@vobase/core 0.10.0 → 0.11.0

package/src/mcp/crud.test.ts

@@ -0,0 +1,128 @@
+import { describe, expect, it } from 'bun:test';
+import { Hono } from 'hono';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+
+import { createDatabase } from '../db/client';
+import { auditLog } from '../modules/audit/schema';
+import { registerCrudTools } from './crud';
+import type { VobaseModule } from '../module';
+
+function createTestDb() {
+  const db = createDatabase(':memory:');
+  db.$client.run(`
+    CREATE TABLE IF NOT EXISTS _audit_log (
+      id TEXT PRIMARY KEY NOT NULL,
+      event TEXT NOT NULL,
+      actor_id TEXT,
+      actor_email TEXT,
+      ip TEXT,
+      details TEXT,
+      created_at INTEGER NOT NULL
+    )
+  `);
+  return db;
+}
+
+describe('registerCrudTools', () => {
+  it('registers 5 CRUD tools per real Drizzle table', () => {
+    const server = new McpServer({ name: 'test', version: '0.1.0' });
+    const db = createTestDb();
+
+    const modules: VobaseModule[] = [
+      {
+        name: 'audit',
+        schema: { auditLog },
+        routes: new Hono(),
+      },
+    ];
+
+    registerCrudTools(server, modules, {
+      db,
+      user: { id: 'u1', email: 'a@b.com', name: 'Test', role: 'admin' },
+      organizationEnabled: false,
+    }, new Map());
+
+    // Access the registered tools via the server's internal state
+    const tools = (server as any)._registeredTools;
+    const toolNames = Object.keys(tools);
+
+    expect(toolNames).toContain('list_audit_log');
+    expect(toolNames).toContain('get_audit_log');
+    expect(toolNames).toContain('create_audit_log');
+    expect(toolNames).toContain('update_audit_log');
+    expect(toolNames).toContain('delete_audit_log');
+  });
+
+  it('skips non-Drizzle schema entries gracefully', () => {
+    const server = new McpServer({ name: 'test', version: '0.1.0' });
+    const db = createTestDb();
+
+    const modules: VobaseModule[] = [
+      {
+        name: 'mock',
+        schema: { fakeThing: {} },
+        routes: new Hono(),
+      },
+    ];
+
+    // Should not throw
+    registerCrudTools(server, modules, {
+      db,
+      user: null,
+      organizationEnabled: false,
+    }, new Map());
+
+    const tools = (server as any)._registeredTools;
+    const toolNames = Object.keys(tools);
+    // No CRUD tools registered for non-Drizzle schema
+    expect(toolNames.filter((n: string) => n.includes('fakeThing'))).toEqual([]);
+  });
+
+  it('respects exclude map', () => {
+    const server = new McpServer({ name: 'test', version: '0.1.0' });
+    const db = createTestDb();
+
+    const modules: VobaseModule[] = [
+      {
+        name: 'audit',
+        schema: { auditLog },
+        routes: new Hono(),
+      },
+    ];
+
+    const excludeMap = new Map([['audit', new Set(['auditLog'])]]);
+
+    registerCrudTools(server, modules, {
+      db,
+      user: { id: 'u1', email: 'a@b.com', name: 'Test', role: 'admin' },
+      organizationEnabled: false,
+    }, excludeMap);
+
+    const tools = (server as any)._registeredTools;
+    const toolNames = Object.keys(tools);
+    expect(toolNames.filter((n: string) => n.includes('audit_log'))).toEqual([]);
+  });
+
+  it('write tools check admin role when org is disabled', () => {
+    const server = new McpServer({ name: 'test', version: '0.1.0' });
+    const db = createTestDb();
+
+    const modules: VobaseModule[] = [
+      {
+        name: 'audit',
+        schema: { auditLog },
+        routes: new Hono(),
+      },
+    ];
+
+    // User with non-admin role
+    registerCrudTools(server, modules, {
+      db,
+      user: { id: 'u1', email: 'a@b.com', name: 'Test', role: 'user' },
+      organizationEnabled: false,
+    }, new Map());
+
+    const tools = (server as any)._registeredTools;
+    expect(tools.create_audit_log).toBeDefined();
+  });
+});

