mcp-coordinator 0.6.1 → 0.7.0

package/dist/src/dependency-map.d.ts

@@ -1,7 +1,28 @@
 import type { ModuleInfo, DependencyMap, BlastRadius } from "./types.js";
 export declare class DependencyMapper {
-    getMap(): DependencyMap;
-    setMap(map: DependencyMap): void;
-    getModuleInfo(moduleId: string): ModuleInfo | null;
-    getBlastRadius(moduleId: string): BlastRadius;
+    /**
+     * Set a single module's dependencies, scoped by org_id.
+     * After Task 5.5, dependency_map PK is (org_id, module_id). Composite conflict target.
+     */
+    setDependencies(orgId: string, moduleId: string, params: {
+        depends_on: string[];
+        exports: string[];
+        owners: string[];
+    }): void;
+    /**
+     * Get a single module's dependencies, scoped by org_id.
+     */
+    getDependencies(orgId: string, moduleId: string): {
+        depends_on: string[];
+        exports: string[];
+        owners: string[];
+    } | null;
+    /**
+     * List all owners in an org's dependency map.
+     */
+    listOwners(orgId: string): string[];
+    getMap(orgId: string): DependencyMap;
+    setMap(orgId: string, map: DependencyMap): void;
+    getModuleInfo(orgId: string, moduleId: string): ModuleInfo | null;
+    getBlastRadius(orgId: string, moduleId: string): BlastRadius;
 }

package/dist/src/dependency-map.js

@@ -1,9 +1,47 @@
 import { getDb } from "./database.js";
 import { withTransaction } from "./db-adapter.js";
 export class DependencyMapper {
-    getMap() {
+    /**
+     * Set a single module's dependencies, scoped by org_id.
+     * After Task 5.5, dependency_map PK is (org_id, module_id). Composite conflict target.
+     */
+    setDependencies(orgId, moduleId, params) {
         const db = getDb();
-        const rows = db.prepare("SELECT * FROM dependency_map").all();
+        db.prepare(`INSERT INTO dependency_map (org_id, module_id, depends_on, exports, owners) VALUES (?, ?, ?, ?, ?)
+       ON CONFLICT(org_id, module_id) DO UPDATE SET
+         depends_on = excluded.depends_on,
+         exports = excluded.exports,
+         owners = excluded.owners`).run(orgId, moduleId, JSON.stringify(params.depends_on), JSON.stringify(params.exports), JSON.stringify(params.owners));
+    }
+    /**
+     * Get a single module's dependencies, scoped by org_id.
+     */
+    getDependencies(orgId, moduleId) {
+        const db = getDb();
+        const row = db.prepare("SELECT depends_on, exports, owners FROM dependency_map WHERE org_id = ? AND module_id = ?").get(orgId, moduleId);
+        if (!row)
+            return null;
+        return {
+            depends_on: JSON.parse(row.depends_on || "[]"),
+            exports: JSON.parse(row.exports || "[]"),
+            owners: JSON.parse(row.owners || "[]"),
+        };
+    }
+    /**
+     * List all owners in an org's dependency map.
+     */
+    listOwners(orgId) {
+        const db = getDb();
+        const rows = db.prepare("SELECT owners FROM dependency_map WHERE org_id = ?").all(orgId);
+        const all = new Set();
+        for (const r of rows)
+            JSON.parse(r.owners || "[]").forEach((o) => all.add(o));
+        return Array.from(all);
+    }
+    // Bulk-shaped helpers (org-scoped)
+    getMap(orgId) {
+        const db = getDb();
+        const rows = db.prepare("SELECT * FROM dependency_map WHERE org_id = ?").all(orgId);
         const map = {};
         for (const row of rows) {
             map[row.module_id] = {
@@ -15,21 +53,21 @@ export class DependencyMapper {
         }
         return map;
     }
-    setMap(map) {
+    setMap(orgId, map) {
         const db = getDb();
-        const stmt = db.prepare(`INSERT INTO dependency_map (module_id, depends_on, exports, owners)
-       VALUES (?, ?, ?, ?)
-       ON CONFLICT(module_id) DO UPDATE SET
+        const stmt = db.prepare(`INSERT INTO dependency_map (org_id, module_id, depends_on, exports, owners)
+       VALUES (?, ?, ?, ?, ?)
+       ON CONFLICT(org_id, module_id) DO UPDATE SET
          depends_on = excluded.depends_on, exports = excluded.exports, owners = excluded.owners`);
         withTransaction(db, () => {
             for (const [id, info] of Object.entries(map)) {
-                stmt.run(id, JSON.stringify(info.depends_on), JSON.stringify(info.exports), JSON.stringify(info.owners));
+                stmt.run(orgId, id, JSON.stringify(info.depends_on), JSON.stringify(info.exports), JSON.stringify(info.owners));
             }
         });
     }
-    getModuleInfo(moduleId) {
+    getModuleInfo(orgId, moduleId) {
         const db = getDb();
-        const row = db.prepare("SELECT * FROM dependency_map WHERE module_id = ?").get(moduleId);
+        const row = db.prepare("SELECT * FROM dependency_map WHERE org_id = ? AND module_id = ?").get(orgId, moduleId);
         if (!row)
             return null;
         return {
@@ -39,8 +77,8 @@ export class DependencyMapper {
             owners: JSON.parse(row.owners),
         };
     }
-    getBlastRadius(moduleId) {
-        const map = this.getMap();
+    getBlastRadius(orgId, moduleId) {
+        const map = this.getMap(orgId);
         const direct = [];
         const indirect = [];
         const visited = new Set();

