ont-run 0.0.1 → 0.0.3

package/src/lockfile/differ.ts

@@ -114,6 +114,8 @@ export function diffOntology(
       const fieldReferencesChanged =
         JSON.stringify(oldFn.fieldReferences) !==
         JSON.stringify(newFn.fieldReferences);
+      const userContextChanged =
+        !!oldFn.usesUserContext !== !!newFn.usesUserContext;
 
       if (
         accessChanged ||
@@ -121,7 +123,8 @@ export function diffOntology(
         inputsChanged ||
         outputsChanged ||
         entitiesChanged ||
-        fieldReferencesChanged
+        fieldReferencesChanged ||
+        userContextChanged
       ) {
         functions.push({
           name,
@@ -136,6 +139,8 @@ export function diffOntology(
           oldEntities: entitiesChanged ? oldFn.entities : undefined,
           newEntities: entitiesChanged ? newFn.entities : undefined,
           fieldReferencesChanged: fieldReferencesChanged || undefined,
+          userContextChanged: userContextChanged || undefined,
+          usesUserContext: userContextChanged ? newFn.usesUserContext : undefined,
         });
       }
     }
@@ -234,6 +239,9 @@ export function formatDiffForConsole(diff: OntologyDiff): string {
         if (fn.fieldReferencesChanged) {
           lines.push(`    Field references: changed`);
         }
+        if (fn.userContextChanged) {
+          lines.push(`    User context: ${fn.usesUserContext ? 'added' : 'removed'}`);
+        }
       }
     }
   }

package/src/lockfile/hasher.ts

@@ -2,7 +2,7 @@ import { createHash } from "crypto";
 import { z } from "zod";
 import { zodToJsonSchema } from "zod-to-json-schema";
 import type { OntologyConfig } from "../config/types.js";
-import { getFieldFromMetadata } from "../config/categorical.js";
+import { getFieldFromMetadata, getUserContextFields } from "../config/categorical.js";
 import type {
   OntologySnapshot,
   FunctionShape,
@@ -112,6 +112,10 @@ export function extractOntology(config: OntologyConfig): OntologySnapshot {
     // Extract field references
     const fieldReferences = extractFieldReferences(fn.inputs);
 
+    // Check if function uses userContext
+    const userContextFields = getUserContextFields(fn.inputs);
+    const usesUserContext = userContextFields.length > 0;
+
     functions[name] = {
       description: fn.description,
       // Sort access groups for consistent hashing
@@ -122,6 +126,7 @@ export function extractOntology(config: OntologyConfig): OntologySnapshot {
       outputsSchema,
       fieldReferences:
         fieldReferences.length > 0 ? fieldReferences : undefined,
+      usesUserContext: usesUserContext || undefined,
     };
   }
 

package/src/lockfile/types.ts

@@ -24,6 +24,8 @@ export interface FunctionShape {
   outputsSchema?: Record<string, unknown>;
   /** Fields that reference other functions for their options */
   fieldReferences?: FieldReference[];
+  /** Whether this function uses userContext() for row-level access control */
+  usesUserContext?: boolean;
 }
 
 /**
@@ -70,6 +72,8 @@ export interface FunctionChange {
   oldEntities?: string[];
   newEntities?: string[];
   fieldReferencesChanged?: boolean;
+  userContextChanged?: boolean;
+  usesUserContext?: boolean;
 }
 
 /**

package/src/server/api/middleware.ts

@@ -1,15 +1,27 @@
 import { createMiddleware } from "hono/factory";
 import type { Context, Next } from "hono";
 import type { ContentfulStatusCode } from "hono/utils/http-status";
-import type { OntologyConfig, ResolverContext, EnvironmentConfig } from "../../config/types.js";
+import type { OntologyConfig, ResolverContext, EnvironmentConfig, AuthResult } from "../../config/types.js";
 import { createLogger } from "../resolver.js";
 
