@rigstate/mcp 0.7.5 → 0.7.7

package/src/tools/list-features.ts

@@ -17,43 +17,41 @@ export const listFeaturesTool: ToolDefinition<typeof InputSchema> = {
 Useful for understanding the strategic context and major milestones.`,
     schema: InputSchema,
     handler: async ({ projectId }, { supabase, userId }) => {
-        // 1. Fetch project to verify access and get fallback spec
-        const { data: project, error: projectError } = await supabase
-            .from('projects')
-            .select('id, functional_spec')
-            .eq('id', projectId)
-            .eq('owner_id', userId)
-            .single();
+        // 1. Verify project access and fetch context
+        const { data: projectRow, error: projectError } = await supabase
+            .rpc('get_project_context_secure', {
+                p_project_id: projectId,
+                p_user_id: userId
+            })
+            .single() as any;
 
-        if (projectError || !project) {
-            throw new Error('Project not found or access denied');
+        if (projectError || !projectRow) {
+            throw new Error('Project details not found or access denied');
         }
 
-        // 2. Primary Strategy: Fetch from 'project_features'
+        // 2. Primary Strategy: Fetch from 'project_features' via secure RPC
         const { data: dbFeatures, error: dbError } = await supabase
-            .from('project_features')
-            .select('id, name, description, status')
-            .eq('project_id', projectId)
-            .neq('status', 'shadow') // Exclude shadow features by default unless asked
-            .order('created_at', { ascending: false });
+            .rpc('get_project_features_secure', {
+                p_project_id: projectId,
+                p_user_id: userId
+            });
 
         let featuresList: any[] = [];
         let source = 'DB';
 
         if (!dbError && dbFeatures && dbFeatures.length > 0) {
-            featuresList = dbFeatures.map(f => ({
+            featuresList = dbFeatures.map((f: any) => ({
                 ...f,
-                title: f.name // Map back to title specifically for uniform handling below
+                title: f.name
             }));
         } else {
             // 3. Fallback Strategy: Extract from 'functional_spec'
             source = 'FALLBACK_SPEC';
-            // Log warning (In a real system, use a structured logger. Here we console.error to stderr)
-            console.error(`[WARN] Project ${projectId}: 'project_features' empty or missing. Falling back to 'functional_spec'.`);
+            const spec = projectRow.functional_spec as any;
+            const features = spec?.featureList || spec?.features;
 
-            const spec = project.functional_spec as any;
-            if (spec && typeof spec === 'object' && Array.isArray(spec.features)) {
-                featuresList = spec.features.map((f: any) => ({
+            if (Array.isArray(features)) {
+                featuresList = features.map((f: any) => ({
                     id: 'legacy',
                     title: f.name || f.title,
                     description: f.description,
@@ -79,5 +77,3 @@ Useful for understanding the strategic context and major milestones.`,
 };
 
 registry.register(listFeaturesTool);
-
-

package/src/tools/list-roadmap-tasks.ts

@@ -74,7 +74,12 @@ export async function listRoadmapTasks(
             priority: t.priority,
             status: t.status,
             step_number: t.step_number,
-            prompt_content: t.prompt_content
+            prompt_content: t.prompt_content,
+            architectural_brief: t.architectural_brief,
+            context_summary: t.context_summary,
+            metadata: t.metadata,
+            checklist: t.checklist,
+            tags: t.tags
         })),
         formatted
     };

package/src/tools/pending-tasks.ts

@@ -48,8 +48,19 @@ export interface UpdateTaskStatusResponse {
  */
 export async function getPendingTasks(
     supabase: SupabaseClient,
+    userId: string,
     projectId: string
 ): Promise<GetPendingTasksResponse> {
+    // 0. Verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
+
+    if (accessError || !hasAccess) {
+        throw new Error('Project not found or access denied');
+    }
 