package/dist/src/file-tracker.d.ts

@@ -1,6 +1,7 @@
 import type { FileActivity } from "./types.js";
 export declare class FileTracker {
     log(params: {
+        org_id: string;
         session_id: string;
         agent_id: string;
         agent_name?: string;
@@ -9,13 +10,13 @@ export declare class FileTracker {
         content_hash?: string | null;
         symbols_touched?: string[] | null;
     }): void;
-    getBySession(sessionId: string): FileActivity[];
-    getHotFiles(sinceMinutes?: number): {
+    getBySession(orgId: string, sessionId: string): FileActivity[];
+    getHotFiles(orgId: string, sinceMinutes?: number): {
         file_path: string;
         agent_count: number;
         agents: string[];
     }[];
-    checkFileConflict(filePath: string, agentId: string, withinMinutes?: number): {
+    checkFileConflict(orgId: string, filePath: string, agentId: string, withinMinutes?: number): {
         conflict: boolean;
         agents: string[];
     };
@@ -28,6 +29,6 @@ export declare class FileTracker {
      * Excludes the calling agent (so the scorer doesn't flag the announcer
      * against themselves). Returns Map<file_path, Set<agent_id>>.
      */
-    getFileToAgentsIndex(filePaths: string[], excludeAgentId: string, withinMinutes?: number): Map<string, Set<string>>;
+    getFileToAgentsIndex(orgId: string, filePaths: string[], excludeAgentId: string, withinMinutes?: number): Map<string, Set<string>>;
     fileToModule(filePath: string): string;
 }

