@tiangong-lca/mcp-server 0.0.16 → 0.0.18

package/dist/src/_shared/auth_middleware.js

@@ -3,11 +3,43 @@ import { Redis } from '@upstash/redis';
 import { authenticateCognitoToken } from './cognito_auth.js';
 import { redis_token, redis_url, supabase_base_url, supabase_publishable_key } from './config.js';
 import decodeApiKey from './decode_api_key.js';
+import { normalizeSupabaseSession } from './supabase_session.js';
 const supabase = createClient(supabase_base_url, supabase_publishable_key);
 const redis = new Redis({
     url: redis_url,
     token: redis_token,
 });
+const SESSION_EXPIRY_BUFFER_SECONDS = 30;
+function isSupabaseSessionReusable(session) {
+    if (!session) {
+        return false;
+    }
+    if (typeof session.access_token !== 'string' || session.access_token.length === 0) {
+        return false;
+    }
+    const expiresAt = typeof session.expires_at === 'number'
+        ? session.expires_at
+        : session.expires_at === null
+            ? null
+            : undefined;
+    if (!expiresAt) {
+        return false;
+    }
+    const nowSeconds = Math.floor(Date.now() / 1000);
+    return expiresAt - nowSeconds > SESSION_EXPIRY_BUFFER_SECONDS;
+}
+function calculateCacheTtlSeconds(session) {
+    const expiresAt = typeof session.expires_at === 'number' ? session.expires_at : null;
+    if (!expiresAt) {
+        return null;
+    }
+    const nowSeconds = Math.floor(Date.now() / 1000);
+    const remaining = Math.floor(expiresAt - nowSeconds);
+    if (remaining <= 0) {
+        return null;
+    }
+    return Math.max(1, Math.min(remaining, 3600));
+}
 export function getTokenType(bearerKey) {
     const jwtPattern = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
     if (jwtPattern.test(bearerKey)) {
@@ -51,38 +83,89 @@ async function authenticateApiKeyRequest(bearerKey) {
     const credentials = decodeApiKey(bearerKey);
     if (credentials) {
         const { email = '', password = '' } = credentials;
-        const userIdFromRedis = await redis.get('lca_' + email);
-        if (!userIdFromRedis) {
-            const { data, error } = await supabase.auth.signInWithPassword({
-                email: email,
-                password: password,
-            });
-            if (error) {
-                return {
-                    isAuthenticated: false,
-                    response: 'Unauthorized',
-                };
+        const cacheKey = 'lca_' + email;
+        const cachedPayload = (await redis.get(cacheKey));
+        let cachedUserId;
+        let cachedSession;
+        if (cachedPayload) {
+            const applyCachedObject = (record) => {
+                const recordUserId = record['userId'];
+                if (typeof recordUserId === 'string') {
+                    cachedUserId = recordUserId;
+                }
+                if ('session' in record) {
+                    const normalized = normalizeSupabaseSession(record['session']);
+                    if (normalized) {
+                        cachedSession = normalized;
+                    }
+                }
+            };
+            if (typeof cachedPayload === 'string') {
+                try {
+                    const parsed = JSON.parse(cachedPayload);
+                    applyCachedObject(parsed);
+                }
+                catch (_error) {
+                    cachedUserId = cachedPayload;
+                }
             }
-            if (data.user.role !== 'authenticated') {
-                return {
-                    isAuthenticated: false,
-                    response: 'You are not an authenticated user.',
-                };
+            else if (typeof cachedPayload === 'object') {
+                applyCachedObject(cachedPayload);
             }
-            else {
-                await redis.setex('lca_' + email, 3600, data.user.id);
-                return {
-                    isAuthenticated: true,
-                    response: data.user.id,
-                    userId: data.user.id,
-                    email: data.user.email,
-                };
+        }
+        if (cachedUserId && isSupabaseSessionReusable(cachedSession)) {
+            const ttlSeconds = calculateCacheTtlSeconds(cachedSession);
+            if (ttlSeconds) {
+                try {
+                    await redis.expire(cacheKey, ttlSeconds);
+                }
+                catch (error) {
+                    console.warn('Failed to refresh Redis TTL for cached Supabase session:', error);
