ont-run 0.0.1

package/src/server/mcp/index.ts

@@ -0,0 +1,182 @@
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
+import {
+  CallToolRequestSchema,
+  ListToolsRequestSchema,
+} from "@modelcontextprotocol/sdk/types.js";
+import type { AuthInfo } from "@modelcontextprotocol/sdk/server/auth/types.js";
+import { Hono } from "hono";
+import { cors } from "hono/cors";
+import type { OntologyConfig, ResolverContext, EnvironmentConfig } from "../../config/types.js";
+import { generateMcpTools, filterToolsByAccess, createToolExecutor } from "./tools.js";
+import { createLogger } from "../resolver.js";
+import { serve } from "../../runtime/index.js";
+
+/**
+ * Extract access groups from AuthInfo
+ */
+function getAccessGroups(authInfo?: AuthInfo): string[] {
+  if (!authInfo?.extra?.accessGroups) return [];
+  return authInfo.extra.accessGroups as string[];
+}
+
+export interface McpServerOptions {
+  /** The ontology configuration */
+  config: OntologyConfig;
+  /** Directory containing the ontology.config.ts */
+  configDir: string;
+  /** Environment to use */
+  env: string;
+  /** Port for the MCP HTTP server */
+  port?: number;
+}
+
+/**
+ * Create the MCP server instance with per-request authentication
+ */
+export function createMcpServer(options: McpServerOptions): Server {
+  const { config, configDir, env } = options;
+
+  // Get environment config
+  const envConfig = config.environments[env];
+  if (!envConfig) {
+    throw new Error(
+      `Unknown environment "${env}". Available: ${Object.keys(config.environments).join(", ")}`
+    );
+  }
+
+  const logger = createLogger(envConfig.debug);
+
+  // Generate all tools (filtering happens per-request)
+  const allTools = generateMcpTools(config);
+
+  // Create tool executor factory that accepts per-request access groups
+  const executeToolWithAccess = createToolExecutor(config, configDir, env, envConfig, logger);
+
+  // Create MCP server
+  const server = new Server(
+    {
+      name: config.name,
+      version: "1.0.0",
+    },
+    {
+      capabilities: {
+        tools: {},
+      },
+    }
+  );
+
+  // Handle list tools request - filter by per-request access groups
+  server.setRequestHandler(ListToolsRequestSchema, async (_request, extra) => {
+    const accessGroups = getAccessGroups(extra.authInfo);
+    const accessibleTools = filterToolsByAccess(allTools, accessGroups);
+
+    return {
+      tools: accessibleTools.map((tool) => ({
+        name: tool.name,
+        description: tool.description,
+        inputSchema: tool.inputSchema,
+      })),
+    };
+  });
+
+  // Handle call tool request - validate access per-request
+  server.setRequestHandler(CallToolRequestSchema, async (request, extra) => {
+    const { name, arguments: args } = request.params;
+    const accessGroups = getAccessGroups(extra.authInfo);
+
+    try {
+      const result = await executeToolWithAccess(name, args || {}, accessGroups);
+
+      return {
+        content: [
+          {
+            type: "text" as const,
+            text: JSON.stringify(result, null, 2),
+          },
+        ],
+      };
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Unknown error";
+
+      return {
+        content: [
+          {
+            type: "text" as const,
+            text: `Error: ${message}`,
+          },
+        ],
+        isError: true,
+      };
+    }
+  });
+
+  return server;
+}
+
+/**
+ * Start the MCP server as an HTTP server with Streamable HTTP transport
+ */
+export async function startMcpServer(options: McpServerOptions): Promise<{ port: number }> {
+  const { config, port = 3001 } = options;
+  const server = createMcpServer(options);
+
+  // Create a stateless transport
+  const transport = new WebStandardStreamableHTTPServerTransport();