package/dist/src/file-tracker.js

@@ -4,32 +4,33 @@ export class FileTracker {
         const db = getDb();
         const module = this.fileToModule(params.file_path);
         db.prepare(`INSERT INTO file_activity
-       (session_id, agent_id, agent_name, tool_name, file_path, module, content_hash, symbols_touched)
-       VALUES (?, ?, ?, ?, ?, ?, ?, ?)`).run(params.session_id, params.agent_id, params.agent_name || null, params.tool_name, params.file_path, module, params.content_hash || null, params.symbols_touched ? JSON.stringify(params.symbols_touched) : null);
+       (org_id, session_id, agent_id, agent_name, tool_name, file_path, module, content_hash, symbols_touched)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(params.org_id, params.session_id, params.agent_id, params.agent_name || null, params.tool_name, params.file_path, module, params.content_hash || null, params.symbols_touched ? JSON.stringify(params.symbols_touched) : null);
     }
-    getBySession(sessionId) {
+    getBySession(orgId, sessionId) {
         const db = getDb();
-        return db.prepare("SELECT * FROM file_activity WHERE session_id = ? ORDER BY created_at").all(sessionId);
+        return db.prepare("SELECT * FROM file_activity WHERE org_id = ? AND session_id = ? ORDER BY created_at").all(orgId, sessionId);
     }
-    getHotFiles(sinceMinutes = 30) {
+    getHotFiles(orgId, sinceMinutes = 30) {
         const db = getDb();
         const rows = db.prepare(`SELECT file_path, COUNT(DISTINCT agent_id) as agent_count, GROUP_CONCAT(DISTINCT agent_id) as agents
        FROM file_activity
-       WHERE created_at > datetime('now', '-' || ? || ' minutes')
+       WHERE org_id = ?
+         AND created_at > datetime('now', '-' || ? || ' minutes')
        GROUP BY file_path
        HAVING COUNT(DISTINCT agent_id) > 1
-       ORDER BY agent_count DESC`).all(sinceMinutes);
+       ORDER BY agent_count DESC`).all(orgId, sinceMinutes);
         return rows.map((r) => ({
             file_path: r.file_path,
             agent_count: r.agent_count,
             agents: r.agents.split(","),
         }));
     }
-    checkFileConflict(filePath, agentId, withinMinutes = 30) {
+    checkFileConflict(orgId, filePath, agentId, withinMinutes = 30) {
         const db = getDb();
         const rows = db.prepare(`SELECT DISTINCT agent_id FROM file_activity
-       WHERE file_path = ? AND agent_id != ?
-       AND created_at > datetime('now', '-' || ? || ' minutes')`).all(filePath, agentId, withinMinutes);
+       WHERE org_id = ? AND file_path = ? AND agent_id != ?
+         AND created_at > datetime('now', '-' || ? || ' minutes')`).all(orgId, filePath, agentId, withinMinutes);
         return { conflict: rows.length > 0, agents: rows.map((r) => r.agent_id) };
     }
     /**
@@ -41,7 +42,7 @@ export class FileTracker {
      * Excludes the calling agent (so the scorer doesn't flag the announcer
      * against themselves). Returns Map<file_path, Set<agent_id>>.
      */
-    getFileToAgentsIndex(filePaths, excludeAgentId, withinMinutes = 30) {
+    getFileToAgentsIndex(orgId, filePaths, excludeAgentId, withinMinutes = 30) {
         const index = new Map();
         if (filePaths.length === 0)
             return index;
@@ -51,9 +52,10 @@ export class FileTracker {
         // a handful of files per announce_work call).
         const placeholders = filePaths.map(() => "?").join(",");
         const rows = db.prepare(`SELECT DISTINCT file_path, agent_id FROM file_activity
-       WHERE file_path IN (${placeholders})
-       AND agent_id != ?
-       AND created_at > datetime('now', '-' || ? || ' minutes')`).all(...filePaths, excludeAgentId, withinMinutes);
+       WHERE org_id = ?
+         AND file_path IN (${placeholders})
+         AND agent_id != ?
+         AND created_at > datetime('now', '-' || ? || ' minutes')`).all(orgId, ...filePaths, excludeAgentId, withinMinutes);
         for (const r of rows) {
             let set = index.get(r.file_path);
             if (!set) {

