cyy-mall-mcp 0.1.0

package/README.md

@@ -0,0 +1,85 @@
+# cyy-mall-mcp
+
+通过 **Model Context Protocol (stdio)** 将 [**cyymall-cli**](https://www.npmjs.com/package/cyymall-cli)（命令 `cyy`）暴露给 Cursor、阿里百炼 FC MCP、Claude Desktop 等宿主。
+
+## 原理
+
+本进程使用 **`@modelcontextprotocol/sdk`** 注册工具；每次工具调用通过 **`node /path/to/cyymall-cli/bin/cyy.js …`** 执行，与你在终端手工输入 `cyy …` 等价。会话仍落在 **`~/.cyymall/config.json`**（或由宿主注入的环境变量）。
+
+## 安装
+
+```bash
+npm install -g cyy-mall-mcp cyymall-cli
+```
+
+全局安装 `cyymall-cli` 可保证任意工作目录下都能 `require.resolve('cyymall-cli/bin/cyy.js')`；仅安装 `cyy-mall-mcp` 时，`cyymall-cli` 会作为依赖出现在 `node_modules` 中，同样可用。
+
+本地开发（与本仓库同级的 `cyymall-cli`）可在本目录：
+
+```bash
+npm install
+node src/index.js
+```
+
+## 运行（stdio MCP）
+
+```bash
+npx cyy-mall-mcp
+# 或
+cyy-mall-mcp
+```
+
+**注意：** MCP 使用 **stdio** 通信，请勿再向 **stdout** 打印调试信息。
+
+## 环境变量
+
+| 变量 | 说明 |
+|------|------|
+| `CYY_BASE_URL` | API 根地址，默认 `https://dhcmall.ifoodbuy.com` |
+| `CYY_PASSWORD` | 配合工具 **`auth_login`** 使用（勿把密码写进工具参数或聊天记录） |
+| `CYY_MCP_ALLOW_WRITE` | 设为 `true` 时才允许 **`cart_add`**、**`order_pre_settle`**、**`order_confirm`**、**`order_quick`**（降低误下单风险） |
+| 其它 `CYY_*` | 与 [cyymall-cli README](https://www.npmjs.com/package/cyymall-cli) 一致（如 `CYY_BOOTSTRAP_*`） |
+
+## 工具一览
+
+| 工具名 | 说明 |
+|--------|------|
+| `auth_whoami` | 当前登录态 |
+| `config_show` | 脱敏后的会话配置 |
+| `auth_login` | 登录（需 `CYY_PASSWORD`） |
+| `shop_list` / `shop_sites` / `shop_use` / `shop_use_site` | 门店与站点 |
+| `product_search` | 商品搜索 |
+| `api_call` | 万能 API（对应 `cyy api call`） |
+| `order_pay_url` | 代付链接 |
+| `cart_add` / `order_pre_settle` / `order_confirm` / `order_quick` | 需 **`CYY_MCP_ALLOW_WRITE=true`** |
+
+## 阿里百炼 / FC MCP 部署示例
+
+安装方式选 **npx**，在 **MCP 服务配置** 中可使用（按控制台实际字段调整）：
+
+```json
+{
+  "mcpServers": {
+    "cyy-mall": {
+      "command": "npx",
+      "args": ["-y", "cyy-mall-mcp"],
+      "env": {
+        "CYY_BASE_URL": "https://dhcmall.ifoodbuy.com",
+        "CYY_MCP_ALLOW_WRITE": "false"
+      }
+    }
+  }
+}
+```
+
+首次冷启动时 `npx` 会下载依赖，可能需要 **数十秒**。需要登录时，在 FC 环境变量中配置 **`CYY_PASSWORD`**（注意安全存储与轮换），再通过对话触发 **`auth_login`**。
+
+## 安全说明
+
+- 禁止在模型对话中粘贴 **npm token、商城密码、session token**。  
+- 生产环境应对 MCP 入口做 **鉴权与租户隔离**；本包仅为 thin wrapper。  
+- 下单类工具默认关闭，需显式打开 **`CYY_MCP_ALLOW_WRITE`**。
+
+## 许可证
+
+MIT

package/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "cyy-mall-mcp",
+  "version": "0.1.0",
+  "description": "MCP server that exposes 菜洋洋 cyymall-cli (cyy) as Model Context Protocol tools (stdio)",
+  "type": "module",
+  "main": "src/index.js",
+  "bin": {
+    "cyy-mall-mcp": "src/index.js"
+  },
+  "files": [
+    "src",
+    "README.md",
+    "package.json"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "start": "node src/index.js",
+    "prepublishOnly": "node --check src/index.js"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "cyymall",
+    "dhcmall",
+    "cyy",
+    "cli"
+  ],
+  "license": "MIT",
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "cyymall-cli": "^0.1.0",
+    "zod": "^4.4.3"
+  }
+}

package/src/index.js

@@ -0,0 +1,352 @@
+#!/usr/bin/env node
+/**
+ * MCP server: exposes cyymall-cli (`cyy`) as MCP tools via stdio.