+                }
             }
+            return {
+                isAuthenticated: true,
+                response: cachedUserId,
+                userId: cachedUserId,
+                email,
+                supabaseSession: cachedSession,
+            };
         }
+        const { data, error } = await supabase.auth.signInWithPassword({
+            email,
+            password,
+        });
+        if (error || !data.user) {
+            return {
+                isAuthenticated: false,
+                response: 'Unauthorized',
+            };
+        }
+        if (data.user.role !== 'authenticated') {
+            return {
+                isAuthenticated: false,
+                response: 'You are not an authenticated user.',
+            };
+        }
+        const sessionTokens = data.session?.access_token
+            ? {
+                access_token: data.session.access_token,
+                refresh_token: data.session.refresh_token ?? null,
+                expires_at: typeof data.session.expires_at === 'number' ? data.session.expires_at : null,
+            }
+            : undefined;
+        const cacheValue = {
+            userId: data.user.id,
+            session: sessionTokens ?? null,
+        };
+        const cacheTtl = sessionTokens ? (calculateCacheTtlSeconds(sessionTokens) ?? 3600) : 3600;
+        await redis.setex(cacheKey, cacheTtl, JSON.stringify(cacheValue));
         return {
             isAuthenticated: true,
-            response: String(userIdFromRedis),
-            userId: String(userIdFromRedis),
+            response: data.user.id,
+            userId: data.user.id,
+            email: data.user.email ?? email,
+            supabaseSession: sessionTokens,
         };
     }
     return {
@@ -91,7 +174,6 @@ async function authenticateApiKeyRequest(bearerKey) {
     };
 }
 async function authenticateSupabaseRequest(bearerKey) {
-    console.log(bearerKey);
     const { data: authData } = await supabase.auth.getUser(bearerKey);
     if (authData.user?.role === 'authenticated') {
         return {
@@ -99,6 +181,9 @@ async function authenticateSupabaseRequest(bearerKey) {
             response: authData.user?.id,
             userId: authData.user?.id,
             email: authData.user?.email,
+            supabaseSession: {
+                access_token: bearerKey,
+            },
         };
     }
     if (!authData || !authData.user) {
@@ -120,5 +205,8 @@ async function authenticateSupabaseRequest(bearerKey) {
         response: authData.user.id,
         userId: authData.user.id,
         email: authData.user.email,
+        supabaseSession: {
+            access_token: bearerKey,
+        },
     };
 }

package/dist/src/_shared/init_server_http.js

@@ -1,8 +1,9 @@
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { regBomCalculationTool } from '../tools/bom_calculation.js';
+import { regCrudTool } from '../tools/db_crud.js';
 import { regFlowSearchTool } from '../tools/flow_hybrid_search.js';
 import { regProcessSearchTool } from '../tools/process_hybrid_search.js';
-export function initializeServer(bearerKey) {
+export function initializeServer(bearerKey, supabaseSession) {
     const server = new McpServer({
         name: 'TianGong-LCA-MCP-Server',
         version: '1.0.0',
@@ -10,8 +11,9 @@ export function initializeServer(bearerKey) {
     regFlowSearchTool(server, bearerKey);
     regProcessSearchTool(server, bearerKey);
     regBomCalculationTool(server);
+    regCrudTool(server, supabaseSession ?? bearerKey);
     return server;
 }
-export function getServer(bearerKey) {
-    return initializeServer(bearerKey);
+export function getServer(bearerKey, supabaseSession) {
+    return initializeServer(bearerKey, supabaseSession);
 }

package/dist/src/_shared/supabase_session.js

@@ -0,0 +1,89 @@
+function isNonEmptyString(value) {
+    return typeof value === 'string' && value.length > 0;
+}
+function normalizeRefreshToken(value) {
+    if (typeof value === 'string') {
+        return value;
+    }
+    if (value === null) {
+        return null;
+    }
+    return undefined;
+}
+function normalizeExpiresAt(value) {
+    if (typeof value === 'number') {
+        return value;
+    }
+    if (value === null) {
+        return null;
+    }
+    return undefined;
+}
+const nestedSessionKeys = ['session', 'supabaseSession', 'supabaseSessionTokens'];
+export function normalizeSupabaseSession(input) {
+    if (!input) {
+        return undefined;
