@soulbatical/tetra-core 0.10.4 → 0.11.0

package/dist/shared/mcp/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/shared/mcp/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAG1D,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC5I,YAAY,EAAE,0BAA0B,EAAE,MAAM,qBAAqB,CAAC;AAGtE,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACjD,YAAY,EAAE,WAAW,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG/E,YAAY,EAAE,eAAe,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC"}

package/dist/shared/mcp/index.js

@@ -1,51 +0,0 @@
-/**
- * MCP Online Module
- *
- * Provides everything needed to expose MCP tools over HTTP:
- * - StreamableHTTP transport with Bearer token auth
- * - Browser-based login flow for token acquisition
- * - Token CRUD management
- * - Usage stats / audit logging
- * - Tenant isolation via AsyncLocalStorage
- *
- * Quick start:
- * ```typescript
- * import { addMcpRoutes, addMcpAuthRoutes, addMcpTokenRoutes, addMcpUsageRoutes } from '@soulbatical/tetra-core';
- * import { Router } from 'express';
- *
- * const tokenPrefix = 'myapp_';
- *
- * // MCP endpoint (Bearer API token auth)
- * const mcpRouter = Router();
- * addMcpRoutes(mcpRouter, { tools, handlers, tokenPrefix });
- * app.use('/api/mcp', mcpRouter);
- *
- * // Browser auth flow (public + JWT)
- * const mcpAuthRouter = Router();
- * addMcpAuthRoutes(mcpAuthRouter, { tokenPrefix });
- * app.use('/api/mcp-auth', mcpAuthRouter);
- *
- * // Token management (JWT auth)
- * const mcpTokensRouter = Router();
- * addMcpTokenRoutes(mcpTokensRouter, { tokenPrefix });
- * app.use('/api/mcp-tokens', mcpTokensRouter);
- *
- * // Usage stats (JWT auth)
- * const mcpUsageRouter = Router();
- * addMcpUsageRoutes(mcpUsageRouter);
- * app.use('/api/mcp-usage', mcpUsageRouter);
- * ```
- *
- * Database: requires `mcp_api_tokens` and `mcp_audit_log` tables.
- * See migrations/ directory for SQL.
- */
-// Routes
-export { addMcpRoutes } from './mcp-routes.js';
-export { addMcpAuthRoutes } from './mcp-auth-routes.js';
-export { addMcpTokenRoutes } from './mcp-tokens-routes.js';
-export { addMcpUsageRoutes } from './mcp-usage-routes.js';
-// Tenant context
-export { getMcpOrganizationId, getMcpTenantContext, runWithMcpTenant, validateMcpApiToken, generateMcpApiToken } from './tenant-context.js';
-// Database client for MCP tool handlers
-export { mcpDB, mcpScopedDB } from './mcp-db.js';
-//# sourceMappingURL=index.js.map

package/dist/shared/mcp/index.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/shared/mcp/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAEH,SAAS;AACT,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAE1D,iBAAiB;AACjB,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAG5I,wCAAwC;AACxC,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC"}

package/dist/shared/mcp/mcp-auth-routes.d.ts

@@ -1,26 +0,0 @@
-/**
- * MCP Auth Routes — Factory
- *
- * Browser-based login flow for MCP token acquisition.
- *
- * Flow:
- * 1. MCP client POST /request → gets request_id + login URL
- * 2. User opens browser, logs in
- * 3. Frontend calls POST /approve/:requestId (authenticated)
- * 4. MCP client polls GET /poll/:requestId → receives API token
- *
- * Usage:
- * ```typescript
- * import { addMcpAuthRoutes } from '@soulbatical/tetra-core';
- *
- * const mcpAuthRouter = Router();
- * addMcpAuthRoutes(mcpAuthRouter, {
- *   tokenPrefix: 'vincifox_',
- * });
- * app.use('/api/mcp-auth', mcpAuthRouter);
- * ```
- */
-import type { Router } from 'express';
-import type { McpAuthRoutesConfig } from './types.js';
-export declare function addMcpAuthRoutes(router: Router, config: McpAuthRoutesConfig): void;
-//# sourceMappingURL=mcp-auth-routes.d.ts.map

package/dist/shared/mcp/mcp-auth-routes.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"mcp-auth-routes.d.ts","sourceRoot":"","sources":["../../../src/shared/mcp/mcp-auth-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAqB,MAAM,SAAS,CAAC;AAKzD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAiCtD,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,mBAAmB,GAAG,IAAI,CA2HlF"}

