCount: 1, mutationCallCount: 1 })
+  })
+
+  it('refuses once the dynamically-built mutation cap is exceeded', async () => {
+    const { onCall } = createCountingOnCall()
+    const apiRequest = createApiRequestFn(authorizedContext(), onCall)
+
+    const dynamicMethod = ['P', 'O', 'S', 'T'].join('')
+    for (let index = 0; index < CODE_MODE_MAX_MUTATION_CALLS; index++) {
+      await apiRequest({ method: dynamicMethod, path: '/api/customers/companies', body: {} })
+    }
+
+    await expect(
+      apiRequest({ method: dynamicMethod, path: '/api/customers/companies', body: {} })
+    ).rejects.toThrow(`Mutation API call limit exceeded (max ${CODE_MODE_MAX_MUTATION_CALLS})`)
+
+    // Authorized mutations actually hit fetch up to the cap; the cap throws before fetch on the overflow call.
+    expect(mockedFetchWithTimeout).toHaveBeenCalledTimes(CODE_MODE_MAX_MUTATION_CALLS)
+  })
+
+  it('does not charge GET reads against the mutation cap', async () => {
+    mockedGetApiEndpoints.mockResolvedValue([
+      {
+        id: 'list_companies',
+        operationId: 'list_companies',
+        method: 'GET',
+        path: '/api/customers/companies',
+        summary: '',
+        description: '',
+        tags: [],
+        requiredFeatures: [],
+        parameters: [],
+        requestBodySchema: null,
+        deprecated: false,
+      },
+    ])
+    const { onCall, counts } = createCountingOnCall()
+    const apiRequest = createApiRequestFn(createContext(), onCall)
+
+    for (let index = 0; index < CODE_MODE_MAX_MUTATION_CALLS + 5; index++) {
+      await apiRequest({ method: 'get', path: '/api/customers/companies' })
+    }
+
+    expect(counts()).toEqual({ apiCallCount: CODE_MODE_MAX_MUTATION_CALLS + 5, mutationCallCount: 0 })
+  })
+})

package/src/modules/ai_assistant/lib/__tests__/log-redaction.test.ts

@@ -0,0 +1,65 @@
+import { createHash } from 'node:crypto'
+import { redactSecretForLog, deriveApiKeySessionId } from '../log-redaction'
+
+const SESSION_ID_DIGEST_HEX = 16
+
+describe('redactSecretForLog', () => {
+  it('never emits the full session token', () => {
+    const token = `sess_${'a'.repeat(32)}`
+    const redacted = redactSecretForLog(token)
+    expect(redacted).not.toBe(token)
+    expect(redacted).not.toContain(token)
+    expect(token.startsWith(redacted.replace(/\.\.\.$/, ''))).toBe(true)
+  })
+
+  it('reveals at most a short leading fingerprint and never more than half', () => {
+    const token = `sess_${'b'.repeat(32)}`
+    const redacted = redactSecretForLog(token)
+    const visible = redacted.replace(/\.\.\.$/, '')
+    expect(redacted.endsWith('...')).toBe(true)
+    expect(visible.length).toBeLessThanOrEqual(12)
+    expect(visible.length).toBeLessThanOrEqual(Math.floor(token.length / 2))
+    expect(token.startsWith(visible)).toBe(true)
+  })
+
+  it('does not leak short values', () => {
+    expect(redactSecretForLog('abcd')).toBe('ab...')
+  })
+
+  it('returns a placeholder for empty or non-string input', () => {
+    expect(redactSecretForLog('')).toBe('<redacted>')
+    expect(redactSecretForLog(undefined)).toBe('<redacted>')
+    expect(redactSecretForLog(null)).toBe('<redacted>')
+    expect(redactSecretForLog(12345)).toBe('<redacted>')
+  })
+})
+
+describe('deriveApiKeySessionId', () => {
+  it('does not embed any slice of the secret', () => {
+    const secret = 'omk_publicprefix_secretbodythatmustnotleak'
+    const sessionId = deriveApiKeySessionId(secret)
+    expect(sessionId.startsWith('apikey_')).toBe(true)
+    expect(sessionId).not.toContain(secret.slice(0, 16))
+    expect(sessionId).not.toContain('secretbody')
+    const digestPart = sessionId.slice('apikey_'.length)
+    expect(secret).not.toContain(digestPart)
+  })
+
+  it('is stable within a process and shaped as a truncated hex digest', () => {
+    const secret = 'omk_test_secret_value'
+    const sessionId = deriveApiKeySessionId(secret)
+    expect(sessionId).toBe(deriveApiKeySessionId(secret))
+    const digestPart = sessionId.slice('apikey_'.length)
+    expect(digestPart).toMatch(new RegExp(`^[0-9a-f]{${SESSION_ID_DIGEST_HEX}}$`))
+  })
+
+  it('is keyed, not a recomputable unkeyed sha-256 of the secret', () => {
+    const secret = 'omk_test_secret_value'
+    const unkeyed = `apikey_${createHash('sha256').update(secret).digest('hex').slice(0, SESSION_ID_DIGEST_HEX)}`
+    expect(deriveApiKeySessionId(secret)).not.toBe(unkeyed)
+  })
+
+  it('maps distinct secrets to distinct ids', () => {
+    expect(deriveApiKeySessionId('secret-one')).not.toBe(deriveApiKeySessionId('secret-two'))
+  })
+})