+    }
+    if (typeof input === 'string') {
+        const trimmed = input.trim();
+        if (!trimmed.startsWith('{')) {
+            return undefined;
+        }
+        try {
+            const parsed = JSON.parse(trimmed);
+            return normalizeSupabaseSession(parsed);
+        }
+        catch (_error) {
+            return undefined;
+        }
+    }
+    if (typeof input !== 'object') {
+        return undefined;
+    }
+    const record = input;
+    const candidateAccessToken = record['access_token'] ?? record['accessToken'];
+    const accessToken = isNonEmptyString(candidateAccessToken) ? candidateAccessToken : undefined;
+    if (accessToken) {
+        const candidateRefreshToken = record['refresh_token'] ?? record['refreshToken'];
+        const refreshToken = normalizeRefreshToken(candidateRefreshToken);
+        const candidateExpiresAt = record['expires_at'] ?? record['expiresAt'];
+        const expiresAt = normalizeExpiresAt(candidateExpiresAt);
+        const normalized = {
+            access_token: accessToken,
+        };
+        if (refreshToken !== undefined) {
+            normalized.refresh_token = refreshToken;
+        }
+        if (expiresAt !== undefined) {
+            normalized.expires_at = expiresAt;
+        }
+        return normalized;
+    }
+    for (const key of nestedSessionKeys) {
+        if (key in record) {
+            const nestedValue = record[key];
+            if (nestedValue && nestedValue !== input) {
+                const normalized = normalizeSupabaseSession(nestedValue);
+                if (normalized) {
+                    return normalized;
+                }
+            }
+        }
+    }
+    return undefined;
+}
+export function resolveSupabaseAccessToken(input) {
+    const session = normalizeSupabaseSession(input);
+    if (session) {
+        return {
+            session,
+            accessToken: session.access_token,
+        };
+    }
+    if (typeof input === 'string' && input.trim().length > 0) {
+        return {
+            accessToken: input.trim(),
+        };
+    }
+    return {};
+}

package/dist/src/index_server.js

@@ -35,6 +35,7 @@ const authenticateBearer = async (req, res, next) => {
         return;
     }
     req.bearerKey = bearerKey;
+    req.supabaseSession = authResult.supabaseSession;
     next();
 };
 const app = express();
@@ -53,7 +54,7 @@ app.use((req, res, next) => {
 });
 app.post('/mcp', authenticateBearer, async (req, res) => {
     try {
-        const server = getServer(req.bearerKey);
+        const server = getServer(req.bearerKey, req.supabaseSession);
         const transport = new StreamableHTTPServerTransport({
             sessionIdGenerator: undefined,
         });

package/dist/src/tools/db_crud.js

@@ -0,0 +1,346 @@
+import { randomUUID } from 'node:crypto';
+import { createClient, FunctionRegion } from '@supabase/supabase-js';
+import { createContact, createFlow, createLifeCycleModel, createProcess, createSource, } from '@tiangong-lca/tidas-sdk/core';
+import { z } from 'zod';
+import { supabase_base_url, supabase_publishable_key } from '../_shared/config.js';
+import { resolveSupabaseAccessToken } from '../_shared/supabase_session.js';
+const allowedTables = ['contacts', 'flows', 'lifecyclemodels', 'processes', 'sources'];
+const tableSchema = z.enum(allowedTables);
+const UPDATE_FUNCTION_NAME = 'update_data';
+const tablePrimaryKey = {
+    contacts: 'id',
+    flows: 'id',
+    lifecyclemodels: 'id',
+    processes: 'id',
+    sources: 'id',
+};
+function getPrimaryKeyColumn(table) {
+    return tablePrimaryKey[table] ?? 'id';
+}
+const jsonValueSchema = z.lazy(() => z.union([
+    z.string(),
+    z.number(),
+    z.boolean(),
+    z.null(),
+    z.array(jsonValueSchema),
+    z.record(jsonValueSchema),
+]));
+const filterValueSchema = z.union([
+    z.string(),
+    z.number(),
+    z.boolean(),
+    z.null(),
+]);
+const filtersSchema = z.record(filterValueSchema);
+const toolParamsSchema = {
+    operation: z
+        .enum(['select', 'insert', 'update', 'delete'])
+        .describe('CRUD operation to perform: select optionally accepts limit/id/version/filters, insert requires jsonOrdered (id auto-generated), update requires id/version/jsonOrdered, delete requires id/version.'),
+    table: tableSchema.describe('Target table for the operation; must be one of contacts, flows, lifecyclemodels, processes, or sources.'),
+    limit: z
+        .number()
+        .int()