package/dist/shared/mcp/mcp-auth-routes.js

@@ -1,141 +0,0 @@
-/**
- * MCP Auth Routes — Factory
- *
- * Browser-based login flow for MCP token acquisition.
- *
- * Flow:
- * 1. MCP client POST /request → gets request_id + login URL
- * 2. User opens browser, logs in
- * 3. Frontend calls POST /approve/:requestId (authenticated)
- * 4. MCP client polls GET /poll/:requestId → receives API token
- *
- * Usage:
- * ```typescript
- * import { addMcpAuthRoutes } from '@soulbatical/tetra-core';
- *
- * const mcpAuthRouter = Router();
- * addMcpAuthRoutes(mcpAuthRouter, {
- *   tokenPrefix: 'vincifox_',
- * });
- * app.use('/api/mcp-auth', mcpAuthRouter);
- * ```
- */
-import { randomUUID } from 'node:crypto';
-import { authenticateToken } from '../../middleware/authMiddleware.js';
-import { systemDB } from '../../core/systemDb.js';
-import { generateMcpApiToken } from './tenant-context.js';
-// In-memory store (short-lived, <5min)
-const pendingRequests = new Map();
-// Cleanup expired every 30s
-setInterval(() => {
-    const now = Date.now();
-    for (const [id, req] of pendingRequests) {
-        if (now - req.createdAt > 600_000) { // 10min hard limit
-            pendingRequests.delete(id);
-        }
-    }
-}, 30_000).unref();
-function getOrgId(req) {
-    const user = req.user;
-    return user?.activeOrganizationId || user?.active_organization_id || user?.organizationId || null;
-}
-function paramStr(value) {
-    return Array.isArray(value) ? value[0] : value || '';
-}
-export function addMcpAuthRoutes(router, config) {
-    const { tokenPrefix, frontendApprovalPath = '/app/settings/api-tokens', defaultDeviceName = 'Claude Code', expirySeconds = 300, } = config;
-    const frontendUrl = config.frontendUrl || process.env.FRONTEND_URL || 'http://localhost:3000';
-    // Lazy DB: only create client when first request arrives (not at mount time)
-    let _db = null;
-    const db = () => { if (!_db)
-        _db = systemDB('mcp-auth'); return _db; };
-    // POST /request — Create pending auth request
-    router.post('/request', (req, res) => {
-        const { device_name } = req.body || {};
-        const requestId = randomUUID();
-        pendingRequests.set(requestId, {
-            requestId,
-            deviceName: device_name || defaultDeviceName,
-            createdAt: Date.now(),
-        });
-        res.json({
-            request_id: requestId,
-            login_url: `${frontendUrl}${frontendApprovalPath}?mcp_auth=${requestId}`,
-            expires_in: expirySeconds,
-        });
-    });
-    // GET /status/:requestId — Check if request is valid (for frontend)
-    router.get('/status/:requestId', (req, res) => {
-        const requestId = paramStr(req.params.requestId);
-        const pending = pendingRequests.get(requestId);
-        if (!pending) {
-            res.status(404).json({ error: 'Auth request not found or expired' });
-            return;
-        }
-        const expiryMs = expirySeconds * 1000;
-        res.json({
-            status: pending.approved ? 'approved' : 'pending',
-            device_name: pending.deviceName,
-            expires_in: Math.max(0, Math.ceil((pending.createdAt + expiryMs - Date.now()) / 1000)),
-        });
-    });
-    // POST /approve/:requestId — Approve and generate token (requires JWT)
-    router.post('/approve/:requestId', authenticateToken, async (req, res) => {
-        try {
-            const requestId = paramStr(req.params.requestId);
-            const user = req.user;
-            const pending = pendingRequests.get(requestId);
-            if (!pending) {
-                res.status(404).json({ error: 'Auth request not found or expired' });
-                return;
-            }
-            if (pending.approved) {
-                res.status(409).json({ error: 'Already approved' });
-                return;
-            }
-            const organizationId = getOrgId(req);
-            if (!organizationId) {
-                res.status(400).json({ error: 'No active organization' });
-                return;
-            }
-            // Generate API token
-            const tokenName = `${pending.deviceName} (${new Date().toISOString().slice(0, 10)})`;
-            const token = await generateMcpApiToken(organizationId, tokenName, tokenPrefix, user.id);
-            // Get org name for display
-            const { data: org } = await db()
-                .from('organizations')
-                .select('name')
-                .eq('id', organizationId)
-                .single();
-            pending.apiToken = token;
-            pending.organizationName = org?.name || 'Unknown';
-            pending.approved = true;
-            res.json({ success: true, organization: org?.name });
-        }
-        catch (err) {
-            res.status(500).json({ error: 'Internal server error' });
-        }
-    });
-    // GET /poll/:requestId — Poll for token (MCP client side)
-    router.get('/poll/:requestId', (req, res) => {
-        const requestId = paramStr(req.params.requestId);
-        const pending = pendingRequests.get(requestId);
-        if (!pending) {
-            res.status(404).json({ error: 'Auth request not found or expired' });
-            return;
-        }
-        if (!pending.approved) {
-            res.json({ status: 'pending' });
-            return;
-        }
-        // Return token and clean up (one-time retrieval)
-        const result = {
-            status: 'approved',
-            api_token: pending.apiToken,
-            organization: pending.organizationName,
-        };
-        pendingRequests.delete(requestId);
-        res.json(result);
-    });
-}
-//# sourceMappingURL=mcp-auth-routes.js.map

