postgresai 0.11.0-alpha.8 → 0.12.0-alpha.13

package/lib/auth-server.ts

@@ -0,0 +1,267 @@
+import * as http from "http";
+import { URL } from "url";
+
+/**
+ * OAuth callback result
+ */
+export interface CallbackResult {
+  code: string;
+  state: string;
+}
+
+/**
+ * Callback server structure
+ */
+export interface CallbackServer {
+  server: http.Server;
+  promise: Promise<CallbackResult>;
+  getPort: () => number;
+}
+
+/**
+ * Simple HTML escape utility
+ * @param str - String to escape
+ * @returns Escaped string
+ */
+function escapeHtml(str: string | null): string {
+  if (!str) return "";
+  return String(str)
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#39;");
+}
+
+/**
+ * Create and start callback server, returning server object and promise
+ * @param port - Port to listen on (0 for random available port)
+ * @param expectedState - Expected state parameter for CSRF protection
+ * @param timeoutMs - Timeout in milliseconds
+ * @returns Server object with promise and getPort function
+ */
+export function createCallbackServer(
+  port: number = 0,
+  expectedState: string | null = null,
+  timeoutMs: number = 300000
+): CallbackServer {
+  let resolved = false;
+  let server: http.Server | null = null;
+  let actualPort = port;
+  let resolveCallback: (value: CallbackResult) => void;
+  let rejectCallback: (reason: Error) => void;
+  
+  const promise = new Promise<CallbackResult>((resolve, reject) => {
+    resolveCallback = resolve;
+    rejectCallback = reject;
+  });
+  
+  // Timeout handler
+  const timeout = setTimeout(() => {
+    if (!resolved) {
+      resolved = true;
+      if (server) {
+        server.close();
+      }
+      rejectCallback(new Error("Authentication timeout. Please try again."));
+    }
+  }, timeoutMs);
+  
+  // Request handler
+  const requestHandler = (req: http.IncomingMessage, res: http.ServerResponse): void => {
+    if (resolved) {
+      return;
+    }
+
+    // Only handle /callback path
+    if (!req.url || !req.url.startsWith("/callback")) {
+      res.writeHead(404, { "Content-Type": "text/plain" });
+      res.end("Not Found");
+      return;
+    }
+
+    try {
+      const url = new URL(req.url, `http://localhost:${actualPort}`);
+      const code = url.searchParams.get("code");
+      const state = url.searchParams.get("state");
+      const error = url.searchParams.get("error");
+      const errorDescription = url.searchParams.get("error_description");
+
+      // Handle OAuth error
+      if (error) {
+        resolved = true;
+        clearTimeout(timeout);
+        
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(`
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Authentication failed</title>
+  <style>
+    body { font-family: system-ui, -apple-system, sans-serif; max-width: 600px; margin: 50px auto; padding: 20px; }
+    .error { background: #fee; border: 1px solid #fcc; padding: 20px; border-radius: 8px; }
+    h1 { color: #c33; margin-top: 0; }
+    code { background: #f5f5f5; padding: 2px 6px; border-radius: 3px; }
+  </style>
+</head>
+<body>
+  <div class="error">
+    <h1>Authentication failed</h1>
+    <p><strong>Error:</strong> ${escapeHtml(error)}</p>
+    ${errorDescription ? `<p><strong>Description:</strong> ${escapeHtml(errorDescription)}</p>` : ""}
+    <p>You can close this window and return to your terminal.</p>
+  </div>
+</body>
+</html>
+        `);
+        
+        if (server) {
+          server.close();
+        }
+        rejectCallback(new Error(`OAuth error: ${error}${errorDescription ? ` - ${errorDescription}` : ""}`));
+        return;
+      }
+
+      // Validate required parameters
+      if (!code || !state) {
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(`
