backend-manager 5.7.5 → 5.7.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -14,6 +14,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
14
14
  - `Fixed` for any bug fixes.
15
15
  - `Security` in case of vulnerabilities.
16
16
 
17
+ # [5.7.6] - 2026-06-18
18
+
19
+ ### Fixed
20
+ - **MCP admin role promotion.** Users with `roles.admin=true` on their Firestore doc now see all 25 admin tools when connecting via OAuth. Previously only the `BACKEND_MANAGER_KEY` granted admin MCP access; user-role admins were limited to 3 tools.
21
+
17
22
  # [5.7.4] - 2026-06-18
18
23
 
19
24
  ### Added
package/TODO.md CHANGED
@@ -9,6 +9,12 @@
9
9
  console.log('*** req.assistant', req.assistant);
10
10
  console.log('*** res.assistant', res.assistant);
11
11
 
12
+ # OAUTH2 (INBOUND + OUTBOUND)
13
+ UJM + BEM CHANGE
14
+ * UJM /oauth2 = for conencting OTHER accounts to user account
15
+ * UJM /token = for connecting user account to OTHER accounts
16
+ * we should rename this (requires backend change too)
17
+ * /authorize (most common says claude) or /connect
12
18
 
13
19
  # PAYMETNS
14
20
  https://github.com/invertase/stripe-firebase-extensions/tree/next/firestore-stripe-payments
@@ -28,9 +34,6 @@ Update deps!!!! theres lots
28
34
  * we culd have a test that TRIES EACH IMPORT ?? incase updating it fails due to ESM VULLSHIT?
29
35
 
30
36
 
31
- ADD HEALTHCHECK TO BEM!!!
32
- ✗ https://api.clockii.com/backend-manager?command=healthcheck → fetch failed
33
-
34
37
  TODO
35
38
  PAYMENT
36
39
  https://hookdeck.com/webhooks/platforms/guide-to-paypal-webhooks-features-and-best-practices
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "backend-manager",
3
- "version": "5.7.5",
3
+ "version": "5.7.6",
4
4
  "description": "Quick tools for developing Firebase functions",
5
5
  "main": "src/manager/index.js",
6
6
  "bin": {
@@ -316,9 +316,35 @@ async function handleMcpProtocol(req, res, options) {
316
316
  return;
317
317
  }
318
318
 
319
- // Classify the token
319
+ // Classify the token — fast check first, then DB lookup if needed
320
320
  const authInfo = resolveAuthInfo(token);
321
321
 
322
+ // If token is a user API key, check if the user has admin role in Firestore
323
+ if (authInfo.role === 'user') {
324
+ try {
325
+ const admin = Manager.libraries?.admin;
326
+
327
+ if (admin) {
328
+ const snapshot = await admin.firestore()
329
+ .collection('users')
330
+ .where('api.privateKey', '==', token)
331
+ .limit(1)
332
+ .get();
333
+
334
+ if (!snapshot.empty) {
335
+ const userData = snapshot.docs[0].data();
336
+
337
+ if (userData?.roles?.admin === true) {
338
+ authInfo.role = 'admin';
339
+ authInfo.authType = 'userAdmin';
340
+ }
341
+ }
342
+ }
343
+ } catch (e) {
344
+ // DB lookup failed — proceed with user role (safe fallback)
345
+ }
346
+ }
347
+
322
348
  // Load and merge consumer tools (consumer overrides win)
323
349
  const cwd = Manager.cwd || '';
324
350
  const consumerTools = getConsumerTools(cwd);
package/test/mcp/roles.js CHANGED
@@ -76,6 +76,26 @@ module.exports = {
76
76
  },
77
77
  },
78
78
 
79
+ {
80
+ name: 'user with roles.admin sees all tools (DB role promotion)',
81
+ async run({ assert, accounts }) {
82
+ const adminUserKey = accounts.admin?.privateKey;
83
+ assert.ok(adminUserKey, 'Admin test account should have a privateKey');
84
+
85
+ const response = await mcpRequest('tools/list', {}, adminUserKey);
86
+
87
+ assert.ok(response?.result?.tools, 'Should return tools list');
88
+
89
+ const tools = response.result.tools;
90
+ assert.equal(tools.length, 25, `Admin-role user should see all 25 tools, got ${tools.length}`);
91
+
92
+ const names = tools.map((t) => t.name);
93
+ assert.ok(names.includes('firestore_read'), 'Should see admin tool firestore_read');
94
+ assert.ok(names.includes('get_user'), 'Should see user tool get_user');
95
+ assert.ok(names.includes('health_check'), 'Should see public tool health_check');
96
+ },
97
+ },
98
+
79
99
  {
80
100
  name: 'user sees only user + public tools',
81
101
  async run({ assert, accounts }) {