package/dist/shared/mcp/mcp-auth-routes.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"mcp-auth-routes.js","sourceRoot":"","sources":["../../../src/shared/mcp/mcp-auth-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAGH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AACvE,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAClD,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAY1D,uCAAuC;AACvC,MAAM,eAAe,GAAG,IAAI,GAAG,EAA8B,CAAC;AAE9D,4BAA4B;AAC5B,WAAW,CAAC,GAAG,EAAE;IACf,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,EAAE,EAAE,GAAG,CAAC,IAAI,eAAe,EAAE,CAAC;QACxC,IAAI,GAAG,GAAG,GAAG,CAAC,SAAS,GAAG,OAAO,EAAE,CAAC,CAAC,mBAAmB;YACtD,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;AACH,CAAC,EAAE,MAAM,CAAC,CAAC,KAAK,EAAE,CAAC;AAEnB,SAAS,QAAQ,CAAC,GAAY;IAC5B,MAAM,IAAI,GAAI,GAAW,CAAC,IAAI,CAAC;IAC/B,OAAO,IAAI,EAAE,oBAAoB,IAAI,IAAI,EAAE,sBAAsB,IAAI,IAAI,EAAE,cAAc,IAAI,IAAI,CAAC;AACpG,CAAC;AAED,SAAS,QAAQ,CAAC,KAAoC;IACpD,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAc,EAAE,MAA2B;IAC1E,MAAM,EACJ,WAAW,EACX,oBAAoB,GAAG,0BAA0B,EACjD,iBAAiB,GAAG,aAAa,EACjC,aAAa,GAAG,GAAG,GACpB,GAAG,MAAM,CAAC;IAEX,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,uBAAuB,CAAC;IAE9F,6EAA6E;IAC7E,IAAI,GAAG,GAAuC,IAAI,CAAC;IACnD,MAAM,EAAE,GAAG,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG;QAAE,GAAG,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC;IAEvE,8CAA8C;IAC9C,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QACtD,MAAM,EAAE,WAAW,EAAE,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;QACvC,MAAM,SAAS,GAAG,UAAU,EAAE,CAAC;QAE/B,eAAe,CAAC,GAAG,CAAC,SAAS,EAAE;YAC7B,SAAS;YACT,UAAU,EAAE,WAAW,IAAI,iBAAiB;YAC5C,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,GAAG,CAAC,IAAI,CAAC;YACP,UAAU,EAAE,SAAS;YACrB,SAAS,EAAE,GAAG,WAAW,GAAG,oBAAoB,aAAa,SAAS,EAAE;YACxE,UAAU,EAAE,aAAa;SAC1B,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,oEAAoE;IACpE,MAAM,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QAC/D,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACjD,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAE/C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC,CAAC;YACrE,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAG,aAAa,GAAG,IAAI,CAAC;QACtC,GAAG,CAAC,IAAI,CAAC;YACP,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YACjD,WAAW,EAAE,OAAO,CAAC,UAAU;YAC/B,UAAU,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,SAAS,GAAG,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;SACvF,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,uEAAuE;IACvE,MAAM,CAAC,IAAI,CACT,qBAAqB,EACrB,iBAAiB,EACjB,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QACpC,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACjD,MAAM,IAAI,GAAI,GAAW,CAAC,IAAI,CAAC;YAE/B,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAC/C,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC,CAAC;gBACrE,OAAO;YACT,CAAC;YAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBACpD,OAAO;YACT,CAAC;YAED,MAAM,cAAc,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;YACrC,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC,CAAC;gBAC1D,OAAO;YACT,CAAC;YAED,qBAAqB;YACrB,MAAM,SAAS,GAAG,GAAG,OAAO,CAAC,UAAU,KAAK,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC;YACrF,MAAM,KAAK,GAAG,MAAM,mBAAmB,CAAC,cAAc,EAAE,SAAS,EAAE,WAAW,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;YAEzF,2BAA2B;YAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,MAAM,EAAE,EAAE;iBAC7B,IAAI,CAAC,eAAe,CAAC;iBACrB,MAAM,CAAC,MAAM,CAAC;iBACd,EAAE,CAAC,IAAI,EAAE,cAAc,CAAC;iBACxB,MAAM,EAAE,CAAC;YAEZ,OAAO,CAAC,QAAQ,GAAG,KAAK,CAAC;YACzB,OAAO,CAAC,gBAAgB,GAAG,GAAG,EAAE,IAAI,IAAI,SAAS,CAAC;YAClD,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;YAExB,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC,CACF,CAAC;IAEF,0DAA0D;IAC1D,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QAC7D,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACjD,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAE/C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC,CAAC;YACrE,OAAO;QACT,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;YACtB,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;YAChC,OAAO;QACT,CAAC;QAED,iDAAiD;QACjD,MAAM,MAAM,GAAG;YACb,MAAM,EAAE,UAAU;YAClB,SAAS,EAAE,OAAO,CAAC,QAAQ;YAC3B,YAAY,EAAE,OAAO,CAAC,gBAAgB;SACvC,CAAC;QAEF,eAAe,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAClC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACnB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/shared/mcp/mcp-db.d.ts