package/dist/src/git-cochange-builder.d.ts

@@ -22,11 +22,20 @@ export declare class GitCochangeBuilder {
     private timer;
     constructor(opts: BuilderOpts);
     /** Build once. Resolves after persistence. */
-    build(): Promise<void>;
+    build(orgId: string): Promise<void>;
+    /** Query co-change partners for a file, scoped to the given org. */
+    query(orgId: string, filePath: string): Array<{
+        org_id: string;
+        file_a: string;
+        file_b: string;
+        count: number;
+        total_commits: number;
+        computed_at: string;
+    }>;
     private runGitLog;
     private parseLog;
     /** Schedule a refresh loop. unref() so it doesn't keep the loop alive. */
-    startScheduler(): void;
+    startScheduler(orgId: string): void;
     stopScheduler(): void;
 }
 export {};

package/dist/src/git-cochange-builder.js

@@ -30,9 +30,9 @@ export class GitCochangeBuilder {
         this.metrics = opts.metrics;
     }
     /** Build once. Resolves after persistence. */
-    async build() {
+    async build(orgId) {
         const db = getDb();
-        const setMeta = (k, v) => db.prepare("INSERT OR REPLACE INTO git_cochange_meta (k, v) VALUES (?, ?)").run(k, v);
+        const setMeta = (k, v) => db.prepare("INSERT OR REPLACE INTO git_cochange_meta (org_id, k, v) VALUES (?, ?, ?)").run(orgId, k, v);
         if (!existsSync(path.join(this.repoRoot, ".git"))) {
             this.log.info({}, "Layer 4 unavailable: no .git");
             setMeta("available", "false");
@@ -85,8 +85,9 @@ export class GitCochangeBuilder {
         if (promiscuous.size > 0) {
             this.log.info({ count: promiscuous.size, files: Array.from(promiscuous) }, "Layer 4 dynamic predictor cap excluded files");
         }
-        db.exec("DELETE FROM git_cochange");
-        const stmt = db.prepare("INSERT INTO git_cochange (file_a, file_b, count, total_commits, computed_at) VALUES (?, ?, ?, ?, datetime('now'))");
+        // Scope the DELETE to this org only — never wipe another org's rows.
+        db.prepare("DELETE FROM git_cochange WHERE org_id = ?").run(orgId);
+        const stmt = db.prepare("INSERT INTO git_cochange (org_id, file_a, file_b, count, total_commits, computed_at) VALUES (?, ?, ?, ?, ?, datetime('now'))");
         const insertMany = db.transaction(() => {
             for (const [key, count] of pairs.entries()) {
                 const [a, b] = key.split("|");
@@ -96,7 +97,7 @@ export class GitCochangeBuilder {
                 if (promiscuous.has(a) || promiscuous.has(b))
                     continue;
                 if (a < b)
-                    stmt.run(a, b, count, totalCommits);
+                    stmt.run(orgId, a, b, count, totalCommits);
             }
         });
         insertMany();
@@ -105,6 +106,13 @@ export class GitCochangeBuilder {
         this.metrics?.gitCochangeBuilds.inc({ outcome: "success" });
         this.metrics?.gitCochangePairs.set(pairs.size);
     }
+    /** Query co-change partners for a file, scoped to the given org. */
+    query(orgId, filePath) {
+        const db = getDb();
+        return db.prepare(`SELECT org_id, file_a, file_b, count, total_commits, computed_at FROM git_cochange
+       WHERE org_id = ? AND (file_a = ? OR file_b = ?)
+       ORDER BY count DESC LIMIT 50`).all(orgId, filePath, filePath);
+    }
     runGitLog() {
         return new Promise((resolve, reject) => {
             const args = [
@@ -211,10 +219,10 @@ export class GitCochangeBuilder {
         return { pairs, totalCommits };
     }
     /** Schedule a refresh loop. unref() so it doesn't keep the loop alive. */
-    startScheduler() {
+    startScheduler(orgId) {
         const tick = async () => {
             try {
-                await this.build();
+                await this.build(orgId);
                 this.timer = setTimeout(tick, this.refreshMs);
             }
             catch (err) {