+/**
+ * Normalize auth function result to AuthResult format.
+ * Supports both legacy string[] format and new AuthResult object.
+ */
+export function normalizeAuthResult(result: string[] | AuthResult): AuthResult {
+  if (Array.isArray(result)) {
+    return { groups: result };
+  }
+  return result;
+}
+
 /**
  * Context variables added by middleware
  */
 export interface OntologyVariables {
   resolverContext: ResolverContext;
   accessGroups: string[];
+  authResult: AuthResult;
 }
 
 /**
@@ -20,9 +32,11 @@ export function createAuthMiddleware(config: OntologyConfig) {
   return createMiddleware<{ Variables: OntologyVariables }>(
     async (c: Context<{ Variables: OntologyVariables }>, next: Next) => {
       try {
-        // Call user's auth function
-        const accessGroups = await config.auth(c.req.raw);
-        c.set("accessGroups", accessGroups);
+        // Call user's auth function and normalize result
+        const rawResult = await config.auth(c.req.raw);
+        const authResult = normalizeAuthResult(rawResult);
+        c.set("authResult", authResult);
+        c.set("accessGroups", authResult.groups);
         await next();
       } catch (error) {
         return c.json(

package/src/server/api/router.ts

@@ -1,6 +1,7 @@
 import { Hono } from "hono";
 import type { OntologyConfig, FunctionDefinition } from "../../config/types.js";
 import { loadResolver } from "../resolver.js";
+import { getUserContextFields } from "../../config/categorical.js";
 import {
   createAccessControlMiddleware,
   type OntologyVariables,
@@ -19,6 +20,9 @@ export function createApiRoutes(
   for (const [name, fn] of Object.entries(config.functions)) {
     const path = `/${name}`;
 
+    // Pre-compute userContext fields for this function
+    const userContextFields = getUserContextFields(fn.inputs);
+
     router.post(
       path,
       // Access control for this specific function
@@ -26,11 +30,21 @@ export function createApiRoutes(
       // Handler
       async (c) => {
         const resolverContext = c.get("resolverContext");
+        const authResult = c.get("authResult");
 
         // Parse and validate input
         let args: unknown;
         try {
-          const body = await c.req.json();
+          let body = await c.req.json();
+
+          // Inject user context if function requires it
+          if (userContextFields.length > 0 && authResult.user) {
+            body = { ...body };
+            for (const field of userContextFields) {
+              (body as Record<string, unknown>)[field] = authResult.user;
+            }
+          }
+
           const parsed = fn.inputs.safeParse(body);
 
           if (!parsed.success) {
@@ -45,8 +59,17 @@ export function createApiRoutes(
 
           args = parsed.data;
         } catch {
-          // No body or invalid JSON - try with empty object
-          const parsed = fn.inputs.safeParse({});
+          // No body or invalid JSON - try with empty object (with user context if needed)
+          let emptyBody: Record<string, unknown> = {};
+
+          // Inject user context even for empty body
+          if (userContextFields.length > 0 && authResult.user) {
+            for (const field of userContextFields) {
+              emptyBody[field] = authResult.user;
+            }
+          }
+
+          const parsed = fn.inputs.safeParse(emptyBody);
           if (!parsed.success) {
             return c.json(
               {

package/src/server/mcp/index.ts

@@ -7,17 +7,33 @@ import {
 import type { AuthInfo } from "@modelcontextprotocol/sdk/server/auth/types.js";
 import { Hono } from "hono";
 import { cors } from "hono/cors";
-import type { OntologyConfig, ResolverContext, EnvironmentConfig } from "../../config/types.js";
+import type { OntologyConfig, ResolverContext, EnvironmentConfig, AuthResult } from "../../config/types.js";
 import { generateMcpTools, filterToolsByAccess, createToolExecutor } from "./tools.js";
 import { createLogger } from "../resolver.js";
 import { serve } from "../../runtime/index.js";
 