@@ -1,99 +0,0 @@
-/**
- * MCP Database Client
- *
- * Provides a tenant-scoped Supabase client for MCP tool handlers.
- * Replaces the `createAdminClient()` workaround used in projects like AgentRook.
- *
- * How it works:
- * 1. Reads the TenantContext from AsyncLocalStorage (set by addMcpRoutes)
- * 2. Returns a service_role client (bypasses RLS — MCP tools filter by org_id themselves)
- * 3. Includes the organization_id so tools can scope their queries
- *
- * Usage in MCP tool handlers:
- * ```typescript
- * import { mcpDB } from '@soulbatical/tetra-core/mcp';
- *
- * async function handleGenerateImage(args: Record<string, unknown>) {
- *   const { client, organizationId } = mcpDB();
- *
- *   // All queries are scoped to this org
- *   const { data } = await client
- *     .from('campaigns')
- *     .select('*')
- *     .eq('organization_id', organizationId);
- *
- *   // ...
- * }
- * ```
- *
- * For local/stdio MCP (no tenant context), use `mcpDB({ allowLocal: true })`
- * which returns a client without org scoping. The tool is responsible for
- * handling the missing org context.
- */
-import { type SupabaseClient } from '@supabase/supabase-js';
-export interface McpDBResult {
-    /** Supabase client (service_role, bypasses RLS) */
-    client: SupabaseClient;
-    /** Organization ID from the MCP API token */
-    organizationId: string;
-    /** Token ID for audit logging */
-    tokenId: string;
-}
-export interface McpDBLocalResult {
-    /** Supabase client (service_role, bypasses RLS) */
-    client: SupabaseClient;
-    /** Organization ID — undefined in local/stdio mode */
-    organizationId: string | undefined;
-    /** Token ID — undefined in local/stdio mode */
-    tokenId: string | undefined;
-}
-export interface McpDBOptions {
-    /**
-     * Allow usage without tenant context (local/stdio mode).
-     * When true, returns a client without org scoping.
-     * Default: false
-     */
-    allowLocal?: boolean;
-}
-/**
- * Get a tenant-scoped database client for MCP tool handlers.
- *
- * Must be called within a `runWithMcpTenant()` context (set automatically
- * by `addMcpRoutes`). Throws if no tenant context is found and
- * `allowLocal` is not set.
- *
- * @example
- * ```typescript
- * // Standard usage (online MCP with API key auth)
- * const { client, organizationId } = mcpDB();
- * const { data } = await client.from('items').select('*').eq('organization_id', organizationId);
- *
- * // Local/stdio mode (development, no API key)
- * const { client, organizationId } = mcpDB({ allowLocal: true });
- * if (!organizationId) {
- *   // Handle local mode — maybe use a default org or skip org filtering
- * }
- * ```
- */
-export declare function mcpDB(): McpDBResult;
-export declare function mcpDB(options: {
-    allowLocal: true;
-}): McpDBLocalResult;
-/**
- * Convenience wrapper that creates a scoped query builder.
- * Automatically adds `.eq('organization_id', orgId)` to every query.
- *
- * @example
- * ```typescript
- * const db = mcpScopedDB();
- * const { data } = await db.from('campaigns').select('*');
- * // Automatically filtered by organization_id
- * ```
- */
-export declare function mcpScopedDB(): {
-    from: (table: string) => ReturnType<SupabaseClient['from']>;
-    organizationId: string;
-    tokenId: string;
-    client: SupabaseClient;
-};
-//# sourceMappingURL=mcp-db.d.ts.map