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Authentication failed</title>
+  <style>
+    body { font-family: system-ui, -apple-system, sans-serif; max-width: 600px; margin: 50px auto; padding: 20px; }
+    .error { background: #fee; border: 1px solid #fcc; padding: 20px; border-radius: 8px; }
+    h1 { color: #c33; margin-top: 0; }
+  </style>
+</head>
+<body>
+  <div class="error">
+    <h1>Authentication failed</h1>
+    <p>Missing required parameters (code or state).</p>
+    <p>You can close this window and return to your terminal.</p>
+  </div>
+</body>
+</html>
+        `);
+        return;
+      }
+
+      // Validate state (CSRF protection)
+      if (expectedState && state !== expectedState) {
+        resolved = true;
+        clearTimeout(timeout);
+        
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(`
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Authentication failed</title>
+  <style>
+    body { font-family: system-ui, -apple-system, sans-serif; max-width: 600px; margin: 50px auto; padding: 20px; }
+    .error { background: #fee; border: 1px solid #fcc; padding: 20px; border-radius: 8px; }
+    h1 { color: #c33; margin-top: 0; }
+  </style>
+</head>
+<body>
+  <div class="error">
+    <h1>Authentication failed</h1>
+    <p>Invalid state parameter (possible CSRF attack).</p>
+    <p>You can close this window and return to your terminal.</p>
+  </div>
+</body>
+</html>
+        `);
+        
+        if (server) {
+          server.close();
+        }
+        rejectCallback(new Error("State mismatch (possible CSRF attack)"));
+        return;
+      }
+
+      // Success!
+      resolved = true;
+      clearTimeout(timeout);
+      
+      res.writeHead(200, { "Content-Type": "text/html" });
+      res.end(`
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Authentication successful</title>
+  <style>
+    body { font-family: system-ui, -apple-system, sans-serif; max-width: 600px; margin: 50px auto; padding: 20px; }
+    .success { background: #efe; border: 1px solid #cfc; padding: 20px; border-radius: 8px; }
+    h1 { color: #3c3; margin-top: 0; }
+  </style>
+</head>
+<body>
+  <div class="success">
+    <h1>Authentication successful</h1>
+    <p>You have successfully authenticated the PostgresAI CLI.</p>
+    <p>You can close this window and return to your terminal.</p>
+  </div>
+</body>
+</html>
+      `);
+      
+      if (server) {
+        server.close();
+      }
+      resolveCallback({ code, state });
+    } catch (err) {
+      if (!resolved) {
+        resolved = true;
+        clearTimeout(timeout);
+        res.writeHead(500, { "Content-Type": "text/plain" });
+        res.end("Internal Server Error");
+        if (server) {
+          server.close();
+        }
+        rejectCallback(err instanceof Error ? err : new Error(String(err)));
+      }
+    }
+  };
+
+  // Create server
+  server = http.createServer(requestHandler);
+  
+  server.on("error", (err: Error) => {
+    if (!resolved) {
+      resolved = true;
+      clearTimeout(timeout);
+      rejectCallback(err);
+    }
+  });
+
+  server.listen(port, "127.0.0.1", () => {
+    const address = server?.address();
+    if (address && typeof address === "object") {
+      actualPort = address.port;
+    }
+  });
+  
+  return {
+    server,
+    promise,
+    getPort: () => {
+      const address = server?.address();
+      return address && typeof address === "object" ? address.port : 0;
+    },
+  };
+}
+
+/**
+ * Get the actual port the server is listening on
+ * @param server - HTTP server instance
+ * @returns Port number
+ */
+export function getServerPort(server: http.Server): number {
+  const address = server.address();
+  return address && typeof address === "object" ? address.port : 0;
+}
+