package/src/mcp/crud.ts

@@ -0,0 +1,171 @@
+import { eq, getTableColumns, getTableName } from 'drizzle-orm';
+import type { SQLiteTable } from 'drizzle-orm/sqlite-core';
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { z } from 'zod';
+
+import type { AuthUser } from '../contracts/auth';
+import type { VobaseDb } from '../db';
+import type { VobaseModule } from '../module';
+
+interface CrudContext {
+  db: VobaseDb;
+  user: AuthUser | null;
+  organizationEnabled: boolean;
+}
+
+function checkWritePermission(ctx: CrudContext): string | null {
+  if (!ctx.user) return 'Authentication required';
+  if (ctx.organizationEnabled) {
+    // When org is enabled, any authenticated user can write
+    return null;
+  }
+  // Without org, require admin role for writes
+  if (ctx.user.role !== 'admin') return 'Forbidden: admin role required for write operations';
+  return null;
+}
+
+function errorResult(message: string) {
+  return { content: [{ type: 'text' as const, text: JSON.stringify({ error: message }) }], isError: true as const };
+}
+
+function jsonResult(data: Record<string, unknown>) {
+  return {
+    content: [{ type: 'text' as const, text: JSON.stringify(data) }],
+    structuredContent: data,
+  };
+}
+
+export function registerCrudTools(
+  server: McpServer,
+  modules: VobaseModule[],
+  ctx: CrudContext,
+  excludeMap: Map<string, Set<string>>,
+) {
+  for (const mod of modules) {
+    if (!mod.schema || Object.keys(mod.schema).length === 0) continue;
+
+    const moduleExcludes = excludeMap.get(mod.name) ?? new Set();
+
+    for (const [schemaKey, tableObj] of Object.entries(mod.schema)) {
+      if (moduleExcludes.has(schemaKey)) continue;
+
+      // Verify it's a Drizzle table
+      let tableName: string;
+      try {
+        tableName = getTableName(tableObj as any);
+      } catch {
+        continue;
+      }
+
+      const table = tableObj as SQLiteTable;
+      let columns: ReturnType<typeof getTableColumns>;
+      try {
+        columns = getTableColumns(table);
+      } catch {
+        continue;
+      }
+      if (!columns) continue;
+
+      // Find primary key column
+      const pkEntry = Object.entries(columns).find(([, col]) => (col as any).primary);
+      if (!pkEntry) continue;
+      const [pkKey] = pkEntry;
+      const pkCol = columns[pkKey]!;
+      const pkZod = (pkCol as any).dataType === 'number' ? z.number() : z.string();
+
+      // Clean name for tools (strip _ prefix from built-in tables)
+      const cleanName = tableName.replace(/^_/, '');
+
+      // LIST
+      server.registerTool(
+        `list_${cleanName}`,
+        {
+          description: `List rows from ${tableName} table.`,
+          inputSchema: z.object({
+            limit: z.number().int().positive().max(100).optional(),
+            offset: z.number().int().nonnegative().optional(),
+          }),
