backend-manager 5.7.5 → 5.7.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +5 -0
- package/TODO.md +6 -3
- package/package.json +1 -1
- package/src/mcp/handler.js +27 -1
- package/test/mcp/roles.js +20 -0
package/CHANGELOG.md
CHANGED
|
@@ -14,6 +14,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|
|
14
14
|
- `Fixed` for any bug fixes.
|
|
15
15
|
- `Security` in case of vulnerabilities.
|
|
16
16
|
|
|
17
|
+
# [5.7.6] - 2026-06-18
|
|
18
|
+
|
|
19
|
+
### Fixed
|
|
20
|
+
- **MCP admin role promotion.** Users with `roles.admin=true` on their Firestore doc now see all 25 admin tools when connecting via OAuth. Previously only the `BACKEND_MANAGER_KEY` granted admin MCP access; user-role admins were limited to 3 tools.
|
|
21
|
+
|
|
17
22
|
# [5.7.4] - 2026-06-18
|
|
18
23
|
|
|
19
24
|
### Added
|
package/TODO.md
CHANGED
|
@@ -9,6 +9,12 @@
|
|
|
9
9
|
console.log('*** req.assistant', req.assistant);
|
|
10
10
|
console.log('*** res.assistant', res.assistant);
|
|
11
11
|
|
|
12
|
+
# OAUTH2 (INBOUND + OUTBOUND)
|
|
13
|
+
UJM + BEM CHANGE
|
|
14
|
+
* UJM /oauth2 = for conencting OTHER accounts to user account
|
|
15
|
+
* UJM /token = for connecting user account to OTHER accounts
|
|
16
|
+
* we should rename this (requires backend change too)
|
|
17
|
+
* /authorize (most common says claude) or /connect
|
|
12
18
|
|
|
13
19
|
# PAYMETNS
|
|
14
20
|
https://github.com/invertase/stripe-firebase-extensions/tree/next/firestore-stripe-payments
|
|
@@ -28,9 +34,6 @@ Update deps!!!! theres lots
|
|
|
28
34
|
* we culd have a test that TRIES EACH IMPORT ?? incase updating it fails due to ESM VULLSHIT?
|
|
29
35
|
|
|
30
36
|
|
|
31
|
-
ADD HEALTHCHECK TO BEM!!!
|
|
32
|
-
✗ https://api.clockii.com/backend-manager?command=healthcheck → fetch failed
|
|
33
|
-
|
|
34
37
|
TODO
|
|
35
38
|
PAYMENT
|
|
36
39
|
https://hookdeck.com/webhooks/platforms/guide-to-paypal-webhooks-features-and-best-practices
|
package/package.json
CHANGED
package/src/mcp/handler.js
CHANGED
|
@@ -316,9 +316,35 @@ async function handleMcpProtocol(req, res, options) {
|
|
|
316
316
|
return;
|
|
317
317
|
}
|
|
318
318
|
|
|
319
|
-
// Classify the token
|
|
319
|
+
// Classify the token — fast check first, then DB lookup if needed
|
|
320
320
|
const authInfo = resolveAuthInfo(token);
|
|
321
321
|
|
|
322
|
+
// If token is a user API key, check if the user has admin role in Firestore
|
|
323
|
+
if (authInfo.role === 'user') {
|
|
324
|
+
try {
|
|
325
|
+
const admin = Manager.libraries?.admin;
|
|
326
|
+
|
|
327
|
+
if (admin) {
|
|
328
|
+
const snapshot = await admin.firestore()
|
|
329
|
+
.collection('users')
|
|
330
|
+
.where('api.privateKey', '==', token)
|
|
331
|
+
.limit(1)
|
|
332
|
+
.get();
|
|
333
|
+
|
|
334
|
+
if (!snapshot.empty) {
|
|
335
|
+
const userData = snapshot.docs[0].data();
|
|
336
|
+
|
|
337
|
+
if (userData?.roles?.admin === true) {
|
|
338
|
+
authInfo.role = 'admin';
|
|
339
|
+
authInfo.authType = 'userAdmin';
|
|
340
|
+
}
|
|
341
|
+
}
|
|
342
|
+
}
|
|
343
|
+
} catch (e) {
|
|
344
|
+
// DB lookup failed — proceed with user role (safe fallback)
|
|
345
|
+
}
|
|
346
|
+
}
|
|
347
|
+
|
|
322
348
|
// Load and merge consumer tools (consumer overrides win)
|
|
323
349
|
const cwd = Manager.cwd || '';
|
|
324
350
|
const consumerTools = getConsumerTools(cwd);
|
package/test/mcp/roles.js
CHANGED
|
@@ -76,6 +76,26 @@ module.exports = {
|
|
|
76
76
|
},
|
|
77
77
|
},
|
|
78
78
|
|
|
79
|
+
{
|
|
80
|
+
name: 'user with roles.admin sees all tools (DB role promotion)',
|
|
81
|
+
async run({ assert, accounts }) {
|
|
82
|
+
const adminUserKey = accounts.admin?.privateKey;
|
|
83
|
+
assert.ok(adminUserKey, 'Admin test account should have a privateKey');
|
|
84
|
+
|
|
85
|
+
const response = await mcpRequest('tools/list', {}, adminUserKey);
|
|
86
|
+
|
|
87
|
+
assert.ok(response?.result?.tools, 'Should return tools list');
|
|
88
|
+
|
|
89
|
+
const tools = response.result.tools;
|
|
90
|
+
assert.equal(tools.length, 25, `Admin-role user should see all 25 tools, got ${tools.length}`);
|
|
91
|
+
|
|
92
|
+
const names = tools.map((t) => t.name);
|
|
93
|
+
assert.ok(names.includes('firestore_read'), 'Should see admin tool firestore_read');
|
|
94
|
+
assert.ok(names.includes('get_user'), 'Should see user tool get_user');
|
|
95
|
+
assert.ok(names.includes('health_check'), 'Should see public tool health_check');
|
|
96
|
+
},
|
|
97
|
+
},
|
|
98
|
+
|
|
79
99
|
{
|
|
80
100
|
name: 'user sees only user + public tools',
|
|
81
101
|
async run({ assert, accounts }) {
|