@rigstate/mcp 0.7.5 → 0.7.6

package/src/tools/pending-tasks.ts

@@ -48,8 +48,19 @@ export interface UpdateTaskStatusResponse {
  */
 export async function getPendingTasks(
     supabase: SupabaseClient,
+    userId: string,
     projectId: string
 ): Promise<GetPendingTasksResponse> {
+    // 0. Verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
+
+    if (accessError || !hasAccess) {
+        throw new Error('Project not found or access denied');
+    }
 
     // Fetch APPROVED tasks that are ready for execution
     const { data: tasks, error } = await supabase
@@ -143,11 +154,22 @@ export async function getPendingTasks(
  */
 export async function updateTaskStatus(
     supabase: SupabaseClient,
+    userId: string,
     projectId: string,
     taskId: string,
     newStatus: 'EXECUTING' | 'COMPLETED' | 'FAILED',
     executionSummary?: string
 ): Promise<UpdateTaskStatusResponse> {
+    // 0. Verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
+
+    if (accessError || !hasAccess) {
+        throw new Error('Project not found or access denied');
+    }
 
     // 1. Fetch the current task state
     const { data: currentTask, error: fetchError } = await supabase

package/src/tools/query-brain.ts

@@ -75,15 +75,14 @@ export async function queryBrain(
     limit: number = 8,
     threshold: number = 0.5
 ): Promise<BrainQueryResponse> {
-    // First, verify project ownership
-    const { data: project, error: projectError } = await supabase
-        .from('projects')
-        .select('id')
-        .eq('id', projectId)
-        .eq('owner_id', userId)
-        .single();
-
-    if (projectError || !project) {
+    // First, verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
+
+    if (accessError || !hasAccess) {
         throw new Error('Project not found or access denied');
     }
 

package/src/tools/research-tools.ts

@@ -13,14 +13,15 @@ export async function queryProjectBrain(
     const { projectId, query, limit = 5 } = input;
 
     // Verify access
-    const { data: project, error: pError } = await supabase
-        .from('projects')
-        .select('id')
-        .eq('id', projectId)
-        .eq('owner_id', userId)
-        .single();
-
-    if (pError || !project) throw new Error('Access denied or project not found');
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
+
+    if (accessError || !hasAccess) {
+        throw new Error('Access denied or project not found');
+    }
 
     // Simple keyword search
     const terms = query.toLowerCase().split(/\s+/).filter(t => t.length > 2);

package/src/tools/run-architecture-audit.ts

@@ -110,15 +110,14 @@ export async function runArchitectureAudit(
     filePath: string,
     content: string
 ): Promise<ArchitectureAuditResponse> {
-    // First, verify project ownership
-    const { data: project, error: projectError } = await supabase
-        .from('projects')
-        .select('id, name')
-        .eq('id', projectId)
-        .eq('owner_id', userId)
-        .single();
-
-    if (projectError || !project) {
+    // First, verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
+
+    if (accessError || !hasAccess) {
         throw new Error('Project not found or access denied');
     }
 

package/src/tools/save-decision.ts

@@ -44,18 +44,24 @@ export async function saveDecision(
     category: string = 'decision',
     tags: string[] = []
 ): Promise<SaveDecisionResponse> {
-    // First, verify project ownership
-    const { data: project, error: projectError } = await supabase
-        .from('projects')
-        .select('id, name')
-        .eq('id', projectId)
-        .eq('owner_id', userId)
-        .single();
+    // 1. Verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
 
-    if (projectError || !project) {
+    if (accessError || !hasAccess) {
         throw new Error('Project not found or access denied');
     }
 
+    // 2. Fetch project name for the response message
+    const { data: project } = await supabase
+        .from('projects')
+        .select('name')
+        .eq('id', projectId)
+        .single();
+
     // Build the full content with title, decision, and rationale
     const contentParts = [`# ${title}`, '', decision];
     if (rationale) {
@@ -98,6 +104,6 @@ export async function saveDecision(
     return {
         success: true,
         memoryId: memory.id,
-        message: `✅ Decision "${title}" saved to project "${project.name}" with importance 9/10`
+        message: `✅ Decision "${title}" saved to project "${project?.name || projectId}" with importance 9/10`
     };
 }

package/src/tools/security-tools.ts

@@ -14,7 +14,7 @@ registry.register({
     description: `Sven's Tool: Security Shield. Audits the database to ensure Row Level Security (RLS) is enforced.`,
     schema: AuditRlsStatusInputSchema,
     handler: async (args, context) => {
-        const result = await auditRlsStatus(context.supabase, args);
+        const result = await auditRlsStatus(context.supabase, context.userId, args);
         return { content: [{ type: 'text', text: result.summary || 'No summary available' }] };
     }
 });
@@ -24,7 +24,7 @@ registry.register({
     description: `Frank's Tool: Security Oracle. Performs a diagnostic security audit against the Fortress Matrix.`,
     schema: AuditSecurityIntegrityInputSchema,
     handler: async (args, context) => {
-        const result = await auditSecurityIntegrity(context.supabase, args);
+        const result = await auditSecurityIntegrity(context.supabase, context.userId, args);
         return { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] };
     }
 });
@@ -35,8 +35,20 @@ registry.register({
  */
 export async function auditRlsStatus(
     supabase: SupabaseClient,
+    userId: string,
     input: AuditRlsStatusInput
 ) {
+    // 0. Verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: input.projectId,
+            p_user_id: userId
+        });
+
+    if (accessError || !hasAccess) {
+        throw new Error('Project not found or access denied');
+    }
+
     try {
         const { data, error } = await supabase.rpc('execute_sql', {
             query: `
@@ -97,8 +109,20 @@ export async function auditRlsStatus(
  */
 export async function auditSecurityIntegrity(
     supabase: SupabaseClient,
+    userId: string,
     input: { projectId: string, filePath: string, content: string }
 ) {
+    // 0. Verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: input.projectId,
+            p_user_id: userId
+        });
+
+    if (accessError || !hasAccess) {
+        throw new Error('Project not found or access denied');
+    }
+
     const violations: any[] = [];
     const { content, filePath } = input;
 