     // Fetch APPROVED tasks that are ready for execution
     const { data: tasks, error } = await supabase
@@ -143,11 +154,22 @@ export async function getPendingTasks(
  */
 export async function updateTaskStatus(
     supabase: SupabaseClient,
+    userId: string,
     projectId: string,
     taskId: string,
     newStatus: 'EXECUTING' | 'COMPLETED' | 'FAILED',
     executionSummary?: string
 ): Promise<UpdateTaskStatusResponse> {
+    // 0. Verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
+
+    if (accessError || !hasAccess) {
+        throw new Error('Project not found or access denied');
+    }
 
     // 1. Fetch the current task state
     const { data: currentTask, error: fetchError } = await supabase

package/src/tools/planning-tools.ts

@@ -60,25 +60,21 @@ export async function saveToProjectBrain(
 
     const fullContent = `# ${title}\n\n${content}`;
 
-    const { data, error } = await supabase
-        .from('project_memories')
-        .insert({
-            project_id: projectId,
-            content: fullContent,
-            category: category.toLowerCase(),
-            tags: tags,
-            importance: (category === 'DECISION' || category === 'ARCHITECTURE') ? 9 : 5,
-            is_active: true,
-            source_type: 'chat_manual'
-        })
-        .select('id')
-        .single();
+    const { data: memoryId, error } = await supabase
+        .rpc('save_project_memory_secure', {
+            p_project_id: projectId,
+            p_user_id: userId,
+            p_content: fullContent,
+            p_category: category.toLowerCase(),
+            p_tags: tags || [],
+            p_importance: (category === 'DECISION' || category === 'ARCHITECTURE') ? 9 : 5
+        });
 
     if (error) throw new Error(`Failed to save memory: ${error.message}`);
 
     return {
         success: true,
-        memoryId: data.id,
+        memoryId: memoryId,
         message: `✅ Saved [${category}] "${title}" to Project Brain.`
     };
 }

package/src/tools/query-brain.ts

@@ -75,55 +75,34 @@ export async function queryBrain(
     limit: number = 8,
     threshold: number = 0.5
 ): Promise<BrainQueryResponse> {
-    // First, verify project ownership
-    const { data: project, error: projectError } = await supabase
-        .from('projects')
-        .select('id')
-        .eq('id', projectId)
-        .eq('owner_id', userId)
-        .single();
-
-    if (projectError || !project) {
+    // First, verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
+
+    if (accessError || !hasAccess) {
         throw new Error('Project not found or access denied');
     }
 
     // Try semantic search first using the match_memories RPC
-    // This requires the embedding to be generated, so we'll try
-    // Generate embedding if possible for semantic search
     const embedding = await generateQueryEmbedding(query);
     let memories: MemoryRecord[] = [];
 
-    // Use the hybrid search RPC
+    // Use the secure search RPC
     const { data: searchResults, error: searchError } = await supabase
-        .rpc('hybrid_search_memories', {
+        .rpc('query_project_brain_secure', {
             p_project_id: projectId,
+            p_user_id: userId,
             p_query: query,
-            p_embedding: embedding || null,
-            p_limit: limit,
-            p_similarity_threshold: threshold || 0.1
+            p_limit: limit
         });
 
-    if (searchError) {
-        // Fallback to basic recent fetch if RPC fails
-        const { data: recentMemories } = await supabase
-            .from('project_memories')
-            .select('id, content, category, tags, importance, created_at')
-            .eq('project_id', projectId)
-            .eq('is_active', true)
-            .order('created_at', { ascending: false })
-            .limit(limit);
-
-        if (recentMemories) {
-            memories = recentMemories.map(m => ({
-                id: m.id,
-                content: m.content,
-                category: m.category || 'general',
-                tags: m.tags || [],
-                netVotes: m.importance || 0,
-                createdAt: m.created_at
-            }));
-        }
-    } else if (searchResults) {
+    if (searchError || !searchResults) {
+        console.error('Brain query failed:', searchError);
+        memories = [];
+    } else {
         memories = searchResults.map((m: any) => ({
             id: m.id,
             content: m.content,
@@ -134,31 +113,39 @@ export async function queryBrain(
         }));
     }
 
