npm - drafted - Versions diffs - 1.4.0 → 1.5.0 - Mend

drafted 1.4.0 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/mcp/server.mjs +82 -16
package/package.json +1 -1

package/mcp/server.mjs CHANGED Viewed

@@ -32,12 +32,54 @@ const __dirname = dirname(fileURLToPath(import.meta.url));
 const requestState = new AsyncLocalStorage();
 const standaloneState = { sessionId: null, projectId: null, projectMeta: null };
+// Per-MCP-session sticky state. Keyed by Clerk sessionId (HTTP /mcp route)
+// or '__stdio__' for the long-lived stdio process. Holds active-project,
+// loaded-skill, and cached-org state that must persist across HTTP request
+// boundaries so a `project open` followed by `frame.read` in a separate
+// request still has an active project.
+//
+// Using a per-session bucket also fixes a multi-tenant correctness bug: with
+// module-global state, user A's loaded skills and cached orgId would leak
+// into user B's request, and the gate would check the wrong org's skills.
+const sessionStates = new Map();
+function getOrCreateSessionState(sid) {
+  const key = sid || '__stdio__';
+  let s = sessionStates.get(key);
+  if (!s) {
+    s = {
+      activeProjectId: null,
+      activeProjectMeta: null,
+      loadedSkillIds: new Set(),
+      cachedOrgId: null,
+      cachedOrgIdTime: 0,
+      wsSessionId: null,
+    };
+    sessionStates.set(key, s);
+  }
+  return s;
+}
+function getSessionState() {
+  const rs = requestState.getStore();
+  if (rs && rs._session) return rs._session;
+  return getOrCreateSessionState(null); // stdio fallback
+}
 function getState() {
   return requestState.getStore() || standaloneState;
 }
 export function runWithRequestState(initial, fn) {
-  return requestState.run({ ...standaloneState, ...initial }, fn);
+  const session = getOrCreateSessionState(initial.sessionId);
+  // Hydrate request state from session: if the caller didn't pass an explicit
+  // projectId, fall back to the active project remembered for this session.
+  const merged = { ...standaloneState, ...initial, _session: session };
+  if (merged.projectId == null && session.activeProjectId) {
+    merged.projectId = session.activeProjectId;
+    merged.projectMeta = session.activeProjectMeta;
+  }
+  return requestState.run(merged, fn);
 }
 // ── MCP server factory ────────────────────────────────────────────
@@ -377,6 +419,12 @@ function setMcpActiveProject(projectId, meta = null) {
   const s = getState();
   s.projectId = projectId;
   s.projectMeta = meta; // { id, slug, name, orgId } — for echo on mutation responses
+  // Persist to session state so subsequent HTTP requests in the same MCP
+  // session inherit the active project (without this, every call after
+  // project.open in HTTP mode would start with projectId=null again).
+  const sess = getSessionState();
+  sess.activeProjectId = projectId;
+  sess.activeProjectMeta = meta;
 }
 // Returns { id, slug, name, orgId } for the project this MCP session most
@@ -494,7 +542,10 @@ async function checkAnchors(layer) {
 // ── Project skill enforcement ─────────────────────────────────────
 // Skills attached to a project must be loaded by the agent before any
 // mutating operation in that project. Same shape as anchor enforcement.
-const loadedSkillIds = new Set();
+//
+// Loaded-skill state is per-MCP-session (see getSessionState) so that
+// (a) skill.load + wiki.write across separate HTTP requests stay coherent
+// and (b) one user's loads never satisfy another user's gate.
 const projectSkillsCache = new Map(); // projectId -> { data, time }
 async function getProjectSkills(projectId) {
@@ -519,7 +570,8 @@ async function checkProjectSkills(projectId, operation) {
   if (!projectId) return null;
   const skills = await getProjectSkills(projectId);
   if (skills.length === 0) return null;
-  const unloaded = skills.filter(s => !loadedSkillIds.has(s.id));
+  const loaded = getSessionState().loadedSkillIds;
+  const unloaded = skills.filter(s => !loaded.has(s.id));
   if (unloaded.length === 0) return null;
   // Fire-and-forget: tell the server so any open browser shows a toast.
@@ -539,24 +591,23 @@ async function checkProjectSkills(projectId, operation) {
 // Same shape as project skill enforcement but for org-attached skills.
 // Wiki mutations require org skills to be loaded first.
-let cachedOrgId = null;
-let cachedOrgIdTime = 0;
 async function getCurrentOrgId() {
   const ctx = await getCurrentOrgContext();
   return ctx?.id || null;
 }
 // Returns { id, name } for the org bound to THIS MCP session. Each session is
-// independent on purpose — parallel agents can run on different orgs.
+// independent on purpose — parallel agents can run on different orgs. Cache
+// is per-session, not module-global, so concurrent OAuth users can't collide.
 async function getCurrentOrgContext() {
-  if (cachedOrgId && Date.now() - cachedOrgIdTime < 30000) return cachedOrgId;
