@rblez/authly 0.1.0

package/src/mcp/server.js

@@ -0,0 +1,281 @@
+/**
+ * Authly MCP Server
+ *
+ * Exposes Supabase operations as MCP tools so an AI agent
+ * (or the dashboard UI) can manage the user's Supabase project
+ * through authly — no direct Supabase credentials needed.
+ *
+ * Protocol: MCP Streamable HTTP at /mcp
+ * When authorized, an AI connecting to this endpoint gets:
+ *   execute_sql, list_tables, describe_table, list_auth_users,
+ *   list_roles, assign_role, revoke_role, get_user_roles,
+ *   list_migrations, get_migration_sql, run_migration
+ */
+
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { z } from "zod";
+import { getSupabaseClient, fetchUsers } from "../lib/supabase.js";
+import { listRoles, assignRoleToUser, revokeRoleFromUser, getUserRoles } from "../generators/roles.js";
+import { listMigrations, getMigration, migrations } from "../generators/migrations.js";
+
+// ── MCP Server Instance ──────────────────────────────
+
+export function createMcpServer() {
+  const server = new McpServer(
+    { name: "authly", version: "0.1.0" },
+    { capabilities: { tools: {} } }
+  );
+
+  // ── SQL ──────────────────────────────────────────
+  server.tool(
+    "execute_sql",
+    "Execute arbitrary SQL against the connected Supabase database. Use for queries too complex for other tools.",
+    { sql: z.string().describe("The SQL query to execute") },
+    async ({ sql }) => {
+      const { client, errors } = getSupabaseClient();
+      if (!client) return fail(`Not connected to Supabase: ${errors.join(", ")}`);
+      try {
+        const result = await execSql(sql);
+        return text(JSON.stringify(result, null, 2));
+      } catch (e) {
+        return text(`SQL error: ${e.message}`, true);
+      }
+    }
+  );
+
+  // ── Tables ───────────────────────────────────────
+  server.tool(
+    "list_tables",
+    "List all tables in the public schema of the connected Supabase database.",
+    {},
+    async () => {
+      const { client, errors } = getSupabaseClient();
+      if (!client) return fail(`Not connected: ${errors.join(", ")}`);
+      const { data, error } = await client
+        .from("information_schema.tables")
+        .select("table_schema, table_name")
+        .eq("table_schema", "public");
+      if (error) return text(error.message, true);
+      return text(data.map(t => `  ${t.table_schema}.${t.table_name}`).join("\n") || "  (no tables)");
+    }
+  );
+
+  server.tool(
+    "describe_table",
+    "Show column definitions for a specific table.",
+    { table: z.string() },
+    async ({ table }) => {
+      const { client, errors } = getSupabaseClient();
+      if (!client) return fail(`Not connected: ${errors.join(", ")}`);
+      const { data, error } = await client
+        .from("information_schema.columns")
+        .select("column_name, data_type, is_nullable, column_default")
+        .eq("table_schema", "public")
+        .eq("table_name", table);
+      if (error) return text(error.message, true);
+      return text(data.map(c =>
+        `  ${c.column_name.padEnd(24)} ${c.data_type.padEnd(20)} ${c.is_nullable === "YES" ? "NULL" : "NOT NULL"}${c.column_default ? " DEFAULT " + c.column_default : ""}`
+      ).join("\n") || `Table '${table}' not found`);
+    }
+  );
+
+  // ── Auth users ───────────────────────────────────
+  server.tool(
+    "list_auth_users",
+    "List users registered via Supabase Auth. Returns id, email, role, created_at.",
+    { limit: z.number().default(50) },
+    async ({ limit }) => {
+      const { users, error } = await fetchUsers({ limit });
+      if (error) return text(error, true);
+      if (!users.length) return text("No users registered");
+      return text(users.map(u =>
+        `  ${u.id.slice(0, 8)}…  ${(u.email || "—").padEnd(32)} role:${u.raw_user_meta_data?.role ?? "user"}  created:${u.created_at?.slice(0, 10) ?? "?"}`
+      ).join("\n"));
+    }
+  );
+
+  // ── RBAC ─────────────────────────────────────────
+  server.tool(
+    "list_roles",
+    "List all defined authorization roles in the database.",
+    {},
+    async () => {
+      const { roles, error } = await listRoles();
+      if (error) return text(error, true);
+      if (!roles.length) return text("No roles defined. Run migration '001_create_roles_table' first.");
+      return text(roles.map(r => `  ${r.name.padEnd(12)} ${r.description || ""}`).join("\n"));
+    }
+  );
+
+  server.tool(
+    "assign_role_to_user",
+    "Grant a role to a user by their Supabase user ID.",
+    { userId: z.string(), role: z.string() },
+    async ({ userId, role }) => {
+      const { success, error } = await assignRoleToUser(userId, role);
+      if (!success) return text(error, true);
+      return text(`Assigned '${role}' to ${userId.slice(0, 8)}…`);
+    }
+  );
+
+  server.tool(
+    "revoke_role_from_user",
+    "Remove a role from a user.",
+    { userId: z.string(), role: z.string() },
+    async ({ userId, role }) => {