package/dist/shared/mcp/mcp-db.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"mcp-db.d.ts","sourceRoot":"","sources":["../../../src/shared/mcp/mcp-db.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAEH,OAAO,EAAgB,KAAK,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAQ1E,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,EAAE,cAAc,CAAC;IACvB,6CAA6C;IAC7C,cAAc,EAAE,MAAM,CAAC;IACvB,iCAAiC;IACjC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,mDAAmD;IACnD,MAAM,EAAE,cAAc,CAAC;IACvB,sDAAsD;IACtD,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;IACnC,+CAA+C;IAC/C,OAAO,EAAE,MAAM,GAAG,SAAS,CAAC;CAC7B;AAED,MAAM,WAAW,YAAY;IAC3B;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAsBD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,KAAK,IAAI,WAAW,CAAC;AACrC,wBAAgB,KAAK,CAAC,OAAO,EAAE;IAAE,UAAU,EAAE,IAAI,CAAA;CAAE,GAAG,gBAAgB,CAAC;AAgCvE;;;;;;;;;;GAUG;AACH,wBAAgB,WAAW,IAAI;IAC7B,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,UAAU,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC;IAC5D,cAAc,EAAE,MAAM,CAAC;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,cAAc,CAAC;CACxB,CAqBA"}

package/dist/shared/mcp/mcp-db.js

@@ -1,106 +0,0 @@
-/**
- * MCP Database Client
- *
- * Provides a tenant-scoped Supabase client for MCP tool handlers.
- * Replaces the `createAdminClient()` workaround used in projects like AgentRook.
- *
- * How it works:
- * 1. Reads the TenantContext from AsyncLocalStorage (set by addMcpRoutes)
- * 2. Returns a service_role client (bypasses RLS — MCP tools filter by org_id themselves)
- * 3. Includes the organization_id so tools can scope their queries
- *
- * Usage in MCP tool handlers:
- * ```typescript
- * import { mcpDB } from '@soulbatical/tetra-core/mcp';
- *
- * async function handleGenerateImage(args: Record<string, unknown>) {
- *   const { client, organizationId } = mcpDB();
- *
- *   // All queries are scoped to this org
- *   const { data } = await client
- *     .from('campaigns')
- *     .select('*')
- *     .eq('organization_id', organizationId);
- *
- *   // ...
- * }
- * ```
- *
- * For local/stdio MCP (no tenant context), use `mcpDB({ allowLocal: true })`
- * which returns a client without org scoping. The tool is responsible for
- * handling the missing org context.
- */
-import { createClient } from '@supabase/supabase-js';
-import { getMcpTenantContext } from './tenant-context.js';
-import { createLogger } from '../../utils/logger.js';
-const logger = createLogger('mcp:db');
-// ── Singleton client ───────────────────────────────────
-let _client = null;
-function getServiceClient() {
-    if (!_client) {
-        const url = process.env.SUPABASE_URL;
-        const key = process.env.SUPABASE_SERVICE_ROLE_KEY;
-        if (!url || !key) {
-            throw new Error('mcpDB requires SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY');
-        }
-        _client = createClient(url, key, {
-            auth: { autoRefreshToken: false, persistSession: false },
-        });
-    }
-    return _client;
-}
-export function mcpDB(options) {
-    const ctx = getMcpTenantContext();
-    const client = getServiceClient();
-    if (!ctx) {
-        if (options?.allowLocal) {
-            logger.debug('mcpDB: no tenant context (local/stdio mode)');
-            return {
-                client,
-                organizationId: undefined,
-                tokenId: undefined,
-            };
-        }
-        throw new Error('mcpDB: no tenant context found. ' +
-            'Ensure this is called within an MCP tool handler (inside runWithMcpTenant). ' +
-            'For local/stdio mode, use mcpDB({ allowLocal: true }).');
-    }
-    logger.debug({ organizationId: ctx.organizationId }, 'mcpDB: tenant-scoped access');
-    return {
-        client,
-        organizationId: ctx.organizationId,
-        tokenId: ctx.tokenId,
-    };
-}
-// ── Convenience: scoped query helper ───────────────────
-/**
- * Convenience wrapper that creates a scoped query builder.
- * Automatically adds `.eq('organization_id', orgId)` to every query.
- *
- * @example
- * ```typescript
- * const db = mcpScopedDB();
- * const { data } = await db.from('campaigns').select('*');
- * // Automatically filtered by organization_id
- * ```
- */
-export function mcpScopedDB() {
-    const { client, organizationId, tokenId } = mcpDB();
-    return {
-        from: (table) => {
-            const query = client.from(table);
-            // Patch select/insert/update/delete to auto-scope
-            const original = query.select.bind(query);
-            const scopedQuery = Object.create(query);
-            // For SELECT queries, auto-add org filter
-            scopedQuery.select = (...args) => {
-                return original(...args).eq('organization_id', organizationId);
-            };
-            return scopedQuery;
-        },
-        organizationId,
-        tokenId,
-        client,
-    };
-}
-//# sourceMappingURL=mcp-db.js.map

