npm - drafted - Versions diffs - 1.3.0 → 1.5.0 - Mend

drafted 1.3.0 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/mcp/server.mjs +125 -18
package/package.json +1 -1

package/mcp/server.mjs CHANGED Viewed

@@ -32,12 +32,54 @@ const __dirname = dirname(fileURLToPath(import.meta.url));
 const requestState = new AsyncLocalStorage();
 const standaloneState = { sessionId: null, projectId: null, projectMeta: null };
+// Per-MCP-session sticky state. Keyed by Clerk sessionId (HTTP /mcp route)
+// or '__stdio__' for the long-lived stdio process. Holds active-project,
+// loaded-skill, and cached-org state that must persist across HTTP request
+// boundaries so a `project open` followed by `frame.read` in a separate
+// request still has an active project.
+//
+// Using a per-session bucket also fixes a multi-tenant correctness bug: with
+// module-global state, user A's loaded skills and cached orgId would leak
+// into user B's request, and the gate would check the wrong org's skills.
+const sessionStates = new Map();
+function getOrCreateSessionState(sid) {
+  const key = sid || '__stdio__';
+  let s = sessionStates.get(key);
+  if (!s) {
+    s = {
+      activeProjectId: null,
+      activeProjectMeta: null,
+      loadedSkillIds: new Set(),
+      cachedOrgId: null,
+      cachedOrgIdTime: 0,
+      wsSessionId: null,
+    };
+    sessionStates.set(key, s);
+  }
+  return s;
+}
+function getSessionState() {
+  const rs = requestState.getStore();
+  if (rs && rs._session) return rs._session;
+  return getOrCreateSessionState(null); // stdio fallback
+}
 function getState() {
   return requestState.getStore() || standaloneState;
 }
 export function runWithRequestState(initial, fn) {
-  return requestState.run({ ...standaloneState, ...initial }, fn);
+  const session = getOrCreateSessionState(initial.sessionId);
+  // Hydrate request state from session: if the caller didn't pass an explicit
+  // projectId, fall back to the active project remembered for this session.
+  const merged = { ...standaloneState, ...initial, _session: session };
+  if (merged.projectId == null && session.activeProjectId) {
+    merged.projectId = session.activeProjectId;
+    merged.projectMeta = session.activeProjectMeta;
+  }
+  return requestState.run(merged, fn);
 }
 // ── MCP server factory ────────────────────────────────────────────
@@ -377,6 +419,12 @@ function setMcpActiveProject(projectId, meta = null) {
   const s = getState();
   s.projectId = projectId;
   s.projectMeta = meta; // { id, slug, name, orgId } — for echo on mutation responses
+  // Persist to session state so subsequent HTTP requests in the same MCP
+  // session inherit the active project (without this, every call after
+  // project.open in HTTP mode would start with projectId=null again).
+  const sess = getSessionState();
+  sess.activeProjectId = projectId;
+  sess.activeProjectMeta = meta;
 }
 // Returns { id, slug, name, orgId } for the project this MCP session most
@@ -494,7 +542,10 @@ async function checkAnchors(layer) {
 // ── Project skill enforcement ─────────────────────────────────────
 // Skills attached to a project must be loaded by the agent before any
 // mutating operation in that project. Same shape as anchor enforcement.
-const loadedSkillIds = new Set();
+//
+// Loaded-skill state is per-MCP-session (see getSessionState) so that
+// (a) skill.load + wiki.write across separate HTTP requests stay coherent
+// and (b) one user's loads never satisfy another user's gate.
 const projectSkillsCache = new Map(); // projectId -> { data, time }
 async function getProjectSkills(projectId) {
@@ -519,7 +570,8 @@ async function checkProjectSkills(projectId, operation) {
   if (!projectId) return null;
   const skills = await getProjectSkills(projectId);
   if (skills.length === 0) return null;
-  const unloaded = skills.filter(s => !loadedSkillIds.has(s.id));
+  const loaded = getSessionState().loadedSkillIds;
+  const unloaded = skills.filter(s => !loaded.has(s.id));
   if (unloaded.length === 0) return null;
   // Fire-and-forget: tell the server so any open browser shows a toast.