+
+  // Connect server to transport
+  await server.connect(transport);
+
+  const app = new Hono();
+
+  // Enable CORS for MCP clients
+  app.use("*", cors({
+    origin: "*",
+    allowMethods: ["GET", "POST", "DELETE", "OPTIONS"],
+    allowHeaders: ["Content-Type", "mcp-session-id", "Last-Event-ID", "mcp-protocol-version", "Authorization"],
+    exposeHeaders: ["mcp-session-id", "mcp-protocol-version"],
+  }));
+
+  // Health check
+  app.get("/health", (c) => {
+    return c.json({ status: "ok", type: "mcp" });
+  });
+
+  // MCP endpoint - handles all MCP communication with per-request auth
+  app.all("/mcp", async (c) => {
+    try {
+      // Authenticate the request using the config's auth function
+      const accessGroups = await config.auth(c.req.raw);
+
+      // Create AuthInfo object with access groups in extra field
+      const authInfo: AuthInfo = {
+        token: c.req.header("Authorization") || "",
+        clientId: "ontology-client",
+        scopes: [],
+        extra: {
+          accessGroups,
+        },
+      };
+
+      // Pass auth info to transport - this will be available in request handlers via extra.authInfo
+      return transport.handleRequest(c.req.raw, { authInfo });
+    } catch (error) {
+      // Return 401 Unauthorized if auth fails
+      return c.json({
+        jsonrpc: "2.0",
+        error: {
+          code: -32000,
+          message: "Authentication failed",
+          data: error instanceof Error ? error.message : "Unknown error"
+        },
+        id: null
+      }, 401);
+    }
+  });
+
+  const httpServer = await serve(app, port);
+
+  return { port: httpServer.port };
+}
+
+export { generateMcpTools, filterToolsByAccess } from "./tools.js";

package/src/server/mcp/tools.ts

@@ -0,0 +1,199 @@
+import { z } from "zod";
+import { zodToJsonSchema } from "zod-to-json-schema";
+import type {
+  OntologyConfig,
+  FunctionDefinition,
+  ResolverContext,
+  EnvironmentConfig,
+} from "../../config/types.js";
+import { getFieldFromMetadata } from "../../config/categorical.js";
+import { loadResolver, type Logger } from "../resolver.js";
+
+/**
+ * Field reference info for MCP tools
+ */
+export interface McpFieldReference {
+  /** Path to the field in the schema */
+  path: string;
+  /** Name of the function that provides options */
+  functionName: string;
+}
+
+/**
+ * MCP Tool definition
+ */
+export interface McpTool {
+  name: string;
+  description: string;
+  inputSchema: Record<string, unknown>;
+  outputSchema?: Record<string, unknown>;
+  access: string[];
+  entities: string[];
+  fieldReferences?: McpFieldReference[];
+}
+
+/**
+ * Recursively extract field references from a Zod schema
+ */
+function extractFieldReferencesForMcp(
+  schema: z.ZodType<unknown>,
+  path: string = ""
+): McpFieldReference[] {
+  const results: McpFieldReference[] = [];
+
+  // Check if this schema has fieldFrom metadata
+  const metadata = getFieldFromMetadata(schema);
+  if (metadata) {
+    results.push({
+      path: path || "(root)",
+      functionName: metadata.functionName,
+    });
+  }
+
+  // Handle ZodObject - recurse into properties
+  if (schema instanceof z.ZodObject) {
+    const shape = schema.shape;
+    for (const [key, value] of Object.entries(shape)) {
+      const fieldPath = path ? `${path}.${key}` : key;
+      results.push(
+        ...extractFieldReferencesForMcp(value as z.ZodType<unknown>, fieldPath)
+      );
+    }
+  }
+
+  // Handle ZodOptional - unwrap
+  if (schema instanceof z.ZodOptional) {
+    results.push(...extractFieldReferencesForMcp(schema.unwrap(), path));
+  }
+
+  // Handle ZodNullable - unwrap
+  if (schema instanceof z.ZodNullable) {
+    results.push(...extractFieldReferencesForMcp(schema.unwrap(), path));