package/dist/shared/mcp/mcp-db.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"mcp-db.js","sourceRoot":"","sources":["../../../src/shared/mcp/mcp-db.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAEH,OAAO,EAAE,YAAY,EAAuB,MAAM,uBAAuB,CAAC;AAC1E,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD,MAAM,MAAM,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;AA+BtC,0DAA0D;AAE1D,IAAI,OAAO,GAA0B,IAAI,CAAC;AAE1C,SAAS,gBAAgB;IACvB,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;QACrC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC;QAClD,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;QAC/E,CAAC;QACD,OAAO,GAAG,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE;YAC/B,IAAI,EAAE,EAAE,gBAAgB,EAAE,KAAK,EAAE,cAAc,EAAE,KAAK,EAAE;SACzD,CAAC,CAAC;IACL,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AA0BD,MAAM,UAAU,KAAK,CAAC,OAAsB;IAC1C,MAAM,GAAG,GAAG,mBAAmB,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;IAElC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,IAAI,OAAO,EAAE,UAAU,EAAE,CAAC;YACxB,MAAM,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAC;YAC5D,OAAO;gBACL,MAAM;gBACN,cAAc,EAAE,SAAS;gBACzB,OAAO,EAAE,SAAS;aACnB,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,KAAK,CACb,kCAAkC;YAClC,8EAA8E;YAC9E,wDAAwD,CACzD,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,EAAE,cAAc,EAAE,GAAG,CAAC,cAAc,EAAE,EAAE,6BAA6B,CAAC,CAAC;IAEpF,OAAO;QACL,MAAM;QACN,cAAc,EAAE,GAAG,CAAC,cAAc;QAClC,OAAO,EAAE,GAAG,CAAC,OAAO;KACrB,CAAC;AACJ,CAAC;AAED,0DAA0D;AAE1D;;;;;;;;;;GAUG;AACH,MAAM,UAAU,WAAW;IAMzB,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,GAAG,KAAK,EAAE,CAAC;IAEpD,OAAO;QACL,IAAI,EAAE,CAAC,KAAa,EAAE,EAAE;YACtB,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACjC,kDAAkD;YAClD,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC1C,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAEzC,0CAA0C;YAC1C,WAAW,CAAC,MAAM,GAAG,CAAC,GAAG,IAAqC,EAAE,EAAE;gBAChE,OAAO,QAAQ,CAAC,GAAG,IAAI,CAAC,CAAC,EAAE,CAAC,iBAAiB,EAAE,cAAc,CAAC,CAAC;YACjE,CAAC,CAAC;YAEF,OAAO,WAAW,CAAC;QACrB,CAAC;QACD,cAAc;QACd,OAAO;QACP,MAAM;KACP,CAAC;AACJ,CAAC"}