 /**
- * Extract access groups from AuthInfo
+ * Normalize auth function result to AuthResult format.
  */
-function getAccessGroups(authInfo?: AuthInfo): string[] {
-  if (!authInfo?.extra?.accessGroups) return [];
-  return authInfo.extra.accessGroups as string[];
+function normalizeAuthResult(result: string[] | AuthResult): AuthResult {
+  if (Array.isArray(result)) {
+    return { groups: result };
+  }
+  return result;
+}
+
+/**
+ * Extract AuthResult from AuthInfo
+ */
+function getAuthResult(authInfo?: AuthInfo): AuthResult {
+  if (!authInfo?.extra?.authResult) {
+    // Fallback to legacy format
+    if (authInfo?.extra?.accessGroups) {
+      return { groups: authInfo.extra.accessGroups as string[] };
+    }
+    return { groups: [] };
+  }
+  return authInfo.extra.authResult as AuthResult;
 }
 
 export interface McpServerOptions {
@@ -68,8 +84,8 @@ export function createMcpServer(options: McpServerOptions): Server {
 
   // Handle list tools request - filter by per-request access groups
   server.setRequestHandler(ListToolsRequestSchema, async (_request, extra) => {
-    const accessGroups = getAccessGroups(extra.authInfo);
-    const accessibleTools = filterToolsByAccess(allTools, accessGroups);
+    const authResult = getAuthResult(extra.authInfo);
+    const accessibleTools = filterToolsByAccess(allTools, authResult.groups);
 
     return {
       tools: accessibleTools.map((tool) => ({
@@ -83,10 +99,10 @@ export function createMcpServer(options: McpServerOptions): Server {
   // Handle call tool request - validate access per-request
   server.setRequestHandler(CallToolRequestSchema, async (request, extra) => {
     const { name, arguments: args } = request.params;
-    const accessGroups = getAccessGroups(extra.authInfo);
+    const authResult = getAuthResult(extra.authInfo);
 
     try {
-      const result = await executeToolWithAccess(name, args || {}, accessGroups);
+      const result = await executeToolWithAccess(name, args || {}, authResult);
 
       return {
         content: [
@@ -146,15 +162,18 @@ export async function startMcpServer(options: McpServerOptions): Promise<{ port:
   app.all("/mcp", async (c) => {
     try {
       // Authenticate the request using the config's auth function
-      const accessGroups = await config.auth(c.req.raw);
+      const rawResult = await config.auth(c.req.raw);
+      const authResult = normalizeAuthResult(rawResult);
 
-      // Create AuthInfo object with access groups in extra field
+      // Create AuthInfo object with full auth result in extra field
       const authInfo: AuthInfo = {
         token: c.req.header("Authorization") || "",
         clientId: "ontology-client",
         scopes: [],
         extra: {
-          accessGroups,
+          authResult,
+          // Keep accessGroups for backwards compatibility
+          accessGroups: authResult.groups,
         },
       };
 

package/src/server/mcp/tools.ts

@@ -5,8 +5,9 @@ import type {
   FunctionDefinition,
   ResolverContext,
   EnvironmentConfig,
+  AuthResult,
 } from "../../config/types.js";
-import { getFieldFromMetadata } from "../../config/categorical.js";
+import { getFieldFromMetadata, getUserContextFields, hasUserContextMetadata } from "../../config/categorical.js";
 import { loadResolver, type Logger } from "../resolver.js";
 
 /**
@@ -32,6 +33,48 @@ export interface McpTool {
   fieldReferences?: McpFieldReference[];
 }
 