package/lib/config.ts

@@ -0,0 +1,161 @@
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+
+/**
+ * Configuration object structure
+ */
+export interface Config {
+  apiKey: string | null;
+  baseUrl: string | null;
+  orgId: number | null;
+}
+
+/**
+ * Get the user-level config directory path
+ * @returns Path to ~/.config/postgresai
+ */
+export function getConfigDir(): string {
+  const configHome = process.env.XDG_CONFIG_HOME || path.join(os.homedir(), ".config");
+  return path.join(configHome, "postgresai");
+}
+
+/**
+ * Get the user-level config file path
+ * @returns Path to ~/.config/postgresai/config.json
+ */
+export function getConfigPath(): string {
+  return path.join(getConfigDir(), "config.json");
+}
+
+/**
+ * Get the legacy project-local config file path
+ * @returns Path to .pgwatch-config in current directory
+ */
+export function getLegacyConfigPath(): string {
+  return path.resolve(process.cwd(), ".pgwatch-config");
+}
+
+/**
+ * Read configuration from file
+ * Tries user-level config first, then falls back to legacy project-local config
+ * @returns Configuration object with apiKey, baseUrl, orgId
+ */
+export function readConfig(): Config {
+  const config: Config = {
+    apiKey: null,
+    baseUrl: null,
+    orgId: null,
+  };
+
+  // Try user-level config first
+  const userConfigPath = getConfigPath();
+  if (fs.existsSync(userConfigPath)) {
+    try {
+      const content = fs.readFileSync(userConfigPath, "utf8");
+      const parsed = JSON.parse(content);
+      config.apiKey = parsed.apiKey || null;
+      config.baseUrl = parsed.baseUrl || null;
+      config.orgId = parsed.orgId || null;
+      return config;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      console.error(`Warning: Failed to read config from ${userConfigPath}: ${message}`);
+    }
+  }
+
+  // Fall back to legacy project-local config
+  const legacyPath = getLegacyConfigPath();
+  if (fs.existsSync(legacyPath)) {
+    try {
+      const stats = fs.statSync(legacyPath);
+      if (stats.isFile()) {
+        const content = fs.readFileSync(legacyPath, "utf8");
+        const lines = content.split(/\r?\n/);
+        for (const line of lines) {
+          const match = line.match(/^api_key=(.+)$/);
+          if (match) {
+            config.apiKey = match[1].trim();
+            break;
+          }
+        }
+      }
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      console.error(`Warning: Failed to read legacy config from ${legacyPath}: ${message}`);
+    }
+  }
+
+  return config;
+}
+
+/**
+ * Write configuration to user-level config file
+ * @param config - Configuration object with apiKey, baseUrl, orgId
+ */
+export function writeConfig(config: Partial<Config>): void {
+  const configDir = getConfigDir();
+  const configPath = getConfigPath();
+
+  // Ensure config directory exists
+  if (!fs.existsSync(configDir)) {
+    fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
+  }
+
+  // Read existing config and merge
+  let existingConfig: Record<string, unknown> = {};
+  if (fs.existsSync(configPath)) {
+    try {
+      const content = fs.readFileSync(configPath, "utf8");
+      existingConfig = JSON.parse(content);
+    } catch (err) {
+      // Ignore parse errors, will overwrite
+    }
+  }
+
+  const mergedConfig = {
+    ...existingConfig,
+    ...config,
+  };
+
+  // Write config file with restricted permissions
+  fs.writeFileSync(configPath, JSON.stringify(mergedConfig, null, 2) + "\n", {
+    mode: 0o600,
+  });
+}
+
+/**
+ * Delete specific keys from configuration
+ * @param keys - Array of keys to delete (e.g., ['apiKey'])
+ */
+export function deleteConfigKeys(keys: string[]): void {
+  const configPath = getConfigPath();
+  if (!fs.existsSync(configPath)) {
+    return;
+  }
+
+  try {
+    const content = fs.readFileSync(configPath, "utf8");
+    const config: Record<string, unknown> = JSON.parse(content);
+
+    for (const key of keys) {
+      delete config[key];
+    }
+
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n", {
+      mode: 0o600,
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    console.error(`Warning: Failed to update config: ${message}`);
+  }
+}
+
+/**
+ * Check if config file exists
+ * @returns True if config exists
+ */
+export function configExists(): boolean {
+  return fs.existsSync(getConfigPath()) || fs.existsSync(getLegacyConfigPath());
+}
+