+ * Requires dependency `cyymall-cli` (runs bin/cyy.js with Node).
+ */
+import { createRequire } from "node:module";
+import { spawnSync } from "node:child_process";
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import * as z from "zod/v4";
+
+const require = createRequire(import.meta.url);
+
+function resolveCyyScript() {
+  try {
+    return require.resolve("cyymall-cli/bin/cyy.js");
+  } catch {
+    throw new Error(
+      "Cannot find cyymall-cli. Install: npm install cyymall-cli (this package lists it as a dependency).",
+    );
+  }
+}
+
+/**
+ * @param {string[]} argv Arguments after `cyy`
+ */
+function runCyy(argv) {
+  const script = resolveCyyScript();
+  const r = spawnSync(process.execPath, [script, ...argv], {
+    encoding: "utf8",
+    maxBuffer: 50 * 1024 * 1024,
+    windowsHide: true,
+    env: { ...process.env },
+  });
+  let text = (r.stdout ?? "").trim();
+  const err = (r.stderr ?? "").trim();
+  if (r.status !== 0 && err) {
+    text = text ? `${text}\n${err}` : err;
+  } else if (err && !text) {
+    text = err;
+  }
+  if (r.error) {
+    text = text ? `${text}\n${r.error.message}` : String(r.error.message);
+  }
+  return { text: text || "(empty)", ok: r.status === 0 };
+}
+
+function textResult(text, isError) {
+  return {
+    content: [{ type: "text", text }],
+    isError: Boolean(isError),
+  };
+}
+
+function allowWrite() {
+  return process.env.CYY_MCP_ALLOW_WRITE === "true" || process.env.CYY_MCP_ALLOW_WRITE === "1";
+}
+
+const emptyObj = z.object({});
+
+const mcpServer = new McpServer(
+  {
+    name: "cyy-mall-mcp",
+    version: "0.1.0",
+  },
+  {
+    capabilities: { tools: {} },
+    instructions:
+      "菜洋洋商城 MCP：工具通过子进程调用 cyymall-cli（cyy）。会话默认 ~/.cyymall/config.json。购物车/预结算/确认/一键下单需 CYY_MCP_ALLOW_WRITE=true。登录密码仅通过环境变量 CYY_PASSWORD 配合 auth_login，勿在对话中传密码。",
+  },
+);
+
+mcpServer.registerTool(
+  "auth_whoami",
+  {
+    description: "GET /member/getInfo/V2 — current member info using saved session (cyy auth whoami)",
+    inputSchema: emptyObj,
+  },
+  async () => {
+    const r = runCyy(["auth", "whoami"]);
+    return textResult(r.text, !r.ok);
+  },
+);
+
+mcpServer.registerTool(
+  "config_show",
+  {
+    description: "Print ~/.cyymall/config.json with masked token (cyy config show)",
+    inputSchema: emptyObj,
+  },
+  async () => {
+    const r = runCyy(["config", "show"]);
+    return textResult(r.text, !r.ok);
+  },
+);
+
+mcpServer.registerTool(
+  "auth_login",
+  {
+    description:
+      "Password login (cyy auth login --phone …). Requires env CYY_PASSWORD; password must NOT be passed in tool arguments.",
+    inputSchema: {
+      phone: z.string().describe("Mobile phone"),
+    },
+  },
+  async ({ phone }) => {
+    if (!process.env.CYY_PASSWORD) {
+      return textResult(
+        "Refused: set environment variable CYY_PASSWORD on the MCP server host (do not pass password in chat).",
+        true,
+      );
+    }
+    const r = runCyy(["auth", "login", "--phone", phone]);
+    return textResult(r.text, !r.ok);
+  },
+);
+
+mcpServer.registerTool(
+  "shop_list",
+  {
+    description: "POST /shop/member/list — paginated shops (cyy shop list)",
+    inputSchema: {
+      page: z.string().optional().describe('pageNum default "1"'),
+      pageSize: z.string().optional().describe('pageSize default "20"'),
+      name: z.string().optional().describe("shopName filter"),
+      objectCode: z.string().optional().describe('objectCode default "3"'),
+    },
+  },
+  async (args) => {