+      const { success, error } = await revokeRoleFromUser(userId, role);
+      if (!success) return text(error, true);
+      return text(`Revoked '${role}' from ${userId.slice(0, 8)}…`);
+    }
+  );
+
+  server.tool(
+    "get_user_roles",
+    "Get all roles assigned to a specific user.",
+    { userId: z.string() },
+    async ({ userId }) => {
+      const { roles, error } = await getUserRoles(userId);
+      if (error) return text(error, true);
+      return text(roles.length ? `  ${roles.join(", ")}` : "  (no roles)");
+    }
+  );
+
+  // ── Migrations ───────────────────────────────────
+  server.tool(
+    "list_migrations",
+    "List available SQL migrations.",
+    {},
+    async () => {
+      return text(migrations.map(m => `  ${m.name} — ${m.description}`).join("\n"));
+    }
+  );
+
+  server.tool(
+    "get_migration_sql",
+    "View the SQL for a specific migration.",
+    { name: z.string() },
+    async ({ name }) => {
+      const sql = getMigration(name);
+      if (!sql) return text(`Migration '${name}' not found`, true);
+      return text("```sql\n" + sql.trim() + "\n```");
+    }
+  );
+
+  server.tool(
+    "run_migration",
+    "Apply a migration SQL to the connected Supabase. Destructive — use with care.",
+    { name: z.string() },
+    async ({ name }) => {
+      const { client, errors } = getSupabaseClient();
+      if (!client) return fail(`Not connected: ${errors.join(", ")}`);
+      const sql = getMigration(name);
+      if (!sql) return text(`Migration '${name}' not found`, true);
+      try {
+        const result = await execSql(sql);
+        return text(`Migration '${name}' applied. Result: ${JSON.stringify(result).slice(0, 200)}`);
+      } catch (e) {
+        return text(`Migration failed: ${e.message}`, true);
+      }
+    }
+  );
+
+  // ── Supabase connection info ─────────────────────
+  server.tool(
+    "connection_info",
+    "Show the current Supabase connection status and project URL.",
+    {},
+    async () => {
+      const url = process.env.SUPABASE_URL;
+      if (!url) return text("Not connected to Supabase. Run 'npx @rblez/authly init' or connect from the dashboard.");
+      return text(`  Connected to: ${url}\n  ANON_KEY: ${process.env.SUPABASE_ANON_KEY ? "set" : "missing"}\n  SERVICE_ROLE: ${process.env.SUPABASE_SERVICE_ROLE_KEY ? "set" : "missing"}`);
+    }
+  );
+
+  return server;
+}
+
+// ── Mount on Hono ────────────────────────────────────
+
+const sessionTransports = new Map();
+
+/**
+ * Mount the MCP server onto a Hono app at /mcp.
+ * Uses Streamable HTTP transport so MCP clients
+ * (Claude Desktop, cursor, etc.) and the dashboard
+ * can both communicate with the tool server.
+ */
+export function mountMcp(app) {
+  const mcpServer = createMcpServer();
+
+  app.all("/mcp", async (c) => {
+    // Each client session gets its own transport
+    const sessionId = c.req.header("Mcp-Session-Id");
+
+    let transport;
+    if (sessionId && sessionTransports.has(sessionId)) {
+      transport = sessionTransports.get(sessionId);
+    } else {
+      const supabaseOk = process.env.SUPABASE_URL && process.env.SUPABASE_ANON_KEY;
+      if (!supabaseOk) {
+        return c.json({
+          jsonrpc: "2.0",
+          error: { code: -32600, message: "Not connected to Supabase. Authorize from the dashboard first." },
+          id: null,
+        }, 400);
+      }
+
+      transport = new StreamableHTTPServerTransport({
+        sessionIdGenerator: () => crypto.randomUUID(),
+        onsessioninitialized: (sid) => sessionTransports.set(sid, transport),
+      });
+
+      transport.onclose = () => {
+        if (transport.sessionId) sessionTransports.delete(transport.sessionId);
+      };
+
+      await mcpServer.connect(transport);
+    }
+
+    await transport.handleRequest(c.req.raw, c.req.raw.signal);
+  });
+}
+
+// ── Helpers ──────────────────────────────────────────
+
+function text(content, isError = false) {
+  return { content: [{ type: "text", text: content }], isError };
+}
+function fail(message) {
+  return text(message, true);
+}
+
+/**
+ * Execute raw SQL via PostgREST endpoint.
+ * Since supabase-js doesn't support raw SQL directly,
+ * we use the REST API with a stored procedure.
+ */
+async function execSql(sql) {
+  const url = process.env.SUPABASE_URL;
+  const key = process.env.SUPABASE_SERVICE_ROLE_KEY || process.env.SUPABASE_ANON_KEY;
+  if (!key) throw new Error("Supabase credentials not configured");
+
+  const res = await fetch(`${url}/rest/v1/`, {
+    method: "POST",
+    headers: {
+      apikey: key,
+      Authorization: `Bearer ${key}`,
+      "Content-Type": "application/json",
+      Prefer: "return=representation",
+    },
+    body: JSON.stringify({ _sql: sql }),
+  });
+
+  if (!res.ok) {
+    const body = await res.text();
+    throw new Error(`${res.status}: ${body.slice(0, 300)}`);
+  }
+
+  const text = await res.text();
+  try { return JSON.parse(text); } catch { return { raw: text }; }
+}