@rigstate/mcp 0.7.2 → 0.7.3

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@rigstate/mcp",
-    "version": "0.7.2",
+    "version": "0.7.3",
     "description": "Rigstate MCP Server - Model Context Protocol for AI Editors",
     "type": "module",
     "main": "./dist/index.js",
@@ -26,7 +26,7 @@
         "zod": "^3.22.4"
     },
     "devDependencies": {
-        "@rigstate/rules-engine": "0.1.0",
+        "@rigstate/rules-engine": "*",
         "@types/node": "^20.11.5",
         "tsup": "^8.0.1",
         "typescript": "^5.3.3"

package/src/tools/get-latest-decisions.ts

@@ -36,15 +36,14 @@ export async function getLatestDecisions(
     projectId: string,
     limit: number = 5
 ): Promise<DecisionsResponse> {
-    // First, verify project ownership
-    const { data: project, error: projectError } = await supabase
-        .from('projects')
-        .select('id')
-        .eq('id', projectId)
-        .eq('owner_id', userId)
-        .single();
-
-    if (projectError || !project) {
+    // First, verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
+
+    if (accessError || !hasAccess) {
         throw new Error('Project not found or access denied');
     }
 

package/src/tools/list-roadmap-tasks.ts

@@ -33,15 +33,14 @@ export async function listRoadmapTasks(
     userId: string,
     projectId: string
 ): Promise<ListRoadmapTasksResponse> {
-    // 1. Verify project ownership
-    const { data: project, error: projectError } = await supabase
-        .from('projects')
-        .select('id')
-        .eq('id', projectId)
-        .eq('owner_id', userId)
-        .single();
+    // 1. Verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
 
-    if (projectError || !project) {
+    if (accessError || !hasAccess) {
         throw new Error('Project not found or access denied');
     }
 

package/src/tools/planning-tools.ts

@@ -53,8 +53,10 @@ export async function saveToProjectBrain(
     const { projectId, title, content, category, tags } = input;
 
     // Confirm project access
-    const { data: p, error: pErr } = await supabase.from('projects').select('id').eq('id', projectId).eq('owner_id', userId).single();
-    if (pErr || !p) throw new Error('Access denied');
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', { p_project_id: projectId, p_user_id: userId });
+
+    if (accessError || !hasAccess) throw new Error('Access denied');
 
     const fullContent = `# ${title}\n\n${content}`;
 
@@ -92,6 +94,12 @@ export async function updateRoadmapStatus(
 ) {
     const { projectId, chunkId, status } = input;
 
+    // Confirm project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', { p_project_id: projectId, p_user_id: userId });
+
+    if (accessError || !hasAccess) throw new Error('Access denied');
+
     // Map status to DB enum: 'TODO' -> 'LOCKED' (Standard convention in Rigstate seems to be LOCKED/ACTIVE/COMPLETED)
     // If 'TODO' is meant to be 'PENDING', we check schema. Assuming 'LOCKED' is the backlog state.
     const dbStatus = status === 'TODO' ? 'LOCKED' : status === 'IN_PROGRESS' ? 'ACTIVE' : 'COMPLETED';
@@ -127,6 +135,12 @@ export async function addRoadmapChunk(
 ) {
     const { projectId, title, description, priority } = input;
 
+    // Confirm project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', { p_project_id: projectId, p_user_id: userId });
+
+    if (accessError || !hasAccess) throw new Error('Access denied');
+
     // Get max step number
     const { data: maxStep } = await supabase
         .from('roadmap_chunks')