package/src/tools/submit-idea.ts

@@ -42,18 +42,24 @@ export async function submitIdea(
     category: string = 'feature',
     tags: string[] = []
 ): Promise<SubmitIdeaResponse> {
-    // First, verify project ownership
-    const { data: project, error: projectError } = await supabase
-        .from('projects')
-        .select('id, name')
-        .eq('id', projectId)
-        .eq('owner_id', userId)
-        .single();
+    // 1. Verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
 
-    if (projectError || !project) {
+    if (accessError || !hasAccess) {
         throw new Error('Project not found or access denied');
     }
 
+    // 2. Fetch project name for the response message
+    const { data: project } = await supabase
+        .from('projects')
+        .select('name')
+        .eq('id', projectId)
+        .single();
+
     // Insert the idea into saved_ideas
     const { data: idea, error: insertError } = await supabase
         .from('saved_ideas')
@@ -86,6 +92,6 @@ export async function submitIdea(
     return {
         success: true,
         ideaId: idea.id,
-        message: `💡 Idea "${title}" submitted to Idea Lab for project "${project.name}". Status: Draft (awaiting review)`
+        message: `💡 Idea "${title}" submitted to Idea Lab for project "${project?.name || projectId}". Status: Draft (awaiting review)`
     };
 }

package/src/tools/sync-ide-rules.ts

@@ -22,7 +22,7 @@ registry.register({
 based on project context and user settings.`,
     schema: GenerateCursorRulesInputSchema,
     handler: async (args, context) => {
-        const result = await syncIdeRules(context.supabase, args.projectId);
+        const result = await syncIdeRules(context.supabase, context.userId, args.projectId);
 
         // Format response: Main file content + information about modular files
         let responseText = `FileName: ${result.fileName}\n\nContent:\n${result.content}`;
@@ -43,14 +43,27 @@ based on project context and user settings.`,
  * Uses the centralized rules-engine for consistent generation across all consumers.
  * 
  * @param supabase - Supabase client instance
+ * @param userId - The user ID for access verification
  * @param projectId - The project ID to generate rules for
  * @returns Object with fileName, content, and the new modular files[] array
  */
 export async function syncIdeRules(
     supabase: SupabaseClient,
+    userId: string,
     projectId: string
 ): Promise<{ fileName: string; content: string; files: RuleFile[] }> {
-    // 1. Fetch Project & Preferred IDE
+    // 1. Verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
+
+    if (accessError || !hasAccess) {
+        throw new Error('Project not found or access denied');
+    }
+
+    // 2. Fetch Project & Preferred IDE
     const { data: project, error: projectError } = await supabase
         .from('projects')
         .select('*')
@@ -58,7 +71,7 @@ export async function syncIdeRules(
         .single();
 
     if (projectError || !project) {
-        throw new Error(`Project ${projectId} not found.`);
+        throw new Error(`Project ${projectId} details not found.`);
     }
 
     // 2. Determine IDE (Preference -> Fallback)

package/src/tools/teacher-mode.ts

@@ -65,14 +65,13 @@ export async function refineLogic(
     const traceId = uuidv4();
 
     // Verify project access
-    const { data: project, error: projectError } = await supabase
-        .from('projects')
-        .select('id, name')
-        .eq('id', projectId)
-        .eq('owner_id', userId)
-        .single();
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
 
-    if (projectError || !project) {
+    if (accessError || !hasAccess) {
         throw new Error(`Project access denied or not found: ${projectId}`);
     }
 

package/src/tools/update-roadmap.ts

@@ -40,18 +40,24 @@ export async function updateRoadmap(
     chunkId?: string,
     title?: string
 ): Promise<UpdateRoadmapResponse> {
-    // First, verify project ownership
-    const { data: project, error: projectError } = await supabase
-        .from('projects')
-        .select('id, name')
-        .eq('id', projectId)
-        .eq('owner_id', userId)
-        .single();
+    // 1. Verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
 
-    if (projectError || !project) {
+    if (accessError || !hasAccess) {
         throw new Error('Project not found or access denied');
     }
 
+    // 2. Fetch project details (for response message if needed)
+    const { data: project } = await supabase
+        .from('projects')
+        .select('name')
+        .eq('id', projectId)
+        .single();
+
     // Find the roadmap chunk
     let targetChunk: { id: string; title: string; status: string } | null = null;