-    // --- NEW: FETCH RELEVANT FEATURES ---
-    // Simple fuzzy search until we vector embedding for features.
+    // --- FETCH RELEVANT FEATURES FROM SPEC ---
     let relevantFeatures: any[] = [];
     try {
-        const { data: features } = await supabase
-            .from('project_features')
-            .select('name, status, description')
-            .eq('project_id', projectId)
-            .or(`name.ilike.%${query}%,description.ilike.%${query}%`)
-            .limit(3);
-
-        if (features) relevantFeatures = features;
+        const { data: projectRow } = await supabase
+            .rpc('get_project_context_secure', {
+                p_project_id: projectId,
+                p_user_id: userId
+            })
+            .single() as any;
+
+        if (projectRow?.functional_spec) {
+            const spec = typeof projectRow.functional_spec === 'string'
+                ? JSON.parse(projectRow.functional_spec)
+                : projectRow.functional_spec;
+
+            const features = spec.featureList || spec.features || [];
+            relevantFeatures = features
+                .filter((f: any) => (f.name || f.title)?.toLowerCase().includes(query.toLowerCase()))
+                .slice(0, 3);
+        }
     } catch (e) {
         console.warn('Feature fetch failed in brain query', e);
     }
 
     // Format memories into a readable context block
-    const contextLines = memories.map((m) => {
+    const contextLines = memories.map((m: any) => {
         const voteIndicator = m.netVotes && m.netVotes < 0 ? ` [⚠️ POORLY RATED: ${m.netVotes}]` : '';
         const tagStr = m.tags && m.tags.length > 0 ? ` [${m.tags.join(', ')}]` : '';
         const category = m.category ? m.category.toUpperCase() : 'GENERAL';
         return `- [${category}]${tagStr}${voteIndicator}: ${m.content}`;
     });
 
-    const searchType = embedding ? 'TRIPLE-HYBRID (Vector + FTS + Fuzzy)' : 'HYBRID (FTS + Fuzzy)';
+    const searchType = embedding ? 'TRIPLE-HYBRID (Vector + FTS + Fuzzy)' : 'SECURE-GATEWAY (Fuzzy)';
 
     let formatted = `=== PROJECT BRAIN: RELEVANT MEMORIES ===
 Search Mode: ${searchType}
@@ -166,7 +153,7 @@ Query: "${query}"`;
 
     if (relevantFeatures.length > 0) {
         formatted += `\n\n=== RELATED FEATURES ===\n` +
-            relevantFeatures.map((f: any) => `- ${f.name} [${f.status}]`).join('\n');
+            relevantFeatures.map((f: any) => `- ${f.name || f.title} [${f.status || 'Active'}]`).join('\n');
     }
 
     formatted += `\n\nFound ${memories.length} relevant memories:\n\n${contextLines.join('\n')}\n\n==========================================`;

package/src/tools/research-tools.ts

@@ -13,14 +13,15 @@ export async function queryProjectBrain(
     const { projectId, query, limit = 5 } = input;
 
     // Verify access
-    const { data: project, error: pError } = await supabase
-        .from('projects')
-        .select('id')
-        .eq('id', projectId)
-        .eq('owner_id', userId)
-        .single();
-
-    if (pError || !project) throw new Error('Access denied or project not found');
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
+
+    if (accessError || !hasAccess) {
+        throw new Error('Access denied or project not found');
+    }
 