package/lib/issues.ts

@@ -0,0 +1,83 @@
+import * as https from "https";
+import { URL } from "url";
+import { maskSecret, normalizeBaseUrl } from "./util";
+
+export interface FetchIssuesParams {
+  apiKey: string;
+  apiBaseUrl: string;
+  debug?: boolean;
+}
+
+export async function fetchIssues(params: FetchIssuesParams): Promise<unknown> {
+  const { apiKey, apiBaseUrl, debug } = params;
+  if (!apiKey) {
+    throw new Error("API key is required");
+  }
+
+  const base = normalizeBaseUrl(apiBaseUrl);
+  const url = new URL(`${base}/issues`);
+
+  const headers: Record<string, string> = {
+    "access-token": apiKey,
+    "Prefer": "return=representation",
+    "Content-Type": "application/json",
+  };
+
+  if (debug) {
+    const debugHeaders: Record<string, string> = { ...headers, "access-token": maskSecret(apiKey) };
+    // eslint-disable-next-line no-console
+    console.log(`Debug: Resolved API base URL: ${base}`);
+    // eslint-disable-next-line no-console
+    console.log(`Debug: GET URL: ${url.toString()}`);
+    // eslint-disable-next-line no-console
+    console.log(`Debug: Auth scheme: access-token`);
+    // eslint-disable-next-line no-console
+    console.log(`Debug: Request headers: ${JSON.stringify(debugHeaders)}`);
+  }
+
+  return new Promise((resolve, reject) => {
+    const req = https.request(
+      url,
+      {
+        method: "GET",
+        headers,
+      },
+      (res) => {
+        let data = "";
+        res.on("data", (chunk) => (data += chunk));
+        res.on("end", () => {
+          if (debug) {
+            // eslint-disable-next-line no-console
+            console.log(`Debug: Response status: ${res.statusCode}`);
+            // eslint-disable-next-line no-console
+            console.log(`Debug: Response headers: ${JSON.stringify(res.headers)}`);
+          }
+          if (res.statusCode && res.statusCode >= 200 && res.statusCode < 300) {
+            try {
+              const parsed = JSON.parse(data);
+              resolve(parsed);
+            } catch {
+              resolve(data);
+            }
+          } else {
+            let errMsg = `Failed to fetch issues: HTTP ${res.statusCode}`;
+            if (data) {
+              try {
+                const errObj = JSON.parse(data);
+                errMsg += `\n${JSON.stringify(errObj, null, 2)}`;
+              } catch {
+                errMsg += `\n${data}`;
+              }
+            }
+            reject(new Error(errMsg));
+          }
+        });
+      }
+    );
+
+    req.on("error", (err: Error) => reject(err));
+    req.end();
+  });
+}
+
+