@@ -539,24 +591,23 @@ async function checkProjectSkills(projectId, operation) {
 // Same shape as project skill enforcement but for org-attached skills.
 // Wiki mutations require org skills to be loaded first.
-let cachedOrgId = null;
-let cachedOrgIdTime = 0;
 async function getCurrentOrgId() {
   const ctx = await getCurrentOrgContext();
   return ctx?.id || null;
 }
 // Returns { id, name } for the org bound to THIS MCP session. Each session is
-// independent on purpose — parallel agents can run on different orgs.
+// independent on purpose — parallel agents can run on different orgs. Cache
+// is per-session, not module-global, so concurrent OAuth users can't collide.
 async function getCurrentOrgContext() {
-  if (cachedOrgId && Date.now() - cachedOrgIdTime < 30000) return cachedOrgId;
+  const sess = getSessionState();
+  if (sess.cachedOrgId && Date.now() - sess.cachedOrgIdTime < 30000) return sess.cachedOrgId;
   try {
     const data = await api('GET', '/auth/me');
     if (!data?.orgId) return null;
-    cachedOrgId = { id: data.orgId, name: data.currentOrg?.name || null };
-    cachedOrgIdTime = Date.now();
-    return cachedOrgId;
+    sess.cachedOrgId = { id: data.orgId, name: data.currentOrg?.name || null };
+    sess.cachedOrgIdTime = Date.now();
+    return sess.cachedOrgId;
   } catch { return null; }
 }
@@ -574,7 +625,8 @@ async function checkOrgSkills(orgId, operation) {
   if (!orgId) return null;
   const skills = await getOrgSkills(orgId);
   if (skills.length === 0) return null;
-  const unloaded = skills.filter(s => !loadedSkillIds.has(s.id));
+  const loaded = getSessionState().loadedSkillIds;
+  const unloaded = skills.filter(s => !loaded.has(s.id));
   if (unloaded.length === 0) return null;
   const lines = unloaded.map(s => `  skill(action="load", skill="${s.slug || s.id}")  -- ${s.name}`);
   return `This org has ${skills.length} attached skill(s) that must be loaded before making changes. ` +
@@ -828,7 +880,7 @@ tool('project', 'START HERE for project management. Dispatch by `action`: list (
               s.files = full.files || [];
               // Skill content was inlined in this response — count it as loaded
               // so the project-skill gate doesn't immediately demand a re-load.
-              loadedSkillIds.add(s.id);
+              getSessionState().loadedSkillIds.add(s.id);
             } catch { /* skip */ }
           }
         }
@@ -838,7 +890,8 @@ tool('project', 'START HERE for project management. Dispatch by `action`: list (
         const responseExtras = { url, opened: true, navigated, skills: projectSkillsList };
         if (projectSkillsList.length > 3) {
-          const unloaded = projectSkillsList.filter(s => !loadedSkillIds.has(s.id));
+          const sessionLoaded = getSessionState().loadedSkillIds;
+          const unloaded = projectSkillsList.filter(s => !sessionLoaded.has(s.id));
           if (unloaded.length > 0) {
             responseExtras.skillGateNotice =
               `This project has ${projectSkillsList.length} attached skills (too many to auto-inline). ` +
@@ -1151,6 +1204,7 @@ tool('frame', 'Frame CRUD in the ACTIVE PROJECT. Dispatch by `action`: read (by
   })).optional().describe('[edit] hashline edit operations'),
   from: z.string().optional().describe('[mv] source path /{layer}/{lane}/{filename}'),
   to: z.string().optional().describe('[mv] destination path /{layer}/{lane}/{filename}'),
+  dryRun: z.boolean().optional().describe('[mv] preview the move without applying it; returns the resolved frame and current path so you can confirm before retrying with dryRun=false.'),
   anchored: z.boolean().optional().describe('[anchor] true to anchor, false to unanchor. Anchored frames MUST be read before writing/editing in the same layer.'),
   query: z.string().optional().describe('[search] term to match against frame names'),
   projectId: z.string().optional().describe('[search] limit to a specific project (optional)'),
@@ -1254,8 +1308,20 @@ tool('frame', 'Frame CRUD in the ACTIVE PROJECT. Dispatch by `action`: read (by
         });
       }
       case 'mv': {
-        const { from, to } = args;
+        const { from, to, dryRun = false } = args;
         if (!from || !to) throw new Error('from and to required for action=mv');
+        if (dryRun) {
+          // Resolve current frame at `from`. Don't apply the rename, just
+          // confirm the source exists and report what `to` will become.