package/src/modules/ai_assistant/lib/__tests__/tool-test-runner-pick-default-tenant.test.ts

@@ -0,0 +1,70 @@
+import type { AwilixContainer } from 'awilix'
+import { pickDefaultTenant } from '../tool-test-runner'
+
+type ExecuteCall = { sql: string; params?: unknown[] }
+
+function makeContainer(
+  rowsBySql: (sql: string) => Record<string, unknown>[],
+  calls: ExecuteCall[],
+): AwilixContainer {
+  const connection = {
+    execute: async (sql: string, params?: unknown[]) => {
+      calls.push({ sql, params })
+      return rowsBySql(sql)
+    },
+  }
+  const em = { getConnection: () => connection }
+  return {
+    resolve: (token: string) => {
+      if (token === 'em') return em
+      throw new Error(`[internal] unexpected resolve token: ${token}`)
+    },
+  } as unknown as AwilixContainer
+}
+
+describe('pickDefaultTenant SQL safety (#2725)', () => {
+  it('binds the tenant id as a query parameter instead of interpolating it', async () => {
+    const calls: ExecuteCall[] = []
+    const tenantId = '11111111-2222-3333-4444-555555555555'
+    const orgId = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
+    const userId = 'ffffffff-0000-1111-2222-333333333333'
+    const container = makeContainer((sql) => {
+      if (sql.includes('FROM tenants')) return [{ id: tenantId }]
+      if (sql.includes('FROM organizations')) return [{ id: orgId }]
+      if (sql.includes('FROM users')) return [{ id: userId }]
+      return []
+    }, calls)
+
+    const result = await pickDefaultTenant(container)
+
+    expect(result).toEqual({ tenantId, organizationId: orgId, userId })
+
+    const orgCall = calls.find((call) => call.sql.includes('FROM organizations'))
+    const userCall = calls.find((call) => call.sql.includes('FROM users'))
+    expect(orgCall).toBeDefined()
+    expect(userCall).toBeDefined()
+
+    // Tenant value flows through bound parameters, never string-interpolated.
+    expect(orgCall?.params).toEqual([tenantId])
+    expect(userCall?.params).toEqual([tenantId])
+    expect(orgCall?.sql).toContain('tenant_id = ?')
+    expect(userCall?.sql).toContain('tenant_id = ?')
+
+    // No call may embed the tenant value or hand-rolled quote-escaping in SQL.
+    for (const call of calls) {
+      expect(call.sql).not.toContain(tenantId)
+      expect(call.sql).not.toContain("''")
+    }
+  })
+
+  it('returns null when no tenant exists without issuing scoped lookups', async () => {
+    const calls: ExecuteCall[] = []
+    const container = makeContainer(() => [], calls)
+
+    const result = await pickDefaultTenant(container)
+
+    expect(result).toBeNull()
+    expect(calls).toHaveLength(1)
+    expect(calls[0]?.sql).toContain('FROM tenants')
+  })
+})

package/src/modules/ai_assistant/lib/auth.ts

@@ -1,6 +1,7 @@
 import type { AwilixContainer } from 'awilix'
 import type { EntityManager } from '@mikro-orm/postgresql'
 import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
+import { hasAllFeatures } from '@open-mercato/shared/lib/auth/featureMatch'
 