     // Simple keyword search
     const terms = query.toLowerCase().split(/\s+/).filter(t => t.length > 2);

package/src/tools/run-architecture-audit.ts

@@ -110,15 +110,14 @@ export async function runArchitectureAudit(
     filePath: string,
     content: string
 ): Promise<ArchitectureAuditResponse> {
-    // First, verify project ownership
-    const { data: project, error: projectError } = await supabase
-        .from('projects')
-        .select('id, name')
-        .eq('id', projectId)
-        .eq('owner_id', userId)
-        .single();
-
-    if (projectError || !project) {
+    // First, verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
+
+    if (accessError || !hasAccess) {
         throw new Error('Project not found or access denied');
     }
 

package/src/tools/save-decision.ts

@@ -44,18 +44,24 @@ export async function saveDecision(
     category: string = 'decision',
     tags: string[] = []
 ): Promise<SaveDecisionResponse> {
-    // First, verify project ownership
-    const { data: project, error: projectError } = await supabase
-        .from('projects')
-        .select('id, name')
-        .eq('id', projectId)
-        .eq('owner_id', userId)
-        .single();
+    // 1. Verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
 
-    if (projectError || !project) {
+    if (accessError || !hasAccess) {
         throw new Error('Project not found or access denied');
     }
 
+    // 2. Fetch project name for the response message
+    const { data: project } = await supabase
+        .from('projects')
+        .select('name')
+        .eq('id', projectId)
+        .single();
+
     // Build the full content with title, decision, and rationale
     const contentParts = [`# ${title}`, '', decision];
     if (rationale) {
@@ -98,6 +104,6 @@ export async function saveDecision(
     return {
         success: true,
         memoryId: memory.id,
-        message: `✅ Decision "${title}" saved to project "${project.name}" with importance 9/10`
+        message: `✅ Decision "${title}" saved to project "${project?.name || projectId}" with importance 9/10`
     };
 }

package/src/tools/security-tools.ts

@@ -14,7 +14,7 @@ registry.register({
     description: `Sven's Tool: Security Shield. Audits the database to ensure Row Level Security (RLS) is enforced.`,
     schema: AuditRlsStatusInputSchema,
     handler: async (args, context) => {
-        const result = await auditRlsStatus(context.supabase, args);
+        const result = await auditRlsStatus(context.supabase, context.userId, args);
         return { content: [{ type: 'text', text: result.summary || 'No summary available' }] };
     }
 });
@@ -24,7 +24,7 @@ registry.register({
     description: `Frank's Tool: Security Oracle. Performs a diagnostic security audit against the Fortress Matrix.`,
     schema: AuditSecurityIntegrityInputSchema,
     handler: async (args, context) => {
-        const result = await auditSecurityIntegrity(context.supabase, args);
+        const result = await auditSecurityIntegrity(context.supabase, context.userId, args);
         return { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] };
     }
 });
@@ -35,8 +35,20 @@ registry.register({
  */
 export async function auditRlsStatus(
     supabase: SupabaseClient,
+    userId: string,
     input: AuditRlsStatusInput
 ) {
+    // 0. Verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: input.projectId,
+            p_user_id: userId
+        });
+
+    if (accessError || !hasAccess) {
+        throw new Error('Project not found or access denied');
+    }
+
     try {
         const { data, error } = await supabase.rpc('execute_sql', {
             query: `
@@ -97,8 +109,20 @@ export async function auditRlsStatus(
  */
 export async function auditSecurityIntegrity(
     supabase: SupabaseClient,
+    userId: string,
     input: { projectId: string, filePath: string, content: string }
 ) {
+    // 0. Verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: input.projectId,
+            p_user_id: userId
+        });
+
+    if (accessError || !hasAccess) {
+        throw new Error('Project not found or access denied');
+    }
+
     const violations: any[] = [];
     const { content, filePath } = input;
 

package/src/tools/submit-idea.ts

@@ -42,18 +42,24 @@ export async function submitIdea(
     category: string = 'feature',
     tags: string[] = []
 ): Promise<SubmitIdeaResponse> {
-    // First, verify project ownership
-    const { data: project, error: projectError } = await supabase
-        .from('projects')
-        .select('id, name')
-        .eq('id', projectId)
-        .eq('owner_id', userId)
-        .single();
+    // 1. Verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
 
-    if (projectError || !project) {
+    if (accessError || !hasAccess) {
         throw new Error('Project not found or access denied');
     }
 