+          const current = await api('GET', `/api/fs?path=${encodeURIComponent(from)}`);
+          return ok(withProject({
+            dryRun: true,
+            from,
+            to,
+            currentFrame: current?.frame || current,
+            note: 'No changes applied. Re-call with dryRun=false (or omit) to perform the rename.',
+          }));
+        }
         const skillErr = await checkProjectSkills(getState().projectId);
         if (skillErr) return err(new Error(skillErr));
         const fromErr = await checkAnchors(parseLayer(from));
@@ -1693,7 +1759,7 @@ tool('skill', 'Manage the Drafted skill library. Skills are reusable prompts/gui
         const isUuid = /^[a-f0-9-]{36}$/.test(skill);
         const endpoint = isUuid ? `/api/skills/${skill}` : `/api/skills/slug/${skill}`;
         const result = await api('GET', endpoint);
-        if (result?.id) loadedSkillIds.add(result.id);
+        if (result?.id) getSessionState().loadedSkillIds.add(result.id);
         return ok(result);
       }
       case 'list': {
@@ -1772,7 +1838,7 @@ tool('skill', 'Manage the Drafted skill library. Skills are reusable prompts/gui
 // skill gate; mutations require org-level wiki-maintainer skills loaded.
 tool('wiki', 'Per-org wiki. Markdown pages with paths as hierarchy. You and other agents/humans share maintenance — every edit broadcasts live, and edits from others appear in `recent` and on `read`.\n\nBefore mutating: check `recent` and `search` for relevant existing pages. Before mv/rm: check `links` (or pass `dryRun=true`). After completing a logical session of work, append a `log` entry.\n\nThe tool handles bookkeeping you\'d otherwise forget: `mv` rewrites inbound references via the link index, `read` shows who edited last and when. Use `health` to find unlinked pages and broken links.\n\n**Skill gate:** the org may attach a `wiki-maintainer` skill that you MUST load before mutations. If you get a skill-gate error, run skill(action="load", skill="wiki-maintainer") then retry.', {
-  action: z.enum(['ls', 'recent', 'read', 'search', 'links', 'log', 'health', 'write', 'edit', 'mv', 'rm', 'source-register', 'source-list', 'source-get']).describe('Operation to perform.'),
+  action: z.enum(['ls', 'recent', 'read', 'search', 'links', 'log', 'health', 'write', 'edit', 'mv', 'rm', 'source-register', 'source-list', 'source-get', 'bulk-write']).describe('Operation to perform.'),
   path: z.string().optional().describe('[ls|read|links] wiki path. For ls: default / (root). For read: required. For links: required.'),
   recursive: z.boolean().optional().describe('[ls] list recursively with depth indicators'),
   limit: z.number().optional().describe('[recent|search] max results (recent default 10, search default 25)'),
@@ -1797,6 +1863,8 @@ tool('wiki', 'Per-org wiki. Markdown pages with paths as hierarchy. You and othe
   contentType: z.string().optional().describe('[source-register] MIME type (informational)'),
   size: z.number().optional().describe('[source-register] byte size (informational)'),
   sourceId: z.string().optional().describe('[source-get] source ID returned from source-register'),
+  manifest_path: z.string().optional().describe('[bulk-write] absolute path to a JSON file containing {pages: [{path, title, content, type?, frontmatter?}, ...]}. The MCP wrapper reads the file locally and posts the array to the server in a single request — avoids round-tripping every page through tool args.'),
+  pages: z.array(z.any()).optional().describe('[bulk-write] alternative to manifest_path: pass the pages array inline.'),
 }, async (args) => {
   try {
     const { action } = args;
@@ -1813,7 +1881,7 @@ tool('wiki', 'Per-org wiki. Markdown pages with paths as hierarchy. You and othe
     // Ensure the wiki-maintainer skill is attached to this org BEFORE the
     // gate check, so the gate fires reliably on the very first wiki call —
     // not just after the org has visited /wiki in a browser. Idempotent.