package/dist/shared/mcp/mcp-routes.d.ts

@@ -1,29 +0,0 @@
-/**
- * MCP StreamableHTTP Routes — Factory
- *
- * Creates an Express router that exposes MCP tools over HTTP
- * with Bearer token authentication, rate limiting, and audit logging.
- *
- * Usage:
- * ```typescript
- * import { addMcpRoutes } from '@soulbatical/tetra-core';
- *
- * const mcpRouter = Router();
- * addMcpRoutes(mcpRouter, {
- *   tools: myToolDefinitions,
- *   handlers: myToolHandlers,
- *   tokenPrefix: 'vincifox_',
- * });
- * app.use('/', mcpRouter); // or app.use('/api/mcp', ...) if behind a backend proxy
- * ```
- */
-import type { Router } from 'express';
-import type { McpRoutesConfig } from './types.js';
-/**
- * Add MCP StreamableHTTP routes to a router.
- *
- * The router handles POST (JSON-RPC requests), GET (SSE), and DELETE (cleanup).
- * Authentication is via Bearer token in the Authorization header.
- */
-export declare function addMcpRoutes(router: Router, config: McpRoutesConfig): void;
-//# sourceMappingURL=mcp-routes.d.ts.map

package/dist/shared/mcp/mcp-routes.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"mcp-routes.d.ts","sourceRoot":"","sources":["../../../src/shared/mcp/mcp-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAqB,MAAM,SAAS,CAAC;AAIzD,OAAO,KAAK,EAAE,eAAe,EAAiB,MAAM,YAAY,CAAC;AA8CjE;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,GAAG,IAAI,CA2I1E"}

