@sealab/mcp-server 1.0.1 → 1.0.3

package/src/tools/orders.ts

@@ -212,7 +212,7 @@ async function applySavedSettingsToArticles<T extends { settingsName?: string; [
   return Promise.all(articles.map(applySavedSettingToArticle));
 }
 
-const ArticleItemSchema = z.object({
+export const ArticleItemSchema = z.object({
   serialNumber: z.string(),
   positionName: z.string().max(25).describe(
     'Unique label for this cabinet within the order. Must be unique across ALL articles in the order. ' +

package/src/tools/permissions.ts

@@ -0,0 +1,169 @@
+import { z } from 'zod';
+import { client, handleAxiosError } from '../client/api-client';
+
+// ─── Schemas ─────────────────────────────────────────────────────────────────
+
+const ShareOrderSchema = z.object({
+  orderId: z.string().describe('The order ID to share access to.'),
+  grantedToEmail: z.string().describe('Email address of the user to grant access to.'),
+  permissionType: z.enum(['VIEW', 'EDIT', 'ADMIN']).default('VIEW').describe(
+    'Permission level to grant. VIEW = read-only (default), EDIT = can modify order options, ADMIN = full control.'
+  ),
+  hidePrice: z.boolean().default(false).describe(
+    'Whether to hide pricing information from this user. Defaults to false.'
+  ),
+});
+
+const UpdateOrderAccessSchema = z.object({
+  orderId: z.string().describe('The order ID whose permission you want to update.'),
+  grantedToEmail: z.string().describe('Email address of the user whose permission to update.'),
+  permissionType: z.enum(['VIEW', 'EDIT', 'ADMIN']).describe(
+    'New permission level. VIEW = read-only, EDIT = can modify order options, ADMIN = full control.'
+  ),
+  hidePrice: z.boolean().default(false).describe(
+    'Whether to hide pricing information from this user.'
+  ),
+});
+
+const RevokeOrderAccessSchema = z.object({
+  orderId: z.string().describe('The order ID to revoke access from.'),
+  email: z.string().describe('Email address of the user whose access to revoke.'),
+});
+
+const ListOrderAccessSchema = z.object({
+  orderId: z.string().describe('The order ID to list shared access for.'),
+});
+
+// ─── Handlers ────────────────────────────────────────────────────────────────
+
+export async function shareOrderAccess(input: z.infer<typeof ShareOrderSchema>): Promise<string> {
+  try {
+    const { data } = await client.post(`/orders/${input.orderId}/permissions/grant`, {
+      grantedToEmail: input.grantedToEmail,
+      permissionType: input.permissionType,
+      hidePrice: input.hidePrice,
+    });
+    const priceNote = input.hidePrice ? ' Prices will be hidden from them.' : '';
+    return `Access granted. ${input.grantedToEmail} now has ${input.permissionType} access to order ${input.orderId}.${priceNote} They will receive an email notification.`;
+  } catch (error) {
+    try { handleAxiosError(error); } catch (e: any) { return e.message; }
+    return 'Unexpected error granting order access.';
+  }
+}
+
+export async function updateOrderAccess(input: z.infer<typeof UpdateOrderAccessSchema>): Promise<string> {
+  try {
+    await client.put(`/orders/${input.orderId}/permissions/update`, {
+      grantedToEmail: input.grantedToEmail,
+      permissionType: input.permissionType,
+      hidePrice: input.hidePrice,
+    });
+    const priceNote = input.hidePrice ? ' Prices are hidden from them.' : ' Prices are visible to them.';
+    return `Permission updated. ${input.grantedToEmail} now has ${input.permissionType} access to order ${input.orderId}.${priceNote}`;
+  } catch (error) {
+    try { handleAxiosError(error); } catch (e: any) { return e.message; }
+    return 'Unexpected error updating order access.';
+  }
+}
+
+export async function revokeOrderAccess(input: z.infer<typeof RevokeOrderAccessSchema>): Promise<string> {
+  try {
+    await client.delete(`/orders/${input.orderId}/permissions/revoke`, {
+      params: { email: input.email },
+    });
+    return `Access revoked. ${input.email} can no longer access order ${input.orderId}.`;
+  } catch (error) {
+    try { handleAxiosError(error); } catch (e: any) { return e.message; }
+    return 'Unexpected error revoking order access.';
+  }
+}
+
+export async function listOrderAccess(input: z.infer<typeof ListOrderAccessSchema>): Promise<string> {
+  try {
+    const { data } = await client.get(`/orders/${input.orderId}/permissions`);
+    if (!data || data.length === 0) {
+      return `No shared access on order ${input.orderId}. Only you can view it.`;
+    }
+    const lines: string[] = [`Shared access for order ${input.orderId}:\n`];
+    for (const p of data) {
+      const priceNote = p.hidePrice ? ' | Prices hidden' : '';
+      const grantedDate = p.grantedDate ? ` | Granted: ${p.grantedDate.split('T')[0]}` : '';
+      lines.push(`• ${p.grantedToEmail} — ${p.permissionType}${priceNote}${grantedDate}`);
+    }
+    return lines.join('\n');
+  } catch (error) {
+    try { handleAxiosError(error); } catch (e: any) { return e.message; }
+    return 'Unexpected error listing order access.';
+  }
+}
+
+// ─── Tool Definitions ─────────────────────────────────────────────────────────
+
+export const permissionTools = [
+  {
+    name: 'share_order_access',
+    description: `Grant another user access to one of your orders.
+
+Use when the user says things like:
+- "Share order 12345 with someone@email.com"
+- "Give Jane access to my order"
+- "Let my contractor view this order without seeing prices"
+
+BEFORE calling, confirm with the user:
+- The order ID
+- The recipient's email address
+- Permission level: VIEW (read-only, default), EDIT (modify options), ADMIN (full control)
+- Whether to hide prices from the recipient (default: no)
+
+After granting:
+- The recipient receives an email notification
+- They log in to their Sealab account to view the shared order
+- You can update or revoke access at any time using the other permission tools
+
+Rules enforced by the system:
+- You can only share your own orders
+- Cannot share with yourself
+- Maximum 50 users per order`,
+    inputSchema: ShareOrderSchema,
+    handler: shareOrderAccess,
+  },
+  {
+    name: 'update_order_access',
+    description: `Update the permission level or price visibility for a user who already has access to one of your orders.
+
+Use when the user wants to:
+- Change someone's permission from VIEW to EDIT or ADMIN
+- Toggle whether prices are hidden for a specific user
+- Adjust existing shared access without revoking and re-granting
+
+Requires the order ID, the user's email, the new permission type, and the new hidePrice setting.`,
+    inputSchema: UpdateOrderAccessSchema,
+    handler: updateOrderAccess,
+  },
+  {
+    name: 'revoke_order_access',
+    description: `Revoke a user's access to one of your orders.
+
+Use when the user wants to:
+- Remove someone's access to an order
+- Revoke a collaborator or contractor's view of an order
+
+After revoking, the user immediately loses access. No email notification is sent on revocation.
+
+Requires the order ID and the email address of the user whose access to remove.`,
+    inputSchema: RevokeOrderAccessSchema,
+    handler: revokeOrderAccess,
+  },
+  {
+    name: 'list_order_access',
+    description: `List all users who currently have shared access to one of your orders.
+
+Returns each user's email, permission level (VIEW/EDIT/ADMIN), whether prices are hidden for them, and the date access was granted.
+
+Use when the user asks:
+- "Who has access to order 12345?"
+- "Show me who I've shared this order with"`,
+    inputSchema: ListOrderAccessSchema,
+    handler: listOrderAccess,
+  },
+];