+        .positive()
+        .optional()
+        .describe('Maximum number of records to return (select only).'),
+    id: z
+        .string()
+        .uuid()
+        .optional()
+        .describe('UUID string stored in the `id` column (required for update/delete, optional filter for select).'),
+    version: z
+        .string()
+        .min(1)
+        .optional()
+        .describe('String stored in the `version` column (required for update/delete, optional filter for select).'),
+    filters: filtersSchema
+        .optional()
+        .describe('Optional equality filters as JSON object, e.g. { "name": "Example" }. Only used for select operations. Leave empty for insert/update/delete operations.'),
+    jsonOrdered: jsonValueSchema
+        .optional()
+        .describe('JSON value persisted into json_ordered (required for insert/update; omit for select/delete).'),
+};
+const refinedInputSchema = z
+    .object(toolParamsSchema)
+    .strict()
+    .superRefine((data, ctx) => {
+    switch (data.operation) {
+        case 'insert':
+            if (data.jsonOrdered === undefined) {
+                ctx.addIssue({
+                    code: z.ZodIssueCode.custom,
+                    message: 'jsonOrdered is required for insert operations.',
+                    path: ['jsonOrdered'],
+                });
+            }
+            break;
+        case 'update':
+            if (data.id === undefined) {
+                ctx.addIssue({
+                    code: z.ZodIssueCode.custom,
+                    message: 'id is required for update operations.',
+                    path: ['id'],
+                });
+            }
+            if (data.version === undefined) {
+                ctx.addIssue({
+                    code: z.ZodIssueCode.custom,
+                    message: 'version is required for update operations.',
+                    path: ['version'],
+                });
+            }
+            if (data.jsonOrdered === undefined) {
+                ctx.addIssue({
+                    code: z.ZodIssueCode.custom,
+                    message: 'jsonOrdered is required for update operations.',
+                    path: ['jsonOrdered'],
+                });
+            }
+            break;
+        case 'delete':
+            if (data.id === undefined) {
+                ctx.addIssue({
+                    code: z.ZodIssueCode.custom,
+                    message: 'id is required for delete operations.',
+                    path: ['id'],
+                });
+            }
+            if (data.version === undefined) {
+                ctx.addIssue({
+                    code: z.ZodIssueCode.custom,
+                    message: 'version is required for delete operations.',
+                    path: ['version'],
+                });
+            }
+            break;
+        default:
+            break;
+    }
+});
+function requireAccessToken(accessToken) {
+    if (!accessToken) {
+        throw new Error('An authenticated Supabase session is required for update operations. Provide a valid access token.');
+    }
+    return accessToken;
+}
+function ensureRows(rows, errorMessage) {
+    if (!Array.isArray(rows) || rows.length === 0) {
+        throw new Error(errorMessage);
+    }
+    return rows;
+}
+function validateJsonOrdered(table, jsonOrdered) {
+    try {
+        let validationResult;
+        switch (table) {
+            case 'contacts': {
+                const contact = createContact(jsonOrdered, { mode: 'strict' });
+                validationResult = contact.validate();
+                break;
+            }
+            case 'flows': {
+                const flow = createFlow(jsonOrdered, { mode: 'strict' });
+                validationResult = flow.validate();
+                break;
+            }
+            case 'lifecyclemodels': {
+                const lifecycleModel = createLifeCycleModel(jsonOrdered, { mode: 'strict' });
+                validationResult = lifecycleModel.validate();
+                break;
+            }
+            case 'processes': {
+                const process = createProcess(jsonOrdered, { mode: 'strict' });
+                validationResult = process.validate();
+                break;
+            }
+            case 'sources': {
+                const source = createSource(jsonOrdered, { mode: 'strict' });
+                validationResult = source.validate();
+                break;
+            }
+            default: {
