suparank 1.2.3 → 1.2.5

package/bin/suparank.js

@@ -23,6 +23,8 @@ const SUPARANK_DIR = path.join(os.homedir(), '.suparank')
 const CONFIG_FILE = path.join(SUPARANK_DIR, 'config.json')
 const CREDENTIALS_FILE = path.join(SUPARANK_DIR, 'credentials.json')
 const SESSION_FILE = path.join(SUPARANK_DIR, 'session.json')
+const CONTENT_DIR = path.join(SUPARANK_DIR, 'content')
+const STATS_FILE = path.join(SUPARANK_DIR, 'stats.json')
 
 // Production API URL
 const DEFAULT_API_URL = 'https://api.suparank.io'
@@ -514,6 +516,165 @@ function showVersion() {
   log('https://suparank.io', 'dim')
 }
 
+function loadStats() {
+  try {
+    if (fs.existsSync(STATS_FILE)) {
+      return JSON.parse(fs.readFileSync(STATS_FILE, 'utf-8'))
+    }
+  } catch (e) {}
+  return { tool_calls: 0, images_generated: 0, articles_created: 0, words_written: 0 }
+}
+
+function loadSession() {
+  try {
+    if (fs.existsSync(SESSION_FILE)) {
+      return JSON.parse(fs.readFileSync(SESSION_FILE, 'utf-8'))
+    }
+  } catch (e) {}
+  return null
+}
+
+function countSavedContent() {
+  try {
+    if (fs.existsSync(CONTENT_DIR)) {
+      const folders = fs.readdirSync(CONTENT_DIR).filter(f => {
+        const stat = fs.statSync(path.join(CONTENT_DIR, f))
+        return stat.isDirectory()
+      })
+      return folders.length
+    }
+  } catch (e) {}
+  return 0
+}
+
+function getRecentContent(limit = 3) {
+  try {
+    if (fs.existsSync(CONTENT_DIR)) {
+      const folders = fs.readdirSync(CONTENT_DIR)
+        .filter(f => fs.statSync(path.join(CONTENT_DIR, f)).isDirectory())
+        .map(f => {
+          const metaPath = path.join(CONTENT_DIR, f, 'metadata.json')
+          let meta = { title: f }
+          try {
+            if (fs.existsSync(metaPath)) {
+              meta = JSON.parse(fs.readFileSync(metaPath, 'utf-8'))
+            }
+          } catch (e) {}
+          return { folder: f, ...meta }
+        })
+        .sort((a, b) => (b.savedAt || '').localeCompare(a.savedAt || ''))
+        .slice(0, limit)
+      return folders
+    }
+  } catch (e) {}
+  return []
+}
+
+async function displayDashboard(config, project) {
+  const packageJson = JSON.parse(fs.readFileSync(new URL('../package.json', import.meta.url), 'utf-8'))
+  const credentials = loadCredentials()
+  const session = loadSession()
+  const stats = loadStats()
+  const savedCount = countSavedContent()
+  const recentContent = getRecentContent(3)
+  const projectConfig = project?.config || {}
+
+  // Header
+  console.log()
+  log('╔══════════════════════════════════════════════════════════════════════════════╗', 'cyan')
+  log('║                         🚀 SUPARANK MCP SERVER                               ║', 'cyan')
+  log('╚══════════════════════════════════════════════════════════════════════════════╝', 'cyan')
+  console.log()
+
+  // Version and project info
+  log(`  Version: ${packageJson.version}`, 'dim')
+  log(`  Project: ${colors.bright}${project?.name || config.project_slug}${colors.reset}`, 'reset')
+  log(`  URL: ${projectConfig.site?.url || 'Not set'}`, 'dim')
+  console.log()
+
+  // Project Settings Box
+  log('┌─────────────────────────────────────────────────────────────────────────────┐', 'yellow')
+  log('│  📋 PROJECT SETTINGS (from Supabase)                                        │', 'yellow')
+  log('├─────────────────────────────────────────────────────────────────────────────┤', 'yellow')
+  log(`│  Word Count:      ${String(projectConfig.content?.default_word_count || 'Not set').padEnd(15)} │  Brand Voice: ${String(projectConfig.brand?.voice || 'Not set').substring(0, 25).padEnd(25)}│`, 'reset')
+  log(`│  Reading Level:   ${String(projectConfig.content?.reading_level ? `Grade ${projectConfig.content.reading_level}` : 'Not set').padEnd(15)} │  Target:      ${String(projectConfig.brand?.target_audience || 'Not set').substring(0, 25).padEnd(25)}│`, 'reset')
+  log(`│  Include Images:  ${String(projectConfig.content?.include_images ? 'Yes' : 'No').padEnd(15)} │  Niche:       ${String(projectConfig.site?.niche || 'Not set').substring(0, 25).padEnd(25)}│`, 'reset')
+  log(`│  Keywords:        ${String((projectConfig.seo?.primary_keywords || []).slice(0, 3).join(', ') || 'Not set').substring(0, 56).padEnd(56)}│`, 'reset')
+  log('└─────────────────────────────────────────────────────────────────────────────┘', 'yellow')
+  console.log()
+
+  // Integrations Status
+  log('┌─────────────────────────────────────────────────────────────────────────────┐', 'green')
+  log('│  🔌 INTEGRATIONS                                                            │', 'green')
