npm - @roadmapperai/mcp - Versions diffs - 0.1.0 → 0.2.0 - Mend

@roadmapperai/mcp 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/server.mjs +49 -3

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@roadmapperai/mcp",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Roadmapper AI MCP server — exposes a planning surface (themes, capabilities, tasks, sprints, PRs) to coding agents via stdio JSON-RPC. Pairs with the Roadmapper AI workspace at dashboard.roadmapperai.com.",
   "keywords": [
     "mcp",

package/server.mjs CHANGED Viewed

@@ -129,6 +129,18 @@ function supabaseConfig() {
     readKey: readKey(),
     writeKey: process.env.SUPABASE_SERVICE_ROLE_KEY || null,
     workspaceId: process.env.SUPABASE_WORKSPACE_ID || null,
+    // ROADMAPPER_API_KEY is the customer-facing path: a per-workspace
+    // token (rmpr_…) minted from the dashboard. When set, write tools
+    // route through the mcp-broker Edge Function instead of needing
+    // a service-role key on the customer's machine. The broker URL
+    // defaults to the public Supabase project's edge endpoint but is
+    // overridable for self-hosted deployments / staging.
+    apiKey: process.env.ROADMAPPER_API_KEY || null,
+    brokerUrl:
+      process.env.ROADMAPPER_BROKER_URL ||
+      (process.env.SUPABASE_URL
+        ? `${process.env.SUPABASE_URL.replace(/\/$/, "")}/functions/v1/mcp-broker`
+        : null),
   };
 }
@@ -350,12 +362,46 @@ function stripUndefined(o) {
  * function bodies.
  */
 async function rpcCall(fn, body) {
-  const { url, writeKey } = supabaseConfig();
+  const { url, writeKey, apiKey, brokerUrl } = supabaseConfig();
   // body must already carry p_workspace_id — the per-tool resolver
   // injects it before calling rpcCall so the override path works.
-  if (!url || !writeKey || !body?.p_workspace_id) {
+  if (!url || !body?.p_workspace_id) {
     throw new Error(
-      "Write tools require SUPABASE_URL + SUPABASE_SERVICE_ROLE_KEY in env and a resolvable workspaceId (either SUPABASE_WORKSPACE_ID env or workspaceId arg)."
+      "Write tools require SUPABASE_URL in env and a resolvable workspaceId (either SUPABASE_WORKSPACE_ID env or workspaceId arg)."
+    );
+  }
+  // Customer path: ROADMAPPER_API_KEY routes through the mcp-broker
+  // Edge Function, which validates the key, hashes it against
+  // workspace_api_keys, and performs the RPC with service-role
+  // credentials never leaving the server side. This is what the
+  // published @roadmapperai/mcp package uses; customers' machines
+  // never see SUPABASE_SERVICE_ROLE_KEY.
+  if (apiKey && brokerUrl) {
+    const res = await fetch(brokerUrl, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${apiKey}`,
+        "content-type": "application/json",
+        Accept: "application/json",
+      },
+      body: JSON.stringify({ rpc: fn, body }),
+    });
+    if (!res.ok) {
+      const txt = await res.text();
+      throw new Error(
+        `mcp-broker rejected ${fn}: ${res.status} ${txt.slice(0, 300)}`
+      );
+    }
+    return res.json();
+  }
+  // Operator / dev path: SUPABASE_SERVICE_ROLE_KEY in env — bypasses
+  // RLS and the broker. Used in CI and the maintainer's local
+  // workspace; not what customers should ever configure.
+  if (!writeKey) {
+    throw new Error(
+      "Write tools require either ROADMAPPER_API_KEY (customer path) or SUPABASE_SERVICE_ROLE_KEY (operator path)."
     );
   }
   const res = await fetch(`${url}/rest/v1/rpc/${fn}`, {