+          annotations: { readOnlyHint: true },
+        },
+        async ({ limit, offset }) => {
+          const rows = ctx.db.select().from(table).limit(limit ?? 50).offset(offset ?? 0).all();
+          return jsonResult({ rows, count: rows.length });
+        },
+      );
+
+      // GET
+      server.registerTool(
+        `get_${cleanName}`,
+        {
+          description: `Get a single row from ${tableName} by ID.`,
+          inputSchema: z.object({ id: pkZod }),
+          annotations: { readOnlyHint: true },
+        },
+        async ({ id }) => {
+          const row = ctx.db.select().from(table).where(eq(pkCol, id)).get();
+          if (!row) return errorResult('Not found');
+          return jsonResult(row as Record<string, unknown>);
+        },
+      );
+
+      // CREATE
+      server.registerTool(
+        `create_${cleanName}`,
+        {
+          description: `Insert a new row into ${tableName}.`,
+          inputSchema: z.object({ data: z.record(z.string(), z.unknown()) }),
+        },
+        async ({ data }) => {
+          const permError = checkWritePermission(ctx);
+          if (permError) return errorResult(permError);
+          try {
+            const result = ctx.db.insert(table).values(data as any).returning().get();
+            return jsonResult(result as Record<string, unknown>);
+          } catch (e: any) {
+            return errorResult(e.message);
+          }
+        },
+      );
+
+      // UPDATE
+      server.registerTool(
+        `update_${cleanName}`,
+        {
+          description: `Update a row in ${tableName} by ID.`,
+          inputSchema: z.object({ id: pkZod, data: z.record(z.string(), z.unknown()) }),
+        },
+        async ({ id, data }) => {
+          const permError = checkWritePermission(ctx);
+          if (permError) return errorResult(permError);
+          try {
+            const result = ctx.db.update(table).set(data as any).where(eq(pkCol, id)).returning().get();
+            if (!result) return errorResult('Not found');
+            return jsonResult(result as Record<string, unknown>);
+          } catch (e: any) {
+            return errorResult(e.message);
+          }
+        },
+      );
+
+      // DELETE
+      server.registerTool(
+        `delete_${cleanName}`,
+        {
+          description: `Delete a row from ${tableName} by ID.`,
+          inputSchema: z.object({ id: pkZod }),
+        },
+        async ({ id }) => {
+          const permError = checkWritePermission(ctx);
+          if (permError) return errorResult(permError);
+          try {
+            const result = ctx.db.delete(table).where(eq(pkCol, id)).returning().get();
+            if (!result) return errorResult('Not found');
+            return jsonResult({ deleted: true });
+          } catch (e: any) {
+            return errorResult(e.message);
+          }
+        },
+      );
+    }
+  }
+}