+    const argv = ["shop", "list"];
+    if (args.page != null) argv.push("--page", String(args.page));
+    if (args.pageSize != null) argv.push("--page-size", String(args.pageSize));
+    if (args.name != null) argv.push("--name", String(args.name));
+    if (args.objectCode != null) argv.push("--object-code", String(args.objectCode));
+    const r = runCyy(argv);
+    return textResult(r.text, !r.ok);
+  },
+);
+
+mcpServer.registerTool(
+  "shop_sites",
+  {
+    description: "GET /shop/member/store/list — sites for a shop (cyy shop sites)",
+    inputSchema: {
+      shopId: z.string().optional().describe("Shop id; omit to use session shop_id"),
+      siteName: z.string().optional().describe("Optional site name filter"),
+    },
+  },
+  async (args) => {
+    const argv = ["shop", "sites"];
+    if (args.shopId != null && String(args.shopId).length)
+      argv.push("--shop-id", String(args.shopId));
+    if (args.siteName != null && String(args.siteName).length)
+      argv.push("--site-name", String(args.siteName));
+    const r = runCyy(argv);
+    return textResult(r.text, !r.ok);
+  },
+);
+
+mcpServer.registerTool(
+  "shop_use",
+  {
+    description: "Set default shop_id only in session config (cyy shop use --shop-id)",
+    inputSchema: {
+      shopId: z.string().describe("Numeric shop id from shop_list"),
+    },
+  },
+  async ({ shopId }) => {
+    const r = runCyy(["shop", "use", "--shop-id", String(shopId)]);
+    return textResult(r.text, !r.ok);
+  },
+);
+
+mcpServer.registerTool(
+  "shop_use_site",
+  {
+    description: "Set default site_id for current shop (cyy shop use-site --site-id)",
+    inputSchema: {
+      siteId: z.string().describe("Site id from shop_sites"),
+    },
+  },
+  async ({ siteId }) => {
+    const r = runCyy(["shop", "use-site", "--site-id", String(siteId)]);
+    return textResult(r.text, !r.ok);
+  },
+);
+
+mcpServer.registerTool(
+  "product_search",
+  {
+    description: "POST /app/product/getSkuList — search SKU (cyy product search)",
+    inputSchema: {
+      keyword: z.string().describe("spuName keyword"),
+      shopId: z.string().optional(),
+      siteId: z.string().optional(),
+      page: z.string().optional(),
+      pageSize: z.string().optional(),
+      stockFlag: z.string().optional().describe('stockFlag string e.g. "0"'),
+    },
+  },
+  async (args) => {
+    const argv = ["product", "search", "--keyword", args.keyword];
+    if (args.shopId != null) argv.push("--shop-id", String(args.shopId));
+    if (args.siteId != null) argv.push("--site-id", String(args.siteId));
+    if (args.page != null) argv.push("--page", String(args.page));
+    if (args.pageSize != null) argv.push("--page-size", String(args.pageSize));
+    if (args.stockFlag != null) argv.push("--stock-flag", String(args.stockFlag));
+    const r = runCyy(argv);
+    return textResult(r.text, !r.ok);
+  },
+);
+
+mcpServer.registerTool(
+  "api_call",
+  {
+    description:
+      "Low-level API call (cyy api call). module = DEFAULT|ORDER|PRODUCT|PLATFORM|PAYMENT|OSS|BIZ",
+    inputSchema: {
+      method: z.enum(["GET", "POST", "PUT", "PATCH", "DELETE"]),
+      module: z.enum(["DEFAULT", "ORDER", "PRODUCT", "PLATFORM", "PAYMENT", "OSS", "BIZ"]),
+      path: z.string().describe("Path starting with /"),
+      bodyJson: z.string().optional().describe("JSON body string for non-GET"),
+      query: z.array(z.string()).optional().describe('Repeated query pairs key=value e.g. ["shopId=1"]'),