 /**
  * Successful authentication result.
@@ -118,7 +119,8 @@ export async function authenticateMcpRequest(
  * - Super admin bypass (always returns true)
  * - Direct feature match (e.g., 'customers.view')
  * - Global wildcard ('*' grants all features)
- * - Prefix wildcard (e.g., 'customers.*' grants 'customers.people.view')
+ * - Prefix wildcard (e.g., 'customers.*' grants 'customers.people.view' and the
+ *   bare 'customers' segment itself)
  *
  * @param requiredFeatures - List of features required for access
  * @param userFeatures - List of features the user has
@@ -140,20 +142,12 @@ export function hasRequiredFeatures(
     return rbacService.hasAllFeatures(requiredFeatures, userFeatures)
   }
 
-  // Fallback for cases without rbacService (keeps backward compatibility)
-  return requiredFeatures.every((required) => {
-    if (userFeatures.includes(required)) return true
-    if (userFeatures.includes('*')) return true
-
-    // Check wildcard patterns (e.g., 'customers.*' grants 'customers.people.view')
-    return userFeatures.some((feature) => {
-      if (feature.endsWith('.*')) {
-        const prefix = feature.slice(0, -2)
-        return required.startsWith(prefix + '.')
-      }
-      return false
-    })
-  })
+  // Fallback for cases without rbacService: delegate to the canonical
+  // wildcard-aware matcher so this path stays consistent with
+  // RbacService.hasAllFeatures (which uses the same helper). The previous
+  // bespoke loop rejected a bare-segment requirement (e.g. 'entities')
+  // against an 'entities.*' grant, diverging from the canonical matcher.
+  return hasAllFeatures(requiredFeatures, userFeatures)
 }
 
 /**

package/src/modules/ai_assistant/lib/codemode-tools.ts

@@ -550,22 +550,10 @@ function buildEntitySchemas(graph: EntityGraph) {
   })
 }
 
-/**
- * Detect mutation HTTP methods in code via static analysis.
- * Returns which methods were found (POST, PUT, PATCH, DELETE).
- */
-function detectMutationInCode(code: string): { hasMutation: boolean; methods: string[] } {
-  const methods: string[] = []
-  const pattern = /method:\s*['"](\w+)['"]/gi
-  let match
-  while ((match = pattern.exec(code)) !== null) {
-    const method = match[1].toUpperCase()
-    if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(method)) {
-      methods.push(method)
-    }
-  }
-  return { hasMutation: methods.length > 0, methods }
-}
+/** Maximum api.request() calls allowed per execute() run, regardless of method. */
+export const CODE_MODE_MAX_API_CALLS = 50
+/** Maximum mutation (non-GET/HEAD/OPTIONS) api.request() calls allowed per execute() run. */
+export const CODE_MODE_MAX_MUTATION_CALLS = 20
 
 /**
  * Load and register the two Code Mode tools.
@@ -701,19 +689,24 @@ RULES: For FIND/LIST → GET only (1 call). For UPDATE → PUT to collection pat
           }
         }
 
-        // Detect mutations via static analysis — cap API calls for safety
-        const mutationInfo = detectMutationInCode(input.code)
-        const maxApiCalls = mutationInfo.hasMutation ? 20 : 50
-        if (mutationInfo.hasMutation) {
-          console.error(`[AI Usage] execute: MUTATION DETECTED (${mutationInfo.methods.join(',')}) — capping API calls to ${maxApiCalls}`)
-        }
+        // Cap API calls for safety. The mutation cap is enforced against the
+        // actually-observed HTTP method, not a static scan of the source — so a
+        // dynamically-built method (e.g. 'PO' + 'ST') can never escape it.
+        const maxApiCalls = CODE_MODE_MAX_API_CALLS
         let apiCallCount = 0
+        let mutationCallCount = 0
 