+  }
+
+  // Handle ZodArray - recurse into element
+  if (schema instanceof z.ZodArray) {
+    results.push(...extractFieldReferencesForMcp(schema.element, `${path}[]`));
+  }
+
+  // Handle ZodDefault - unwrap
+  if (schema instanceof z.ZodDefault) {
+    results.push(
+      ...extractFieldReferencesForMcp(schema._def.innerType, path)
+    );
+  }
+
+  return results;
+}
+
+/**
+ * Generate MCP tool definitions from ontology config
+ */
+export function generateMcpTools(config: OntologyConfig): McpTool[] {
+  const tools: McpTool[] = [];
+
+  for (const [name, fn] of Object.entries(config.functions)) {
+    // Convert Zod schema to JSON Schema for MCP
+    let inputSchema: Record<string, unknown>;
+    try {
+      inputSchema = zodToJsonSchema(fn.inputs, {
+        $refStrategy: "none",
+      }) as Record<string, unknown>;
+      // Remove $schema key if present
+      delete inputSchema.$schema;
+    } catch {
+      inputSchema = { type: "object", properties: {} };
+    }
+
+    // Convert output schema if present
+    let outputSchema: Record<string, unknown> | undefined;
+    if (fn.outputs) {
+      try {
+        outputSchema = zodToJsonSchema(fn.outputs, {
+          $refStrategy: "none",
+        }) as Record<string, unknown>;
+        delete outputSchema.$schema;
+      } catch {
+        outputSchema = undefined;
+      }
+    }
+
+    // Extract field references
+    const fieldReferences = extractFieldReferencesForMcp(fn.inputs);
+
+    tools.push({
+      name,
+      description: fn.description,
+      inputSchema,
+      outputSchema,
+      access: fn.access,
+      entities: fn.entities,
+      fieldReferences:
+        fieldReferences.length > 0 ? fieldReferences : undefined,
+    });
+  }
+
+  return tools;
+}
+
+/**
+ * Filter tools by access groups
+ */
+export function filterToolsByAccess(
+  tools: McpTool[],
+  accessGroups: string[]
+): McpTool[] {
+  return tools.filter((tool) =>
+    tool.access.some((group) => accessGroups.includes(group))
+  );
+}
+
+/**
+ * Create a tool executor function that accepts per-request access groups
+ */
+export function createToolExecutor(
+  config: OntologyConfig,
+  configDir: string,
+  env: string,
+  envConfig: EnvironmentConfig,
+  logger: Logger
+) {
+  return async (toolName: string, args: unknown, accessGroups: string[]): Promise<unknown> => {
+    const fn = config.functions[toolName];
+
+    if (!fn) {
+      throw new Error(`Unknown tool: ${toolName}`);
+    }
+
+    // Check access using per-request access groups
+    const hasAccess = fn.access.some((group) =>
+      accessGroups.includes(group)
+    );
+
+    if (!hasAccess) {
+      throw new Error(
+        `Access denied to tool "${toolName}". Requires: ${fn.access.join(", ")}`
+      );
+    }
+
+    // Validate input
+    const parsed = fn.inputs.safeParse(args);
+    if (!parsed.success) {
+      throw new Error(
+        `Invalid input for tool "${toolName}": ${parsed.error.message}`
+      );
+    }
+
+    // Create resolver context with per-request access groups
+    const resolverContext: ResolverContext = {
+      env,
+      envConfig,
+      logger,
+      accessGroups,
+    };
+
+    // Load and execute resolver
+    const resolver = await loadResolver(fn.resolver, configDir);
+    return resolver(resolverContext, parsed.data);
+  };
+}

package/src/server/resolver.ts

@@ -0,0 +1,109 @@
+import { join, dirname, isAbsolute } from "path";
+import { existsSync } from "fs";
+import type { ResolverFunction, ResolverContext, OntologyConfig } from "../config/types.js";
+
+/**
+ * Cache of loaded resolvers to avoid re-importing
+ */
+const resolverCache = new Map<string, ResolverFunction>();
+
+/**
+ * Load a resolver from a file path.