package/lib/mcp-server.ts

@@ -0,0 +1,98 @@
+import * as pkg from "../package.json";
+import * as config from "./config";
+import { fetchIssues } from "./issues";
+import { resolveBaseUrls } from "./util";
+
+// MCP SDK imports
+import { Server } from "@modelcontextprotocol/sdk/server";
+import * as path from "path";
+// Types schemas will be loaded dynamically from the SDK's CJS bundle
+
+interface RootOptsLike {
+  apiKey?: string;
+  apiBaseUrl?: string;
+}
+
+export async function startMcpServer(rootOpts?: RootOptsLike, extra?: { debug?: boolean }): Promise<void> {
+  // Resolve stdio transport at runtime to avoid subpath export resolution issues
+  const serverEntry = require.resolve("@modelcontextprotocol/sdk/server");
+  const stdioPath = path.join(path.dirname(serverEntry), "stdio.js");
+  // eslint-disable-next-line @typescript-eslint/no-var-requires
+  const { StdioServerTransport } = require(stdioPath);
+  // Load schemas dynamically to avoid subpath export resolution issues
+  const typesPath = path.resolve(path.dirname(serverEntry), "../types.js");
+  // eslint-disable-next-line @typescript-eslint/no-var-requires
+  const { CallToolRequestSchema, ListToolsRequestSchema } = require(typesPath);
+
+  const server = new Server(
+    { name: "postgresai-mcp", version: pkg.version },
+    { capabilities: { tools: {} } }
+  );
+
+  server.setRequestHandler(ListToolsRequestSchema, async () => {
+    return {
+      tools: [
+        {
+          name: "list_issues",
+          description: "List issues from PostgresAI API (same as CLI 'issues list')",
+          inputSchema: {
+            type: "object",
+            properties: {
+              debug: { type: "boolean", description: "Enable verbose debug logs" },
+            },
+            additionalProperties: false,
+          },
+        },
+      ],
+    };
+  });
+
+  server.setRequestHandler(CallToolRequestSchema, async (req: any) => {
+    const toolName = req.params.name;
+    const args = (req.params.arguments as Record<string, unknown>) || {};
+
+    if (toolName !== "list_issues") {
+      throw new Error(`Unknown tool: ${toolName}`);
+    }
+
+    const cfg = config.readConfig();
+    const apiKey = (rootOpts?.apiKey || process.env.PGAI_API_KEY || cfg.apiKey || "").toString();
+    const { apiBaseUrl } = resolveBaseUrls(rootOpts, cfg);
+
+    const debug = Boolean(args.debug ?? extra?.debug);
+
+    if (!apiKey) {
+      return {
+        content: [
+          {
+            type: "text",
+            text: "API key is required. Run 'pgai auth' or set PGAI_API_KEY.",
+          },
+        ],
+        isError: true,
+      };
+    }
+
+    try {
+      const result = await fetchIssues({ apiKey, apiBaseUrl, debug });
+      return {
+        content: [
+          { type: "text", text: JSON.stringify(result, null, 2) },
+        ],
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      return {
+        content: [
+          { type: "text", text: message },
+        ],
+        isError: true,
+      };
+    }
+  });
+
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+}
+
+

package/lib/pkce.ts

@@ -0,0 +1,79 @@
+import * as crypto from "crypto";
+
+/**
+ * PKCE parameters for OAuth 2.0 Authorization Code Flow with PKCE
+ */
+export interface PKCEParams {
+  codeVerifier: string;
+  codeChallenge: string;
+  codeChallengeMethod: "S256";
+  state: string;
+}
+
+/**
+ * Generate a cryptographically random string for PKCE
+ * @param length - Length of the string (43-128 characters per RFC 7636)
+ * @returns Base64URL-encoded random string
+ */
+function generateRandomString(length: number = 64): string {
+  const bytes = crypto.randomBytes(length);
+  return base64URLEncode(bytes);
+}
+
+/**
+ * Base64URL encode (without padding)
+ * @param buffer - Buffer to encode
+ * @returns Base64URL-encoded string
+ */
+function base64URLEncode(buffer: Buffer): string {
+  return buffer
+    .toString("base64")
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=/g, "");
+}
+
+/**
+ * Generate PKCE code verifier
+ * @returns Random code verifier (43-128 characters)
+ */
+export function generateCodeVerifier(): string {
+  return generateRandomString(32); // 32 bytes = 43 chars after base64url encoding
+}
+
+/**
+ * Generate PKCE code challenge from verifier
+ * Uses S256 method (SHA256)
+ * @param verifier - Code verifier string
+ * @returns Base64URL-encoded SHA256 hash of verifier
+ */
+export function generateCodeChallenge(verifier: string): string {
+  const hash = crypto.createHash("sha256").update(verifier).digest();
+  return base64URLEncode(hash);
+}
+
+/**
+ * Generate random state for CSRF protection
+ * @returns Random state string
+ */
+export function generateState(): string {
+  return generateRandomString(16); // 16 bytes = 22 chars
+}
+
+/**
+ * Generate complete PKCE parameters
+ * @returns Object with verifier, challenge, challengeMethod, and state
+ */
+export function generatePKCEParams(): PKCEParams {
+  const verifier = generateCodeVerifier();
+  const challenge = generateCodeChallenge(verifier);
+  const state = generateState();
+
+  return {
+    codeVerifier: verifier,
+    codeChallenge: challenge,
+    codeChallengeMethod: "S256",
+    state: state,
+  };
+}
+