+/**
+ * Strip userContext fields from a JSON Schema object.
+ * These fields are injected at runtime and should not be exposed to callers.
+ */
+function stripUserContextFromJsonSchema(
+  jsonSchema: Record<string, unknown>,
+  zodSchema: z.ZodType<unknown>
+): Record<string, unknown> {
+  // Only strip from object schemas
+  if (jsonSchema.type !== "object" || !jsonSchema.properties) {
+    return jsonSchema;
+  }
+
+  // Get userContext field names from the Zod schema
+  const userContextFields = getUserContextFields(zodSchema);
+  if (userContextFields.length === 0) {
+    return jsonSchema;
+  }
+
+  // Create a new schema without userContext fields
+  const properties = { ...(jsonSchema.properties as Record<string, unknown>) };
+  const required = jsonSchema.required
+    ? [...(jsonSchema.required as string[])]
+    : undefined;
+
+  for (const field of userContextFields) {
+    delete properties[field];
+    if (required) {
+      const idx = required.indexOf(field);
+      if (idx !== -1) {
+        required.splice(idx, 1);
+      }
+    }
+  }
+
+  return {
+    ...jsonSchema,
+    properties,
+    required: required && required.length > 0 ? required : undefined,
+  };
+}
+
 /**
  * Recursively extract field references from a Zod schema
  */
@@ -101,6 +144,8 @@ export function generateMcpTools(config: OntologyConfig): McpTool[] {
       }) as Record<string, unknown>;
       // Remove $schema key if present
       delete inputSchema.$schema;
+      // Strip userContext fields - these are injected at runtime
+      inputSchema = stripUserContextFromJsonSchema(inputSchema, fn.inputs);
     } catch {
       inputSchema = { type: "object", properties: {} };
     }
@@ -149,7 +194,7 @@ export function filterToolsByAccess(
 }
 
 /**
- * Create a tool executor function that accepts per-request access groups
+ * Create a tool executor function that accepts per-request auth result
  */
 export function createToolExecutor(
   config: OntologyConfig,
@@ -158,7 +203,13 @@ export function createToolExecutor(
   envConfig: EnvironmentConfig,
   logger: Logger
 ) {
-  return async (toolName: string, args: unknown, accessGroups: string[]): Promise<unknown> => {
+  // Pre-compute userContext fields for each function
+  const userContextFieldsCache = new Map<string, string[]>();
+  for (const [name, fn] of Object.entries(config.functions)) {
+    userContextFieldsCache.set(name, getUserContextFields(fn.inputs));
+  }
+
+  return async (toolName: string, args: unknown, authResult: AuthResult): Promise<unknown> => {
     const fn = config.functions[toolName];
 
     if (!fn) {
@@ -167,7 +218,7 @@ export function createToolExecutor(
 
     // Check access using per-request access groups
     const hasAccess = fn.access.some((group) =>
-      accessGroups.includes(group)
+      authResult.groups.includes(group)
     );
 
     if (!hasAccess) {
@@ -176,8 +227,18 @@ export function createToolExecutor(
       );
     }
 
+    // Inject user context if function requires it
+    const userContextFields = userContextFieldsCache.get(toolName) || [];
+    let argsWithContext = args;
+    if (userContextFields.length > 0 && authResult.user) {
+      argsWithContext = { ...(args as Record<string, unknown>) };
+      for (const field of userContextFields) {
+        (argsWithContext as Record<string, unknown>)[field] = authResult.user;
+      }
+    }
+
     // Validate input
-    const parsed = fn.inputs.safeParse(args);
+    const parsed = fn.inputs.safeParse(argsWithContext);
     if (!parsed.success) {
       throw new Error(
         `Invalid input for tool "${toolName}": ${parsed.error.message}`
@@ -189,7 +250,7 @@ export function createToolExecutor(
       env,
       envConfig,
       logger,
-      accessGroups,
+      accessGroups: authResult.groups,
     };
 
     // Load and execute resolver

package/src/server/start.ts

@@ -7,6 +7,7 @@ import {
   formatDiffForConsole,
   lockfileExists,
 } from "../lockfile/index.js";
+import { validateUserContextRequirements } from "../config/schema.js";
 import { createApiApp } from "./api/index.js";
 import { startMcpServer } from "./mcp/index.js";
 import { serve, type ServerHandle } from "../runtime/index.js";
@@ -70,6 +71,14 @@ export async function startOnt(options: StartOntOptions = {}): Promise<StartOntR
   consola.info("Loading ontology config...");
   const { config, configDir } = await loadConfig();
 
+  // Validate userContext requirements
+  try {
+    await validateUserContextRequirements(config);
+  } catch (error) {
+    consola.error("User context validation failed:");
+    throw error;
+  }
+
   // Check lockfile
   consola.info("Checking lockfile...");
   const { ontology, hash } = computeOntologyHash(config);