+ * The path is relative to the config file location.
+ *
+ * @param resolverPath - Path to the resolver file (relative to configDir)
+ * @param configDir - Directory containing the ontology.config.ts
+ */
+export async function loadResolver(
+  resolverPath: string,
+  configDir: string
+): Promise<ResolverFunction> {
+  // Resolve the full path
+  const fullPath = isAbsolute(resolverPath)
+    ? resolverPath
+    : join(configDir, resolverPath);
+
+  // Check cache
+  if (resolverCache.has(fullPath)) {
+    return resolverCache.get(fullPath)!;
+  }
+
+  try {
+    // Dynamic import the resolver
+    const module = await import(fullPath);
+
+    // Expect default export to be the resolver function
+    const resolver = module.default;
+
+    if (typeof resolver !== "function") {
+      throw new Error(
+        `Resolver at ${resolverPath} must export a default function`
+      );
+    }
+
+    // Cache and return
+    resolverCache.set(fullPath, resolver);
+    return resolver;
+  } catch (error) {
+    if ((error as NodeJS.ErrnoException).code === "ERR_MODULE_NOT_FOUND") {
+      throw new Error(`Resolver not found: ${resolverPath}`);
+    }
+    throw error;
+  }
+}
+
+/**
+ * Clear the resolver cache (useful for hot reloading)
+ */
+export function clearResolverCache(): void {
+  resolverCache.clear();
+}
+
+/**
+ * Check which resolvers are missing and return their paths
+ */
+export function findMissingResolvers(
+  config: OntologyConfig,
+  configDir: string
+): string[] {
+  const missing: string[] = [];
+
+  for (const [name, fn] of Object.entries(config.functions)) {
+    const fullPath = isAbsolute(fn.resolver)
+      ? fn.resolver
+      : join(configDir, fn.resolver);
+
+    if (!existsSync(fullPath)) {
+      missing.push(fn.resolver);
+    }
+  }
+
+  return missing;
+}
+
+/**
+ * Logger type returned by createLogger
+ */
+export type Logger = ReturnType<typeof createLogger>;
+
+/**
+ * Create a logger for a resolver context
+ */
+export function createLogger(debug: boolean = false) {
+  return {
+    info: (message: string, ...args: unknown[]) => {
+      console.log(`[INFO] ${message}`, ...args);
+    },
+    warn: (message: string, ...args: unknown[]) => {
+      console.warn(`[WARN] ${message}`, ...args);
+    },
+    error: (message: string, ...args: unknown[]) => {
+      console.error(`[ERROR] ${message}`, ...args);
+    },
+    debug: (message: string, ...args: unknown[]) => {
+      if (debug) {
+        console.log(`[DEBUG] ${message}`, ...args);
+      }
+    },
+  };
+}

package/src/server/start.ts

@@ -0,0 +1,151 @@
+import consola from "consola";
+import { findConfigFile, loadConfig } from "../cli/utils/config-loader.js";
+import {
+  computeOntologyHash,
+  readLockfile,
+  diffOntology,
+  formatDiffForConsole,
+  lockfileExists,
+} from "../lockfile/index.js";
+import { createApiApp } from "./api/index.js";
+import { startMcpServer } from "./mcp/index.js";
+import { serve, type ServerHandle } from "../runtime/index.js";
+
+export interface StartOntOptions {
+  /** Port for API server (default: 3000) */
+  port?: number;
+  /** Port for MCP server (default: 3001) */
+  mcpPort?: number;
+  /** Environment to use (default: 'dev') */
+  env?: string;
+  /** Mode: 'development' warns on lockfile issues, 'production' fails. Auto-detected from NODE_ENV if not set. */
+  mode?: "development" | "production";
+  /** Set to true to only start the API server */
+  apiOnly?: boolean;
+  /** Set to true to only start the MCP server */
+  mcpOnly?: boolean;
+}
+
+export interface StartOntResult {
+  api?: ServerHandle;
+  mcp?: { port: number };
+}
+
+/**
+ * Detect mode from NODE_ENV if not explicitly set
+ */
+function detectMode(explicit?: "development" | "production"): "development" | "production" {
+  if (explicit) return explicit;
+  return process.env.NODE_ENV === "production" ? "production" : "development";
+}
+
+/**
+ * Start the ont API and MCP servers.