-        const apiRequestFn = createApiRequestFn(ctx, () => {
+        const apiRequestFn = createApiRequestFn(ctx, (normalizedMethod) => {
           apiCallCount++
           if (apiCallCount > maxApiCalls) {
             throw new Error(`API call limit exceeded (max ${maxApiCalls})`)
           }
+          if (isUnsafeHttpMethod(normalizedMethod)) {
+            mutationCallCount++
+            if (mutationCallCount > CODE_MODE_MAX_MUTATION_CALLS) {
+              throw new Error(`Mutation API call limit exceeded (max ${CODE_MODE_MAX_MUTATION_CALLS})`)
+            }
+          }
         })
 
         const context = {
@@ -761,9 +754,9 @@ RULES: For FIND/LIST → GET only (1 call). For UPDATE → PUT to collection pat
 /**
  * Create the api.request() function for the execute sandbox.
  */
-function createApiRequestFn(
+export function createApiRequestFn(
   ctx: McpToolContext,
-  onCall: () => void
+  onCall: (normalizedMethod: string) => void
 ): (params: {
   method: string
   path: string
@@ -777,11 +770,10 @@ function createApiRequestFn(
     'http://localhost:3000'
 
   return async (params) => {
-    onCall()
-
     const { method, path, query, body } = params
     const callStart = Date.now()
-    const normalizedMethod = method.toUpperCase()
+    const normalizedMethod = String(method ?? '').toUpperCase()
+    onCall(normalizedMethod)
     const apiPath = normalizeApiRequestPath(path)
     const authorization = await authorizeCodeModeApiRequest(ctx, normalizedMethod, apiPath)
 
@@ -995,7 +987,7 @@ function isPathParameterSegment(segment: string): boolean {
   )
 }
 
-function isUnsafeHttpMethod(method: string): boolean {
+export function isUnsafeHttpMethod(method: string): boolean {
   return !['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase())
 }
 

package/src/modules/ai_assistant/lib/http-server.ts

@@ -9,6 +9,7 @@ import { executeTool } from './tool-executor'
 import { loadAllModuleTools, indexToolsForSearch } from './tool-loader'
 import { authenticateMcpRequest, extractApiKeyFromHeaders, hasRequiredFeatures } from './auth'
 import { jsonSchemaToZod, toSafeZodSchema } from './schema-utils'
+import { redactSecretForLog, deriveApiKeySessionId } from './log-redaction'
 import type { McpServerConfig, McpToolContext } from './types'
 import type { SearchService } from '@open-mercato/search/service'
 import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
@@ -42,7 +43,7 @@ async function resolveSessionContext(
     const sessionResult = await findSessionApiKeyWithSecret(em, sessionToken)
     if (!sessionResult) {
       if (debug) {
-        console.error(`[MCP HTTP] Session token not found, expired, or secret unavailable: ${sessionToken}`)
+        console.error(`[MCP HTTP] Session token not found, expired, or secret unavailable: ${redactSecretForLog(sessionToken)}`)
       }
       return null
     }
@@ -277,7 +278,7 @@ function createMcpServerForRequest(
             if (!effectiveContext.sessionId && effectiveContext.apiKeySecret) {
               effectiveContext = {
                 ...effectiveContext,
-                sessionId: 'apikey_' + effectiveContext.apiKeySecret.slice(0, 16),
+                sessionId: deriveApiKeySessionId(effectiveContext.apiKeySecret),
               }
             }
           }