+                const exhaustiveCheck = table;
+                throw new Error(`Unsupported table type: ${table}`);
+            }
+        }
+        if (!validationResult.success) {
+            const errorDetails = validationResult.error?.issues
+                ? JSON.stringify(validationResult.error.issues, null, 2)
+                : JSON.stringify(validationResult.error);
+            throw new Error(`Validation failed for table "${table}". Errors: ${errorDetails}`);
+        }
+    }
+    catch (error) {
+        if (error instanceof Error) {
+            throw new Error(`Failed to validate jsonOrdered for table "${table}": ${error.message}`);
+        }
+        throw error;
+    }
+}
+async function createSupabaseClient(bearerKey) {
+    const { session: normalizedSession, accessToken: bearerToken } = resolveSupabaseAccessToken(bearerKey);
+    const supabase = createClient(supabase_base_url, supabase_publishable_key, {
+        auth: {
+            persistSession: false,
+            autoRefreshToken: Boolean(normalizedSession?.refresh_token),
+        },
+        ...(bearerToken
+            ? {
+                global: {
+                    headers: {
+                        Authorization: `Bearer ${bearerToken}`,
+                    },
+                },
+            }
+            : {}),
+    });
+    if (normalizedSession?.refresh_token) {
+        const { error: setSessionError } = await supabase.auth.setSession({
+            access_token: normalizedSession.access_token,
+            refresh_token: normalizedSession.refresh_token,
+        });
+        if (setSessionError) {
+            console.warn('Failed to set Supabase session for CRUD tool:', setSessionError.message);
+        }
+    }
+    return { supabase, accessToken: normalizedSession?.access_token ?? bearerToken };
+}
+async function handleSelect(supabase, input) {
+    const { table, limit, id, version, filters } = input;
+    const keyColumn = getPrimaryKeyColumn(table);
+    let queryBuilder = supabase.from(table).select('*');
+    if (filters) {
+        for (const [column, value] of Object.entries(filters)) {
+            if (value !== null && value !== undefined) {
+                queryBuilder = queryBuilder.eq(column, value);
+            }
+        }
+    }
+    if (id) {
+        queryBuilder = queryBuilder.eq(keyColumn, id);
+    }
+    if (version) {
+        queryBuilder = queryBuilder.eq('version', version);
+    }
+    if (limit) {
+        queryBuilder = queryBuilder.limit(limit);
+    }
+    const { data, error } = await queryBuilder;
+    if (error) {
+        console.error('Error querying the database:', error);
+        throw error;
+    }
+    return JSON.stringify({ data: data ?? [], count: data?.length ?? 0 });
+}
+async function handleInsert(supabase, input) {
+    const { table, jsonOrdered } = input;
+    if (jsonOrdered === undefined) {
+        throw new Error('jsonOrdered is required for insert operations.');
+    }
+    validateJsonOrdered(table, jsonOrdered);
+    const newId = randomUUID();
+    const keyColumn = getPrimaryKeyColumn(table);
+    const { data, error } = await supabase
+        .from(table)
+        .insert([{ [keyColumn]: newId, json_ordered: jsonOrdered }])
+        .select();
+    if (error) {
+        console.error('Error inserting into the database:', error);
+        throw error;
+    }
+    return JSON.stringify({ id: newId, data: data ?? [] });
+}
+async function handleUpdate(supabase, accessToken, input) {
+    const { table, id, version, jsonOrdered } = input;
+    if (id === undefined) {
+        throw new Error('id is required for update operations.');
+    }
+    if (version === undefined) {
+        throw new Error('version is required for update operations.');
+    }
+    if (jsonOrdered === undefined) {
+        throw new Error('jsonOrdered is required for update operations.');
+    }
+    validateJsonOrdered(table, jsonOrdered);
+    const token = requireAccessToken(accessToken);
+    const { data: functionPayload, error } = await supabase.functions.invoke(UPDATE_FUNCTION_NAME, {
+        headers: {
+            Authorization: `Bearer ${token}`,
+        },
+        body: { id, version, table, data: { json_ordered: jsonOrdered } },
+        region: FunctionRegion.UsEast1,
+    });
+    if (error) {
+        console.error('Error invoking update_data function:', error);
+        throw error;
+    }
+    const { data: updatedRows, error: functionError } = (functionPayload ??