package/dist/src/http/handle-health.d.ts

@@ -14,10 +14,14 @@ export declare function handleLivez(_req: IncomingMessage, res: ServerResponse):
  * identical between 200 and 503 so consumers can parse uniformly.
  */
 export declare function handleReadyz(_req: IncomingMessage, res: ServerResponse, services: Pick<CoordinatorServices, "mqttBridge" | "treeSitter" | "gitCochange">): void;
+export interface HealthOptions {
+    authEnabled?: boolean;
+    jwtSecretSet?: boolean;
+}
 /**
- * Backwards-compatible alias. The original /health route returned a fixed
- * {status:"ok",version} payload with no dep checks; semantically that is a
- * liveness probe, so we delegate. Anything that polled /health for "is the
- * process up" continues to work without changes.
+ * Backwards-compatible alias extended with auth config status reporting.
+ * The original /health route returned a fixed {status:"ok",version} payload;
+ * we preserve that shape and ADD auth_enabled, jwt_secret_set, and warnings
+ * so operators can verify auth config without inspecting logs.
  */
-export declare function handleHealth(req: IncomingMessage, res: ServerResponse): void;
+export declare function handleHealth(_req: IncomingMessage, res: ServerResponse, options?: HealthOptions): Promise<void>;

package/dist/src/http/handle-health.js

@@ -83,8 +83,8 @@ export function handleReadyz(_req, res, services) {
     // Optional: git_cochange availability (does NOT gate readiness — Layer 4 degrades gracefully)
     try {
         const row = getDb()
-            .prepare("SELECT v FROM git_cochange_meta WHERE k = ?")
-            .get("available");
+            .prepare("SELECT v FROM git_cochange_meta WHERE org_id = ? AND k = ?")
+            .get("default", "available");
         checks.git_cochange = {
             available: row?.v === "true",
             status: row?.v ?? "unavailable",
@@ -102,11 +102,25 @@ export function handleReadyz(_req, res, services) {
     }, allOk ? 200 : 503);
 }
 /**
- * Backwards-compatible alias. The original /health route returned a fixed
- * {status:"ok",version} payload with no dep checks; semantically that is a
- * liveness probe, so we delegate. Anything that polled /health for "is the
- * process up" continues to work without changes.
+ * Backwards-compatible alias extended with auth config status reporting.
+ * The original /health route returned a fixed {status:"ok",version} payload;
+ * we preserve that shape and ADD auth_enabled, jwt_secret_set, and warnings
+ * so operators can verify auth config without inspecting logs.
  */
-export function handleHealth(req, res) {
-    return handleLivez(req, res);
+export async function handleHealth(_req, res, options = {}) {
+    const authEnabled = options.authEnabled ?? false;
+    const jwtSecretSet = options.jwtSecretSet ?? false;
+    const warnings = [];
+    if (authEnabled && !jwtSecretSet) {
+        warnings.push("AUTH_ENABLED=true but COORDINATOR_JWT_SECRET is unset — sessions invalidate on restart");
+    }
+    const body = {
+        status: "alive",
+        uptime_seconds: uptimeSeconds(),
+        version: VERSION,
+        auth_enabled: authEnabled,
+        jwt_secret_set: jwtSecretSet,
+        warnings,
+    };
+    json(res, body);
 }

package/dist/src/http/handle-rest.d.ts

@@ -1,6 +1,7 @@
 import type { IncomingMessage, ServerResponse } from "http";
 import type { CoordinatorServices } from "../server-setup.js";
 import type { Logger } from "../logger.js";
+import type { AuthClaims } from "../auth.js";
 /**
  * S1: REST router extracted from serve-http.ts. Was a 382-line `handleRest`
  * function inside startServer's closure with module-scope captures for
@@ -17,6 +18,8 @@ export interface RestContext {
     services: CoordinatorServices;
     httpLog: Logger;
     authEnabled: boolean;
+    /** Authenticated identity for this request. Synthetic legacy claims when AUTH_ENABLED=false and no Bearer. */
+    claims: AuthClaims;
     getRunConfig: () => Record<string, unknown> | null;
     setRunConfig: (cfg: Record<string, unknown> | null) => void;
 }