+  const sess = getSessionState();
+  if (sess.cachedOrgId && Date.now() - sess.cachedOrgIdTime < 30000) return sess.cachedOrgId;
   try {
     const data = await api('GET', '/auth/me');
     if (!data?.orgId) return null;
-    cachedOrgId = { id: data.orgId, name: data.currentOrg?.name || null };
-    cachedOrgIdTime = Date.now();
-    return cachedOrgId;
+    sess.cachedOrgId = { id: data.orgId, name: data.currentOrg?.name || null };
+    sess.cachedOrgIdTime = Date.now();
+    return sess.cachedOrgId;
   } catch { return null; }
 }
@@ -574,7 +625,8 @@ async function checkOrgSkills(orgId, operation) {
   if (!orgId) return null;
   const skills = await getOrgSkills(orgId);
   if (skills.length === 0) return null;
-  const unloaded = skills.filter(s => !loadedSkillIds.has(s.id));
+  const loaded = getSessionState().loadedSkillIds;
+  const unloaded = skills.filter(s => !loaded.has(s.id));
   if (unloaded.length === 0) return null;
   const lines = unloaded.map(s => `  skill(action="load", skill="${s.slug || s.id}")  -- ${s.name}`);
   return `This org has ${skills.length} attached skill(s) that must be loaded before making changes. ` +
@@ -828,7 +880,7 @@ tool('project', 'START HERE for project management. Dispatch by `action`: list (
               s.files = full.files || [];
               // Skill content was inlined in this response — count it as loaded
               // so the project-skill gate doesn't immediately demand a re-load.
-              loadedSkillIds.add(s.id);
+              getSessionState().loadedSkillIds.add(s.id);
             } catch { /* skip */ }
           }
         }
@@ -838,7 +890,8 @@ tool('project', 'START HERE for project management. Dispatch by `action`: list (
         const responseExtras = { url, opened: true, navigated, skills: projectSkillsList };
         if (projectSkillsList.length > 3) {
-          const unloaded = projectSkillsList.filter(s => !loadedSkillIds.has(s.id));
+          const sessionLoaded = getSessionState().loadedSkillIds;
+          const unloaded = projectSkillsList.filter(s => !sessionLoaded.has(s.id));
           if (unloaded.length > 0) {
             responseExtras.skillGateNotice =
               `This project has ${projectSkillsList.length} attached skills (too many to auto-inline). ` +
@@ -1151,6 +1204,7 @@ tool('frame', 'Frame CRUD in the ACTIVE PROJECT. Dispatch by `action`: read (by
   })).optional().describe('[edit] hashline edit operations'),
   from: z.string().optional().describe('[mv] source path /{layer}/{lane}/{filename}'),
   to: z.string().optional().describe('[mv] destination path /{layer}/{lane}/{filename}'),
+  dryRun: z.boolean().optional().describe('[mv] preview the move without applying it; returns the resolved frame and current path so you can confirm before retrying with dryRun=false.'),
   anchored: z.boolean().optional().describe('[anchor] true to anchor, false to unanchor. Anchored frames MUST be read before writing/editing in the same layer.'),
   query: z.string().optional().describe('[search] term to match against frame names'),
   projectId: z.string().optional().describe('[search] limit to a specific project (optional)'),
@@ -1254,8 +1308,20 @@ tool('frame', 'Frame CRUD in the ACTIVE PROJECT. Dispatch by `action`: read (by
         });
       }
       case 'mv': {
-        const { from, to } = args;
+        const { from, to, dryRun = false } = args;
         if (!from || !to) throw new Error('from and to required for action=mv');
+        if (dryRun) {
+          // Resolve current frame at `from`. Don't apply the rename, just
+          // confirm the source exists and report what `to` will become.
+          const current = await api('GET', `/api/fs?path=${encodeURIComponent(from)}`);
+          return ok(withProject({
+            dryRun: true,
+            from,
+            to,
+            currentFrame: current?.frame || current,
+            note: 'No changes applied. Re-call with dryRun=false (or omit) to perform the rename.',
+          }));
+        }
         const skillErr = await checkProjectSkills(getState().projectId);
         if (skillErr) return err(new Error(skillErr));
         const fromErr = await checkAnchors(parseLayer(from));
@@ -1693,7 +1759,7 @@ tool('skill', 'Manage the Drafted skill library. Skills are reusable prompts/gui
         const isUuid = /^[a-f0-9-]{36}$/.test(skill);
         const endpoint = isUuid ? `/api/skills/${skill}` : `/api/skills/slug/${skill}`;
         const result = await api('GET', endpoint);
-        if (result?.id) loadedSkillIds.add(result.id);
+        if (result?.id) getSessionState().loadedSkillIds.add(result.id);
         return ok(result);
       }
       case 'list': {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "drafted",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "description": "Drafted CLI - Design preview server for Claude agents",
   "type": "module",
   "files": [