-    const MUTATING = new Set(['write', 'edit', 'mv', 'rm', 'log', 'source-register']);
+    const MUTATING = new Set(['write', 'edit', 'mv', 'rm', 'log', 'source-register', 'bulk-write']);
     if (MUTATING.has(action)) {
       try { await api('POST', '/api/wiki/_ensure-skill'); } catch { /* non-fatal */ }
       const skillErr = await checkOrgSkills(orgId, action);
@@ -2049,6 +2117,45 @@ tool('wiki', 'Per-org wiki. Markdown pages with paths as hierarchy. You and othe
         return ok(withOrg({ deleted: true, path: normalized, id: page.id, brokenReferences: broken }));
       }
+      // ── bulk-write ──────────────────────────────────────────────
+      // Commit many pages in a single transaction. The MCP wrapper reads
+      // the manifest file locally and posts the pages array inline to
+      // /api/wiki/pages/bulk — avoids paying a tool-call round-trip per
+      // page and keeps the orchestrator's context clean.
+      case 'bulk-write': {
+        const { manifest_path, pages: inlinePages } = args;
+        let pages;
+        if (manifest_path) {
+          if (!existsSync(manifest_path)) throw new Error(`manifest not found: ${manifest_path}`);
+          const text = readFileSync(manifest_path, 'utf8');
+          let parsed;
+          try { parsed = JSON.parse(text); } catch (e) { throw new Error(`invalid JSON in ${manifest_path}: ${e.message}`); }
+          // Accept either {pages: [...]} or a bare array
+          pages = Array.isArray(parsed) ? parsed : parsed.pages;
+        } else if (Array.isArray(inlinePages)) {
+          pages = inlinePages;
+        } else {
+          throw new Error('bulk-write requires either manifest_path or pages array');
+        }
+        if (!Array.isArray(pages) || pages.length === 0) throw new Error('pages array is empty');
+        // Strip surplus fields the server ignores; keep payload tight.
+        const payload = pages.map((p) => ({
+          path: p.path,
+          title: p.title,
+          content: p.content,
+          type: p.type,
+          frontmatter: p.frontmatter,
+        }));
+        const result = await api('POST', '/api/wiki/pages/bulk', { pages: payload });
+        return ok(withOrg({
+          created: result.created?.length ?? 0,
+          updated: result.updated?.length ?? 0,
+          createdPaths: (result.created ?? []).map((r) => r.path),
+          updatedPaths: (result.updated ?? []).map((r) => r.path),
+          errors: result.errors ?? [],
+        }));
+      }
       // ── source-register ────────────────────────────────────────
       // Register an external source (paper, article, transcript) by content
       // hash. Idempotent: same hash + same org returns the existing source

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "drafted",
-  "version": "1.3.0",
+  "version": "1.5.0",
   "description": "Drafted CLI - Design preview server for Claude agents",
   "type": "module",
   "files": [