package/src/modules/ai_assistant/lib/log-redaction.ts

@@ -0,0 +1,41 @@
+import { pbkdf2Sync, randomBytes } from 'node:crypto'
+
+/**
+ * Redact a bearer-style secret (session token, API key) for safe logging.
+ * Reveals at most a short leading fingerprint and never more than half of the
+ * value, so durable logs never carry a replayable credential.
+ */
+export function redactSecretForLog(value: unknown): string {
+  if (typeof value !== 'string' || value.length === 0) return '<redacted>'
+  const prefixLength = Math.min(12, Math.floor(value.length / 2))
+  if (prefixLength <= 0) return '<redacted>'
+  return `${value.slice(0, prefixLength)}...`
+}
+
+// Per-process random key so the API key secret is fingerprinted through a keyed
+// HMAC rather than a fast, unkeyed digest. The session id is only an in-process
+// grouping key for the session-memory cache (a process-local Map), so a key that
+// lives for the process lifetime keeps the same-secret-maps-to-same-id guarantee
+// within an MCP connection while ensuring the digest is not derivable from the
+// secret alone. Mirrors the secret fingerprinter in apiKeyAuthCache.ts.
+const sessionIdHmacKey = randomBytes(32)
+const SESSION_ID_PBKDF2_ITERATIONS = 210000
+// 8 bytes → 16 hex chars: a short in-process grouping key, not a security token.
+const SESSION_ID_PBKDF2_KEYLEN = 8
+
+/**
+ * Derive a stable, non-reversible session-memory id from an API key secret.
+ * The same secret always maps to the same id within a process (so tool calls on
+ * one MCP connection share a memory cache), but no secret material is exposed:
+ * the id is derived with PBKDF2 (slow KDF) using a per-process random salt.
+ */
+export function deriveApiKeySessionId(apiKeySecret: string): string {
+  const digest = pbkdf2Sync(
+    apiKeySecret,
+    sessionIdHmacKey,
+    SESSION_ID_PBKDF2_ITERATIONS,
+    SESSION_ID_PBKDF2_KEYLEN,
+    'sha256'
+  ).toString('hex')
+  return `apikey_${digest}`
+}

package/src/modules/ai_assistant/lib/tool-test-runner.ts

@@ -212,14 +212,18 @@ async function loadGeneratedTools(): Promise<{ moduleId: string; tools: AiToolDe
   return result
 }
 
-async function pickDefaultTenant(
+export async function pickDefaultTenant(
   container: AwilixContainer,
 ): Promise<{ tenantId: string; organizationId: string | null; userId: string | null } | null> {
   try {
     const em = container.resolve<{
-      getConnection: () => { execute: (sql: string) => Promise<unknown[]> }
+      getConnection: () => {
+        execute: (sql: string, params?: unknown[]) => Promise<Record<string, unknown>[]>
+      }
     }>('em') as unknown as {
-      getConnection: () => { execute: (sql: string) => Promise<Record<string, unknown>[]> }
+      getConnection: () => {
+        execute: (sql: string, params?: unknown[]) => Promise<Record<string, unknown>[]>
+      }
     }
     const conn = em.getConnection()
     const tenantRows = await conn.execute(
@@ -230,16 +234,17 @@ async function pickDefaultTenant(
         ? String((tenantRows[0] as Record<string, unknown>).id)
         : null
     if (!tenantId) return null
-    const escaped = tenantId.replace(/'/g, "''")
     const orgRows = await conn.execute(
-      `SELECT id FROM organizations WHERE tenant_id = '${escaped}' AND deleted_at IS NULL ORDER BY created_at ASC LIMIT 1`,
+      `SELECT id FROM organizations WHERE tenant_id = ? AND deleted_at IS NULL ORDER BY created_at ASC LIMIT 1`,
+      [tenantId],
     )
     const organizationId =
       Array.isArray(orgRows) && orgRows[0]
         ? String((orgRows[0] as Record<string, unknown>).id)
         : null
     const userRows = await conn.execute(
-      `SELECT id FROM users WHERE tenant_id = '${escaped}' AND deleted_at IS NULL ORDER BY created_at ASC LIMIT 1`,
+      `SELECT id FROM users WHERE tenant_id = ? AND deleted_at IS NULL ORDER BY created_at ASC LIMIT 1`,
+      [tenantId],
     )
     const userId =
       Array.isArray(userRows) && userRows[0]