package/{dist/mcp/index.d.ts → src/mcp/index.ts}

@@ -1,3 +1,2 @@
 export { createMcpServer, createMcpHandler, type McpDeps } from './server';
 export { registerCrudTools } from './crud';
-//# sourceMappingURL=index.d.ts.map

package/src/mcp/server.test.ts

@@ -0,0 +1,153 @@
+import { describe, expect, it } from 'bun:test';
+import { Hono } from 'hono';
+
+import { createDatabase } from '../db/client';
+import { createMcpHandler } from './server';
+import type { VobaseModule } from '../module';
+
+const MODULES: VobaseModule[] = [
+  {
+    name: 'billing',
+    schema: { customers: {}, invoices: {} },
+    routes: new Hono(),
+  },
+  {
+    name: 'catalog',
+    schema: { invoices: {}, products: {} },
+    routes: new Hono(),
+  },
+];
+
+function createTestDb() {
+  const db = createDatabase(':memory:');
+  db.$client.run(`
+    CREATE TABLE IF NOT EXISTS _audit_log (
+      id TEXT PRIMARY KEY NOT NULL,
+      event TEXT NOT NULL,
+      actor_id TEXT,
+      actor_email TEXT,
+      ip TEXT,
+      details TEXT,
+      created_at INTEGER NOT NULL
+    )
+  `);
+  return db;
+}
+
+async function postMcp(
+  handler: (req: Request) => Promise<Response>,
+  payload: Record<string, unknown>,
+): Promise<{ response: Response; body: Record<string, unknown> }> {
+  const request = new Request('http://localhost/mcp', {
+    method: 'POST',
+    headers: {
+      'content-type': 'application/json',
+      accept: 'application/json, text/event-stream',
+    },
+    body: JSON.stringify(payload),
+  });
+
+  const response = await handler(request);
+  const body = (await response.json()) as Record<string, unknown>;
+  return { response, body };
+}
+
+function parseStructuredToolResult(
+  body: Record<string, unknown>,
+): Record<string, unknown> {
+  const result = body.result as {
+    structuredContent?: Record<string, unknown>;
+    content?: Array<{ type: string; text?: string }>;
+  };
+
+  if (result.structuredContent) {
+    return result.structuredContent;
+  }
+
+  const text = result.content?.find((item) => item.type === 'text')?.text;
+  return text ? (JSON.parse(text) as Record<string, unknown>) : {};
+}
+
+describe('createMcpHandler()', () => {
+  it('creates a request handler function', () => {
+    const handler = createMcpHandler({ db: createTestDb(), modules: MODULES });
+    expect(typeof handler).toBe('function');
+  });
+
+  it('returns all four read-only tools for tools/list', async () => {
+    const handler = createMcpHandler({ db: createTestDb(), modules: MODULES });
+
+    const { response, body } = await postMcp(handler, {
+      jsonrpc: '2.0',
+      id: 1,
+      method: 'tools/list',
+    });
+
+    const tools = (
+      (body.result as { tools?: Array<{ name: string }> }).tools ?? []
+    ).map((tool) => tool.name);
+
+    expect(response.status).toBe(200);
+    expect(tools).toEqual([
+      'list_modules',
+      'read_module',
+      'get_schema',
+      'view_logs',
+    ]);
+  });
+
+  it('list_modules returns registered module names', async () => {
+    const handler = createMcpHandler({ db: createTestDb(), modules: MODULES });
+
+    const { response, body } = await postMcp(handler, {
+      jsonrpc: '2.0',
+      id: 2,
+      method: 'tools/call',
+      params: {
+        name: 'list_modules',
+        arguments: {},
+      },
+    });
+
+    expect(response.status).toBe(200);
+    expect(parseStructuredToolResult(body)).toEqual({
+      modules: [{ name: 'billing' }, { name: 'catalog' }],
+    });
+  });
+
+  it('get_schema returns table names across modules', async () => {
+    const handler = createMcpHandler({ db: createTestDb(), modules: MODULES });
+
+    const { response, body } = await postMcp(handler, {
+      jsonrpc: '2.0',
+      id: 3,
+      method: 'tools/call',
+      params: {
+        name: 'get_schema',
+        arguments: {},
+      },
+    });
+
+    expect(response.status).toBe(200);
+    expect(parseStructuredToolResult(body)).toEqual({
+      tables: ['customers', 'invoices', 'products'],
+    });
+  });
+
+  it('does not expose write tools', async () => {
+    const handler = createMcpHandler({ db: createTestDb(), modules: MODULES });
+
+    const { body } = await postMcp(handler, {
+      jsonrpc: '2.0',
+      id: 4,
+      method: 'tools/list',
+    });
+
+    const toolNames = (
+      (body.result as { tools?: Array<{ name: string }> }).tools ?? []
+    ).map((tool) => tool.name);
+
+    expect(toolNames).not.toContain('deploy_module');
+    expect(toolNames).not.toContain('install_package');
+  });
+});