+  log('├─────────────────────────────────────────────────────────────────────────────┤', 'green')
+
+  const wpStatus = credentials.wordpress?.secret_key || credentials.wordpress?.app_password ? '✅ Enabled' : '❌ Not configured'
+  const ghostStatus = credentials.ghost?.admin_api_key ? '✅ Enabled' : '❌ Not configured'
+  const imageStatus = credentials[credentials.image_provider]?.api_key ? `✅ ${credentials.image_provider}` : '❌ Not configured'
+  const webhookStatus = credentials.webhooks && Object.values(credentials.webhooks).some(Boolean) ? '✅ Enabled' : '❌ Not configured'
+  const externalMcps = credentials.external_mcps?.length || 0
+
+  log(`│  WordPress:     ${wpStatus.padEnd(20)} │  Ghost CMS:    ${ghostStatus.padEnd(20)}│`, 'reset')
+  log(`│  Image Gen:     ${imageStatus.padEnd(20)} │  Webhooks:     ${webhookStatus.padEnd(20)}│`, 'reset')
+  log(`│  External MCPs: ${String(externalMcps > 0 ? `✅ ${externalMcps} configured` : '❌ None').padEnd(58)}│`, 'reset')
+  log('└─────────────────────────────────────────────────────────────────────────────┘', 'green')
+  console.log()
+
+  // Session Status
+  log('┌─────────────────────────────────────────────────────────────────────────────┐', 'magenta')
+  log('│  📝 CURRENT SESSION                                                         │', 'magenta')
+  log('├─────────────────────────────────────────────────────────────────────────────┤', 'magenta')
+
+  if (session && session.articles?.length > 0) {
+    const totalWords = session.articles.reduce((sum, a) => sum + (a.wordCount || 0), 0)
+    const unpublished = session.articles.filter(a => !a.published).length
+    log(`│  Articles: ${String(session.articles.length).padEnd(5)} │  Words: ${String(totalWords).padEnd(8)} │  Unpublished: ${String(unpublished).padEnd(14)}│`, 'reset')
+
+    if (session.articles.length > 0) {
+      const latest = session.articles[session.articles.length - 1]
+      log(`│  Latest:   ${String(`"${latest.title?.substring(0, 45) || 'Untitled'}..."`).padEnd(63)}│`, 'reset')
+    }
+  } else {
+    log(`│  No active session - Start with: "Create a blog post about [topic]"         │`, 'dim')
+  }
+  log('└─────────────────────────────────────────────────────────────────────────────┘', 'magenta')
+  console.log()
+
+  // Recent Content
+  if (recentContent.length > 0) {
+    log('┌─────────────────────────────────────────────────────────────────────────────┐', 'blue')
+    log('│  📚 RECENT CONTENT                                                          │', 'blue')
+    log('├─────────────────────────────────────────────────────────────────────────────┤', 'blue')
+    recentContent.forEach((content, i) => {
+      const title = (content.title || content.folder).substring(0, 50)
+      const words = content.wordCount || '?'
+      const date = content.savedAt ? new Date(content.savedAt).toLocaleDateString() : '?'
+      log(`│  ${i + 1}. ${title.padEnd(50)} ${String(words + ' words').padEnd(12)} ${date.padEnd(10)}│`, 'reset')
+    })
+    log(`│  Total saved: ${String(savedCount + ' articles').padEnd(60)}│`, 'dim')
+    log('└─────────────────────────────────────────────────────────────────────────────┘', 'blue')
+    console.log()
+  }
+
+  // Stats (if available)
+  if (stats.tool_calls > 0 || stats.articles_created > 0) {
+    log('┌─────────────────────────────────────────────────────────────────────────────┐', 'cyan')
+    log('│  📊 USAGE STATS                                                             │', 'cyan')
+    log('├─────────────────────────────────────────────────────────────────────────────┤', 'cyan')
+    log(`│  Tool Calls: ${String(stats.tool_calls).padEnd(10)} │  Articles: ${String(stats.articles_created).padEnd(10)} │  Images: ${String(stats.images_generated).padEnd(10)}│`, 'reset')
+    log(`│  Words Written: ${String(stats.words_written?.toLocaleString() || 0).padEnd(58)}│`, 'reset')
+    log('└─────────────────────────────────────────────────────────────────────────────┘', 'cyan')
+    console.log()
+  }
+
+  // Ready message
+  log('─────────────────────────────────────────────────────────────────────────────', 'dim')
+  log('  MCP Server ready. Waiting for AI client connection...', 'green')
+  log('  Tip: Say "Create a blog post about [topic]" to start', 'dim')
+  log('─────────────────────────────────────────────────────────────────────────────', 'dim')
+  console.log()
+}
+
 async function checkForUpdates(showCurrent = false) {
   const packageJson = JSON.parse(fs.readFileSync(new URL('../package.json', import.meta.url), 'utf-8'))
   const currentVersion = packageJson.version
@@ -590,16 +751,30 @@ async function runUpdate() {
   }
 }
 