+    // 2. Fetch project name for the response message
+    const { data: project } = await supabase
+        .from('projects')
+        .select('name')
+        .eq('id', projectId)
+        .single();
+
     // Insert the idea into saved_ideas
     const { data: idea, error: insertError } = await supabase
         .from('saved_ideas')
@@ -86,6 +92,6 @@ export async function submitIdea(
     return {
         success: true,
         ideaId: idea.id,
-        message: `💡 Idea "${title}" submitted to Idea Lab for project "${project.name}". Status: Draft (awaiting review)`
+        message: `💡 Idea "${title}" submitted to Idea Lab for project "${project?.name || projectId}". Status: Draft (awaiting review)`
     };
 }

package/src/tools/sync-ide-rules.ts

@@ -22,7 +22,7 @@ registry.register({
 based on project context and user settings.`,
     schema: GenerateCursorRulesInputSchema,
     handler: async (args, context) => {
-        const result = await syncIdeRules(context.supabase, args.projectId);
+        const result = await syncIdeRules(context.supabase, context.userId, args.projectId);
 
         // Format response: Main file content + information about modular files
         let responseText = `FileName: ${result.fileName}\n\nContent:\n${result.content}`;
@@ -43,14 +43,27 @@ based on project context and user settings.`,
  * Uses the centralized rules-engine for consistent generation across all consumers.
  * 
  * @param supabase - Supabase client instance
+ * @param userId - The user ID for access verification
  * @param projectId - The project ID to generate rules for
  * @returns Object with fileName, content, and the new modular files[] array
  */
 export async function syncIdeRules(
     supabase: SupabaseClient,
+    userId: string,
     projectId: string
 ): Promise<{ fileName: string; content: string; files: RuleFile[] }> {
-    // 1. Fetch Project & Preferred IDE
+    // 1. Verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
+
+    if (accessError || !hasAccess) {
+        throw new Error('Project not found or access denied');
+    }
+
+    // 2. Fetch Project & Preferred IDE
     const { data: project, error: projectError } = await supabase
         .from('projects')
         .select('*')
@@ -58,7 +71,7 @@ export async function syncIdeRules(
         .single();
 
     if (projectError || !project) {
-        throw new Error(`Project ${projectId} not found.`);
+        throw new Error(`Project ${projectId} details not found.`);
     }
 
     // 2. Determine IDE (Preference -> Fallback)

package/src/tools/teacher-mode.ts

@@ -65,14 +65,13 @@ export async function refineLogic(
     const traceId = uuidv4();
 
     // Verify project access
-    const { data: project, error: projectError } = await supabase
-        .from('projects')
-        .select('id, name')
-        .eq('id', projectId)
-        .eq('owner_id', userId)
-        .single();
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
 
-    if (projectError || !project) {
+    if (accessError || !hasAccess) {
         throw new Error(`Project access denied or not found: ${projectId}`);
     }
 

package/src/tools/update-roadmap.ts

@@ -40,18 +40,24 @@ export async function updateRoadmap(
     chunkId?: string,
     title?: string
 ): Promise<UpdateRoadmapResponse> {
-    // First, verify project ownership
-    const { data: project, error: projectError } = await supabase
-        .from('projects')
-        .select('id, name')
-        .eq('id', projectId)
-        .eq('owner_id', userId)
-        .single();
+    // 1. Verify project access
+    const { data: hasAccess, error: accessError } = await supabase
+        .rpc('check_project_access_secure', {
+            p_project_id: projectId,
+            p_user_id: userId
+        });
 
-    if (projectError || !project) {
+    if (accessError || !hasAccess) {
         throw new Error('Project not found or access denied');
     }
 
+    // 2. Fetch project details (for response message if needed)
+    const { data: project } = await supabase
+        .from('projects')
+        .select('name')
+        .eq('id', projectId)
+        .single();
+
     // Find the roadmap chunk
     let targetChunk: { id: string; title: string; status: string } | null = null;