package/src/mcp/server.ts

@@ -0,0 +1,178 @@
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { desc } from 'drizzle-orm';
+import { z } from 'zod';
+
+import type { AuthUser } from '../contracts/auth';
+import type { VobaseDb } from '../db';
+import { auditLog } from '../modules/audit/schema';
+import type { VobaseModule } from '../module';
+import { registerCrudTools } from './crud';
+
+const DEFAULT_LOG_LIMIT = 50;
+const MAX_LOG_LIMIT = 100;
+
+export interface McpDeps {
+  db: VobaseDb;
+  modules: VobaseModule[];
+  /** Validate an API key. Returns user ID if valid, null if invalid. */
+  verifyApiKey?: (key: string) => Promise<{ userId: string } | null>;
+  /** Whether the organization plugin is enabled (affects CRUD authorization). */
+  organizationEnabled?: boolean;
+}
+
+function toToolResult(payload: Record<string, unknown>) {
+  return {
+    content: [{ type: 'text' as const, text: JSON.stringify(payload) }],
+    structuredContent: payload,
+  };
+}
+
+function getSortedTableNames(schema: Record<string, unknown>): string[] {
+  return Object.keys(schema).sort((left, right) => left.localeCompare(right));
+}
+
+function getSchemaTableNames(modules: VobaseModule[]): string[] {
+  return Array.from(
+    new Set(modules.flatMap((module) => getSortedTableNames(module.schema))),
+  ).sort((left, right) => left.localeCompare(right));
+}
+
+export async function createMcpServer(deps: McpDeps): Promise<McpServer> {
+  const { McpServer } = await import('@modelcontextprotocol/sdk/server/mcp.js');
+  const server = new McpServer({ name: 'vobase', version: '0.1.0' });
+
+  server.registerTool(
+    'list_modules',
+    {
+      description: 'List registered vobase modules.',
+      annotations: { readOnlyHint: true },
+    },
+    async () => {
+      return toToolResult({
+        modules: deps.modules.map((module) => ({ name: module.name })),
+      });
+    },
+  );
+
+  server.registerTool(
+    'read_module',
+    {
+      description: 'Read table names from one module schema.',
+      inputSchema: z.object({ name: z.string().min(1) }),
+      annotations: { readOnlyHint: true },
+    },
+    async ({ name }) => {
+      const selectedModule = deps.modules.find(
+        (module) => module.name === name,
+      );
+
+      return toToolResult({
+        name,
+        tables: selectedModule
+          ? getSortedTableNames(selectedModule.schema)
+          : [],
+      });
+    },
+  );
+
+  server.registerTool(
+    'get_schema',
+    {
+      description: 'List all table names across every module schema.',
+      annotations: { readOnlyHint: true },
+    },
+    async () => {
+      return toToolResult({ tables: getSchemaTableNames(deps.modules) });
+    },
+  );
+
+  server.registerTool(
+    'view_logs',
+    {
+      description: 'Return recent entries from _audit_log.',
+      inputSchema: z.object({
+        limit: z.number().int().positive().max(MAX_LOG_LIMIT).optional(),
+      }),
+      annotations: { readOnlyHint: true },
+    },
+    async ({ limit }) => {
+      const effectiveLimit = limit ?? DEFAULT_LOG_LIMIT;
+      const entries = deps.db
+        .select()
+        .from(auditLog)
+        .orderBy(desc(auditLog.createdAt))
+        .limit(effectiveLimit)
+        .all()
+        .map((entry) => ({
+          id: entry.id,
+          event: entry.event,
+          actorId: entry.actorId,
+          actorEmail: entry.actorEmail,
+          ip: entry.ip,
+          details: entry.details,
+          createdAt:
+            entry.createdAt instanceof Date
+              ? entry.createdAt.toISOString()
+              : String(entry.createdAt),
+        }));
+
+      return toToolResult({ entries });
+    },
+  );
+
+  return server;
+}
+
+export function createMcpHandler(
+  deps: McpDeps,
+): (req: Request) => Promise<Response> {
+  return async (req: Request) => {
+    // API key authentication (optional — CRUD tools require it, discovery tools don't)
+    let authenticatedUser: AuthUser | null = null;
+
+    if (deps.verifyApiKey) {
+      const authHeader = req.headers.get('authorization');
+      const key = authHeader?.startsWith('Bearer ')
+        ? authHeader.slice(7)
+        : null;
+
+      if (key) {
+        const result = await deps.verifyApiKey(key);
+        if (result) {
+          authenticatedUser = {
+            id: result.userId,
+            email: '',
+            name: '',
+            role: 'admin', // API key holders get admin role for CRUD
+          };
+        }
+      }
+    }
+
+    const server = await createMcpServer(deps);
+
+    // Register CRUD tools only when authenticated via API key
+    if (authenticatedUser) {
+      const excludeMap = new Map<string, Set<string>>();
+      registerCrudTools(server, deps.modules, {
+        db: deps.db,
+        user: authenticatedUser,
+        organizationEnabled: deps.organizationEnabled ?? false,
+      }, excludeMap);
+    }
+
+    const { WebStandardStreamableHTTPServerTransport } = await import('@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js');
+    const transport = new WebStandardStreamableHTTPServerTransport({
+      sessionIdGenerator: undefined,
+      enableJsonResponse: true,
+    });
+
+    await server.connect(transport);
+
+    try {
+      return await transport.handleRequest(req);
+    } finally {
+      await server.close();
+    }
+  };
+}