+        {});
+    if (functionError) {
+        console.error('Supabase update_data returned an error:', functionError);
+        const message = functionError.message ?? 'Supabase update_data function rejected the request.';
+        throw new Error(message);
+    }
+    const keyColumn = getPrimaryKeyColumn(table);
+    const rows = ensureRows(updatedRows, `Update affected 0 rows for table "${table}"; verify the provided ${keyColumn} (${id}) and version (${version}) exist and are accessible.`);
+    return JSON.stringify({ id, version, data: rows });
+}
+async function handleDelete(supabase, input) {
+    const { table, id, version } = input;
+    if (id === undefined) {
+        throw new Error('id is required for delete operations.');
+    }
+    if (version === undefined) {
+        throw new Error('version is required for delete operations.');
+    }
+    const keyColumn = getPrimaryKeyColumn(table);
+    const { data, error } = await supabase
+        .from(table)
+        .delete()
+        .eq(keyColumn, id)
+        .eq('version', version)
+        .select();
+    if (error) {
+        console.error('Error deleting from the database:', error);
+        throw error;
+    }
+    const rows = ensureRows(data, `Delete affected 0 rows for table "${table}"; verify the provided ${keyColumn} (${id}) and version (${version}) exist and are accessible.`);
+    return JSON.stringify({ id, version, data: rows });
+}
+async function performCrud(input, bearerKey) {
+    try {
+        const { supabase, accessToken } = await createSupabaseClient(bearerKey);
+        switch (input.operation) {
+            case 'select':
+                return handleSelect(supabase, input);
+            case 'insert':
+                return handleInsert(supabase, input);
+            case 'update':
+                return handleUpdate(supabase, accessToken, input);
+            case 'delete':
+                return handleDelete(supabase, input);
+            default: {
+                const exhaustiveCheck = input;
+                throw new Error('Unsupported operation supplied to CRUD tool.');
+            }
+        }
+    }
+    catch (error) {
+        console.error('Error making the request:', error);
+        throw error;
+    }
+}
+export function regCrudTool(server, bearerKey) {
+    server.tool('Database_CRUD_Tool', 'Perform select/insert/update/delete against allowed Supabase tables (insert needs jsonOrdered, update/delete need id and version).', toolParamsSchema, async (rawInput) => {
+        const input = refinedInputSchema.parse(rawInput);
+        const result = await performCrud(input, bearerKey);
+        return {
+            content: [
+                {
+                    type: 'text',
+                    text: result,
+                },
+            ],
+        };
+    });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tiangong-lca/mcp-server",
-  "version": "0.0.16",
+  "version": "0.0.18",
   "description": "TianGong LCA MCP Server",
   "license": "MIT",
   "author": "Nan LI",
@@ -27,22 +27,23 @@
     "ncu:update": "npx npm-check-updates -u"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.17.4",
-    "@supabase/supabase-js": "^2.56.0",
+    "@modelcontextprotocol/sdk": "^1.19.1",
+    "@supabase/supabase-js": "^2.58.0",
+    "@tiangong-lca/tidas-sdk": "^0.1.16",
     "@types/express": "^5.0.3",
-    "@upstash/redis": "^1.35.3",
-    "aws-jwt-verify": "^5.1.0",
+    "@upstash/redis": "^1.35.4",
+    "aws-jwt-verify": "^5.1.1",
     "olca-ipc": "^2.2.1",
     "zod": "^3.25.76"
   },
   "devDependencies": {
-    "@modelcontextprotocol/inspector": "^0.16.5",
+    "@modelcontextprotocol/inspector": "^0.16.8",
     "dotenv-cli": "^10.0.0",
-    "npm-check-updates": "^18.0.2",
+    "npm-check-updates": "^19.0.0",
     "prettier": "^3.6.2",
-    "prettier-plugin-organize-imports": "^4.2.0",
+    "prettier-plugin-organize-imports": "^4.3.0",
     "shx": "^0.4.0",
-    "tsx": "^4.20.5",
-    "typescript": "^5.9.2"
+    "tsx": "^4.20.6",
+    "typescript": "^5.9.3"
   }
 }