-function runMCP() {
+async function runMCP() {
   const config = loadConfig()
 
   if (!config) {
     log('No configuration found. Running setup...', 'yellow')
     console.log()
-    runSetup()
+    await runSetup()
     return
   }
 
+  // Fetch project data for dashboard
+  let project = null
+  try {
+    const result = await testConnection(config.api_key, config.project_slug, config.api_url)
+    if (result.success) {
+      project = result.project
+    }
+  } catch (e) {
+    // Continue without project data
+  }
+
+  // Display dashboard
+  await displayDashboard(config, project)
+
   // Find the MCP client script
   const mcpClientPaths = [
     path.join(import.meta.dirname, '..', 'mcp-client.js'),

package/mcp-client.js

@@ -35,6 +35,17 @@ const projectSlug = process.argv[2]
 const apiKey = process.argv[3]
 const apiUrl = process.env.SUPARANK_API_URL || 'https://api.suparank.io'
 
+// ============================================================================
+// EXTERNAL API ENDPOINTS - Configurable via environment variables
+// ============================================================================
+const API_ENDPOINTS = {
+  // Image generation providers
+  fal: process.env.FAL_API_URL || 'https://fal.run/fal-ai/nano-banana-pro',
+  gemini: process.env.GEMINI_API_URL || 'https://generativelanguage.googleapis.com/v1beta/models',
+  wiro: process.env.WIRO_API_URL || 'https://api.wiro.ai/v1',
+  wiroTaskDetail: process.env.WIRO_TASK_URL || 'https://api.wiro.ai/v1/Task/Detail'
+}
+
 if (!projectSlug) {
   console.error('Error: Project slug is required')
   console.error('Usage: node mcp-client.js <project-slug> <api-key>')
@@ -144,6 +155,49 @@ function ensureContentDir() {
   return dir
 }
 
+/**
+ * Get the path to the stats file (~/.suparank/stats.json)
+ */
+function getStatsFile() {
+  return path.join(getSuparankDir(), 'stats.json')
+}
+
+/**
+ * Load usage stats
+ */
+function loadStats() {
+  try {
+    const file = getStatsFile()
+    if (fs.existsSync(file)) {
+      return JSON.parse(fs.readFileSync(file, 'utf-8'))
+    }
+  } catch (e) {
+    log(`Warning: Could not load stats: ${e.message}`)
+  }
+  return { tool_calls: 0, images_generated: 0, articles_created: 0, words_written: 0 }
+}
+
+/**
+ * Save usage stats
+ */
+function saveStats(stats) {
+  try {
+    ensureSuparankDir()
+    fs.writeFileSync(getStatsFile(), JSON.stringify(stats, null, 2))
+  } catch (e) {
+    log(`Error saving stats: ${e.message}`)
+  }
+}
+
+/**
+ * Increment a stat counter
+ */
+function incrementStat(key, amount = 1) {
+  const stats = loadStats()
+  stats[key] = (stats[key] || 0) + amount
+  saveStats(stats)
+}
+
 /**
  * Generate a slug from title for folder naming
  */
@@ -155,6 +209,46 @@ function slugify(text) {
     .substring(0, 50)
 }
 