package/dist/shared/mcp/mcp-routes.js

@@ -1,171 +0,0 @@
-/**
- * MCP StreamableHTTP Routes — Factory
- *
- * Creates an Express router that exposes MCP tools over HTTP
- * with Bearer token authentication, rate limiting, and audit logging.
- *
- * Usage:
- * ```typescript
- * import { addMcpRoutes } from '@soulbatical/tetra-core';
- *
- * const mcpRouter = Router();
- * addMcpRoutes(mcpRouter, {
- *   tools: myToolDefinitions,
- *   handlers: myToolHandlers,
- *   tokenPrefix: 'vincifox_',
- * });
- * app.use('/', mcpRouter); // or app.use('/api/mcp', ...) if behind a backend proxy
- * ```
- */
-import { createLogger } from '../../utils/logger.js';
-import { systemDB } from '../../core/systemDb.js';
-import { validateMcpApiToken, runWithMcpTenant } from './tenant-context.js';
-const logger = createLogger('mcp:routes');
-const rateBuckets = new Map();
-// Clean up expired buckets every 5 min
-setInterval(() => {
-    const now = Date.now();
-    for (const [key, bucket] of rateBuckets) {
-        if (now > bucket.resetAt) {
-            rateBuckets.delete(key);
-        }
-    }
-}, 5 * 60 * 1000).unref();
-function checkRateLimit(tokenId, max, windowMs) {
-    const now = Date.now();
-    let bucket = rateBuckets.get(tokenId);
-    if (!bucket || now > bucket.resetAt) {
-        bucket = { count: 0, resetAt: now + windowMs };
-        rateBuckets.set(tokenId, bucket);
-    }
-    bucket.count++;
-    const remaining = Math.max(0, max - bucket.count);
-    return {
-        allowed: bucket.count <= max,
-        remaining,
-        resetAt: bucket.resetAt,
-    };
-}
-/**
- * Add MCP StreamableHTTP routes to a router.
- *
- * The router handles POST (JSON-RPC requests), GET (SSE), and DELETE (cleanup).
- * Authentication is via Bearer token in the Authorization header.
- */
-export function addMcpRoutes(router, config) {
-    const { tools, handlers, tokenPrefix, rateLimitMax = 100, rateLimitWindowMs = 15 * 60 * 1000, enableAuditLog = true, onAuthenticate, } = config;
-    const db = enableAuditLog ? systemDB('mcp-audit') : null;
-    // Audit logging (fire-and-forget)
-    function logToolCall(tokenId, organizationId, toolName) {
-        if (!db)
-            return;
-        db.from('mcp_audit_log')
-            .insert({ token_id: tokenId, organization_id: organizationId, tool_name: toolName })
-            .then(() => { });
-    }
-    // Auth helper — uses custom onAuthenticate if provided, else default mcp_api_tokens lookup
-    async function authenticateRequest(req, res) {
-        const authHeader = req.headers.authorization;
-        if (!authHeader || !authHeader.startsWith('Bearer ')) {
-            res.status(401).json({ error: 'Missing or invalid Authorization header' });
-            return null;
-        }
-        const token = authHeader.substring(7);
-        try {
-            if (onAuthenticate) {
-                return await onAuthenticate(token);
-            }
-            return await validateMcpApiToken(token, tokenPrefix);
-        }
-        catch (error) {
-            const message = error instanceof Error ? error.message : 'Authentication failed';
-            res.status(401).json({ error: message });
-            return null;
-        }
-    }
-    // Lazy import MCP SDK (peer dependency)
-    let mcpSdkLoaded = false;
-    let Server;
-    let StreamableHTTPServerTransport;
-    let CallToolRequestSchema;
-    let ListToolsRequestSchema;
-    async function ensureMcpSdk() {
-        if (mcpSdkLoaded)
-            return;
-        const serverMod = await import('@modelcontextprotocol/sdk/server/index.js');
-        const transportMod = await import('@modelcontextprotocol/sdk/server/streamableHttp.js');
-        const typesMod = await import('@modelcontextprotocol/sdk/types.js');
-        Server = serverMod.Server;
-        StreamableHTTPServerTransport = transportMod.StreamableHTTPServerTransport;
-        CallToolRequestSchema = typesMod.CallToolRequestSchema;
-        ListToolsRequestSchema = typesMod.ListToolsRequestSchema;
-        mcpSdkLoaded = true;
-    }
-    // Create MCP server instance
-    function createMcpServer(tenant) {
-        const server = new Server({ name: 'tetra-mcp', version: '1.0.0' }, { capabilities: { tools: {} } });
-        server.setRequestHandler(ListToolsRequestSchema, async () => ({
-            tools,
-        }));
-        server.setRequestHandler(CallToolRequestSchema, async (request) => {
-            const { name, arguments: args = {} } = request.params;
-            const handler = handlers[name];
-            if (!handler) {
-                throw new Error(`Unknown tool: ${name}`);
-            }
-            logToolCall(tenant.tokenId, tenant.organizationId, name);
-            return handler(args);
-        });
-        return server;
-    }
-    // Main endpoint
-    router.all('/', async (req, res) => {
-        const tenant = await authenticateRequest(req, res);
-        if (!tenant)
-            return;
-        // Rate limit
-        const rateResult = checkRateLimit(tenant.tokenId, rateLimitMax, rateLimitWindowMs);
-        res.setHeader('X-RateLimit-Limit', rateLimitMax);
-        res.setHeader('X-RateLimit-Remaining', rateResult.remaining);
-        res.setHeader('X-RateLimit-Reset', Math.ceil(rateResult.resetAt / 1000));
-        if (!rateResult.allowed) {
-            res.status(429).json({
-                error: 'Rate limit exceeded',
-                retry_after: Math.ceil((rateResult.resetAt - Date.now()) / 1000),
-            });
-            return;
-        }
-        // Lazy-load MCP SDK
-        try {
-            await ensureMcpSdk();
-        }
-        catch (err) {
-            logger.error({ err }, 'Failed to load @modelcontextprotocol/sdk — is it installed?');
-            res.status(500).json({ error: 'MCP SDK not available' });
-            return;
-        }
-        const transport = new StreamableHTTPServerTransport({
-            sessionIdGenerator: undefined,
-        });
-        const server = createMcpServer(tenant);
-        try {
-            await server.connect(transport);
-            await runWithMcpTenant(tenant, async () => {
-                await transport.handleRequest(req, res, req.body);
-            });
-        }
-        catch (error) {
-            if (!res.headersSent) {
-                res.status(500).json({
-                    error: 'MCP request failed',
-                    details: error instanceof Error ? error.message : 'Unknown error',
-                });
-            }
-        }
-        finally {
-            await transport.close().catch(() => { });
-            await server.close().catch(() => { });
-        }
-    });
-}
-//# sourceMappingURL=mcp-routes.js.map