+ *
+ * Automatically discovers ontology.config.ts and handles lockfile validation.
+ *
+ * @example
+ * ```ts
+ * import { startOnt } from 'ont-run';
+ *
+ * await startOnt({
+ *   port: 3000,
+ *   mcpPort: 3001,
+ * });
+ * ```
+ */
+export async function startOnt(options: StartOntOptions = {}): Promise<StartOntResult> {
+  const {
+    port = 3000,
+    mcpPort = 3001,
+    env = "dev",
+    apiOnly = false,
+    mcpOnly = false,
+  } = options;
+
+  const mode = detectMode(options.mode);
+  const isDev = mode === "development";
+
+  // Load config
+  consola.info("Loading ontology config...");
+  const { config, configDir } = await loadConfig();
+
+  // Check lockfile
+  consola.info("Checking lockfile...");
+  const { ontology, hash } = computeOntologyHash(config);
+
+  if (!lockfileExists(configDir)) {
+    const message = `No ont.lock file found.\nRun \`bun run review\` to approve the initial ontology.`;
+
+    if (isDev) {
+      consola.warn("No ont.lock file found.");
+      consola.warn("Run `npx ont-run review` to approve the initial ontology.\n");
+    } else {
+      consola.error(message);
+      throw new Error("Missing lockfile in production mode");
+    }
+  } else {
+    const lockfile = await readLockfile(configDir);
+    const oldOntology = lockfile?.ontology || null;
+    const diff = diffOntology(oldOntology, ontology);
+
+    if (diff.hasChanges) {
+      const message = `Ontology has changed since last review.\nRun \`bun run review\` to approve the changes.`;
+
+      if (isDev) {
+        consola.warn("Lockfile mismatch detected:");
+        console.log("\n" + formatDiffForConsole(diff) + "\n");
+        consola.warn("Run `npx ont-run review` to approve these changes.\n");
+      } else {
+        consola.error(message);
+        console.log("\n" + formatDiffForConsole(diff) + "\n");
+        throw new Error("Lockfile mismatch in production mode");
+      }
+    } else {
+      consola.success("Lockfile verified");
+    }
+  }
+
+  const result: StartOntResult = {};
+
+  // Start API server
+  if (!mcpOnly) {
+    const api = createApiApp({
+      config,
+      configDir,
+      env,
+    });
+
+    const server = await serve(api, port);
+    result.api = server;
+
+    consola.success(`API server running at http://localhost:${server.port}`);
+    consola.info(`Environment: ${env}`);
+    consola.info(`Mode: ${mode}`);
+    consola.info(`Functions: ${Object.keys(config.functions).length}`);
+    console.log("");
+    consola.info("Available endpoints:");
+    for (const name of Object.keys(config.functions)) {
+      console.log(`  POST /api/${name}`);
+    }
+    console.log("");
+  }
+
+  // Start MCP server
+  if (!apiOnly) {
+    const mcpServer = await startMcpServer({
+      config,
+      configDir,
+      env,
+      port: mcpPort,
+    });
+    result.mcp = mcpServer;
+
+    consola.success(`MCP server running at http://localhost:${mcpServer.port}/mcp`);
+    consola.info(`Auth: per-request (using config.auth)`);
+  }
+
+  consola.info("Press Ctrl+C to stop");
+
+  return result;
+}