+// ============================================================================
+// PATH SANITIZATION - Prevents path traversal attacks
+// ============================================================================
+
+/**
+ * Sanitize and validate a path to prevent traversal attacks
+ * @param {string} userPath - User-provided path segment
+ * @param {string} allowedBase - Base directory that paths must stay within
+ * @returns {string} - Resolved safe path
+ * @throws {Error} - If path would escape the allowed base
+ */
+function sanitizePath(userPath, allowedBase) {
+  // Remove any null bytes (common attack vector)
+  const cleanPath = userPath.replace(/\0/g, '')
+
+  // Resolve to absolute path
+  const resolved = path.resolve(allowedBase, cleanPath)
+
+  // Ensure the resolved path starts with the allowed base
+  // Adding path.sep ensures we don't match partial directory names
+  const normalizedBase = path.normalize(allowedBase + path.sep)
+  const normalizedResolved = path.normalize(resolved + path.sep)
+
+  if (!normalizedResolved.startsWith(normalizedBase)) {
+    throw new Error(`Path traversal detected: "${userPath}" would escape allowed directory`)
+  }
+
+  return resolved
+}
+
+/**
+ * Get content folder path safely
+ * @param {string} folderName - Folder name (article ID or title slug)
+ * @returns {string} - Safe path to content folder
+ */
+function getContentFolderSafe(folderName) {
+  const contentDir = path.join(getSuparankDir(), 'content')
+  return sanitizePath(folderName, contentDir)
+}
+
 /**
  * Atomic file write - prevents corruption on concurrent writes
  */
@@ -315,9 +409,56 @@ function loadSession() {
   return false
 }
 
+// ============================================================================
+// SESSION MUTEX - Prevents race conditions on concurrent session writes
+// ============================================================================
+
+let sessionLock = false
+const sessionLockQueue = []
+
+/**
+ * Acquire session lock for safe concurrent access
+ * @returns {Promise<void>}
+ */
+async function acquireSessionLock() {
+  if (!sessionLock) {
+    sessionLock = true
+    return
+  }
+  return new Promise(resolve => {
+    sessionLockQueue.push(resolve)
+  })
+}
+
+/**
+ * Release session lock, allowing next queued operation
+ */
+function releaseSessionLock() {
+  if (sessionLockQueue.length > 0) {
+    const next = sessionLockQueue.shift()
+    next()
+  } else {
+    sessionLock = false
+  }
+}
+
+/**
+ * Safe session save with mutex - use this for concurrent operations
+ * @returns {Promise<void>}
+ */
+async function saveSessionSafe() {
+  await acquireSessionLock()
+  try {
+    saveSession()
+  } finally {
+    releaseSessionLock()
+  }
+}
+
 /**
  * Save session state to file (persists across MCP restarts)
  * Uses atomic write to prevent corruption
+ * NOTE: For concurrent operations, use saveSessionSafe() instead
  */
 function saveSession() {
   try {
@@ -416,11 +557,13 @@ function saveContentToFolder() {
   try {
     ensureContentDir()
 
-    // Create folder name: YYYY-MM-DD-slug
+    // Create folder name: YYYY-MM-DD-slug (slugify removes dangerous characters)
     const date = new Date().toISOString().split('T')[0]
     const slug = slugify(sessionState.title)
     const folderName = `${date}-${slug}`
-    const folderPath = path.join(getContentDir(), folderName)
+
+    // Use safe path function to prevent any path traversal
+    const folderPath = getContentFolderSafe(folderName)
 
     // Create folder if doesn't exist
     if (!fs.existsSync(folderPath)) {
@@ -1922,6 +2065,10 @@ ${plan.steps[0].instruction}
       // Add to articles array (not overwriting previous articles!)
       sessionState.articles.push(newArticle)
 
+      // Track stats
+      incrementStat('articles_created')
+      incrementStat('words_written', wordCount)
+
       // Also keep in current working fields for backwards compatibility
       sessionState.title = title
       sessionState.article = content
@@ -2513,8 +2660,18 @@ Once loaded, you can run optimization tools:
         }
       }
 