+      bare: z.boolean().optional().describe("Bootstrap headers only (no merged session)"),
+    },
+  },
+  async (args) => {
+    const argv = ["api", "call", "--method", args.method, "--module", args.module, "--path", args.path];
+    if (args.bodyJson != null && args.bodyJson.length) argv.push("--body-json", args.bodyJson);
+    if (args.query && args.query.length) {
+      for (const q of args.query) argv.push("--query", q);
+    }
+    if (args.bare) argv.push("--bare");
+    const r = runCyy(argv);
+    return textResult(r.text, !r.ok);
+  },
+);
+
+function gateWrite(name) {
+  if (!allowWrite()) {
+    return textResult(
+      `Tool "${name}" is disabled. Set env CYY_MCP_ALLOW_WRITE=true on the MCP server to enable cart/order tools.`,
+      true,
+    );
+  }
+  return null;
+}
+
+mcpServer.registerTool(
+  "cart_add",
+  {
+    description: "POST /app/order/cart — requires CYY_MCP_ALLOW_WRITE=true",
+    inputSchema: {
+      bodyJson: z.string().describe("Full cart JSON body"),
+    },
+  },
+  async ({ bodyJson }) => {
+    const g = gateWrite("cart_add");
+    if (g) return g;
+    const r = runCyy(["cart", "add", "--body-json", bodyJson]);
+    return textResult(r.text, !r.ok);
+  },
+);
+
+mcpServer.registerTool(
+  "order_pre_settle",
+  {
+    description: "POST /app/order/preSettleOrder — requires CYY_MCP_ALLOW_WRITE=true",
+    inputSchema: {
+      bodyJson: z.string(),
+    },
+  },
+  async ({ bodyJson }) => {
+    const g = gateWrite("order_pre_settle");
+    if (g) return g;
+    const r = runCyy(["order", "pre-settle", "--body-json", bodyJson]);
+    return textResult(r.text, !r.ok);
+  },
+);
+
+mcpServer.registerTool(
+  "order_confirm",
+  {
+    description: "POST /app/order/confirmOrder — DESTRUCTIVE; requires CYY_MCP_ALLOW_WRITE=true and user confirmation in host app",
+    inputSchema: {
+      bodyJson: z.string(),
+    },
+  },
+  async ({ bodyJson }) => {
+    const g = gateWrite("order_confirm");
+    if (g) return g;
+    const r = runCyy(["order", "confirm", "--body-json", bodyJson]);
+    return textResult(r.text, !r.ok);
+  },
+);
+
+mcpServer.registerTool(
+  "order_quick",
+  {
+    description:
+      "Search→cart→pre-settle→confirm — DESTRUCTIVE; requires CYY_MCP_ALLOW_WRITE=true",
+    inputSchema: {
+      keyword: z.string(),
+      quantity: z.string().optional().describe('default "1"'),
+      unit: z.string().optional().describe('e.g. 袋'),
+      shopId: z.string().optional(),
+      siteId: z.string().optional(),
+    },
+  },
+  async (args) => {
+    const g = gateWrite("order_quick");
+    if (g) return g;
+    const argv = [
+      "order",
+      "quick",
+      "--keyword",
+      args.keyword,
+      "--quantity",
+      args.quantity ?? "1",
+      "--unit",
+      args.unit ?? "袋",
+    ];
+    if (args.shopId != null) argv.push("--shop-id", String(args.shopId));
+    if (args.siteId != null) argv.push("--site-id", String(args.siteId));
+    const r = runCyy(argv);
+    return textResult(r.text, !r.ok);
+  },
+);
+
+mcpServer.registerTool(
+  "order_pay_url",
+  {
+    description: "Build H5 replacePay URL (cyy order pay-url --order-id)",
+    inputSchema: {
+      orderId: z.string(),
+    },
+  },
+  async ({ orderId }) => {
+    const r = runCyy(["order", "pay-url", "--order-id", orderId]);
+    return textResult(r.text, !r.ok);
+  },
+);
+
+async function main() {
+  const transport = new StdioServerTransport();
+  await mcpServer.connect(transport);
+}
+
+main().catch((e) => {
+  console.error(e);
+  process.exit(1);
+});