-      const contentDir = getContentDir()
-      const folderPath = path.join(contentDir, folder_name)
+      // Sanitize folder_name to prevent path traversal attacks
+      let folderPath
+      try {
+        folderPath = getContentFolderSafe(folder_name)
+      } catch (error) {
+        return {
+          content: [{
+            type: 'text',
+            text: `❌ Invalid folder name: ${error.message}`
+          }]
+        }
+      }
 
       if (!fs.existsSync(folderPath)) {
         return {
@@ -2660,7 +2817,7 @@ async function executeImageGeneration(args) {
   switch (provider) {
     case 'fal': {
       // fal.ai Nano Banana Pro (gemini-3-pro-image)
-      const response = await fetchWithRetry('https://fal.run/fal-ai/nano-banana-pro', {
+      const response = await fetchWithRetry(API_ENDPOINTS.fal, {
         method: 'POST',
         headers: {
           'Authorization': `Key ${config.api_key}`,
@@ -2694,6 +2851,9 @@ async function executeImageGeneration(args) {
       // Persist session to file
       saveSession()
 
+      // Track stats
+      incrementStat('images_generated')
+
       const imageNumber = 1 + sessionState.inlineImages.length
       const totalImages = sessionState.currentWorkflow?.settings?.total_images || 1
       const imageType = imageNumber === 1 ? 'Cover Image' : `Inline Image ${imageNumber - 1}`
@@ -2718,7 +2878,7 @@ ${imageNumber < totalImages ? `\n**Next:** Generate ${totalImages - imageNumber}
       // Google Gemini 3 Pro Image (Nano Banana Pro) - generateContent API
       const model = config.model || 'gemini-3-pro-image-preview'
       const response = await fetch(
-        `https://generativelanguage.googleapis.com/v1beta/models/${model}:generateContent`,
+        `${API_ENDPOINTS.gemini}/${model}:generateContent`,
         {
           method: 'POST',
           headers: {
@@ -2757,6 +2917,9 @@ ${imageNumber < totalImages ? `\n**Next:** Generate ${totalImages - imageNumber}
       // Return base64 data URI
       const dataUri = `data:${mimeType};base64,${imageData}`
 
+      // Track stats
+      incrementStat('images_generated')
+
       return {
         content: [{
           type: 'text',
@@ -2786,7 +2949,7 @@ ${imageNumber < totalImages ? `\n**Next:** Generate ${totalImages - imageNumber}
 
       // Submit task
       log(`Submitting wiro.ai task for model: ${model}`)
-      const submitResponse = await fetch(`https://api.wiro.ai/v1/Run/${model}`, {
+      const submitResponse = await fetch(`${API_ENDPOINTS.wiro}/Run/${model}`, {
         method: 'POST',
         headers: {
           'Content-Type': 'application/json',
@@ -2829,7 +2992,7 @@ ${imageNumber < totalImages ? `\n**Next:** Generate ${totalImages - imageNumber}
           .update(pollSignatureData)
           .digest('hex')
 
-        const pollResponse = await fetch('https://api.wiro.ai/v1/Task/Detail', {
+        const pollResponse = await fetch(API_ENDPOINTS.wiroTaskDetail, {
           method: 'POST',
           headers: {
             'Content-Type': 'application/json',
@@ -2871,6 +3034,9 @@ ${imageNumber < totalImages ? `\n**Next:** Generate ${totalImages - imageNumber}
           // Persist session to file
           saveSession()
 
+          // Track stats
+          incrementStat('images_generated')
+
           const imageNumber = 1 + sessionState.inlineImages.length
           const totalImages = sessionState.currentWorkflow?.settings?.total_images || 1
           const imageType = imageNumber === 1 ? 'Cover Image' : `Inline Image ${imageNumber - 1}`
@@ -3430,6 +3596,9 @@ async function main() {
     progress('Tool', `Executing ${name}`)
     log(`Executing tool: ${name}`)
 
+    // Track tool call stats
+    incrementStat('tool_calls')
+
     // Check if this is an orchestrator tool
     const orchestratorTool = ORCHESTRATOR_TOOLS.find(t => t.name === name)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "suparank",
-  "version": "1.2.3",
+  "version": "1.2.5",
   "description": "AI-powered SEO content creation MCP - generate and publish optimized blog posts with Claude, ChatGPT, or Cursor",
   "main": "mcp-client.js",
   "type": "module",