tanuki-telemetry 1.1.0

package/src/index.ts

@@ -0,0 +1,20 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { getDb } from "./db.js";
+import { registerTools } from "./tools.js";
+
+// Initialize database on startup
+getDb();
+
+const server = new McpServer({
+  name: "telemetry-mcp",
+  version: "1.0.0",
+});
+
+// Register all tools — stdio is always local, use DEFAULT_USER_EMAIL or fallback
+const localUserEmail = process.env.DEFAULT_USER_EMAIL || "local@localhost";
+registerTools(server, localUserEmail);
+
+// Stdio transport — used when spawned by Claude Code locally
+const transport = new StdioServerTransport();
+await server.connect(transport);

package/src/middleware.ts

@@ -0,0 +1,76 @@
+import type { Request, Response, NextFunction } from "express";
+import { validateApiKey } from "./api-keys.js";
+
+export const AUTH_ENABLED = !!process.env.GOOGLE_CLIENT_ID;
+
+export interface AuthenticatedRequest extends Request {
+  apiKeyUserId?: string;
+  apiKeyEmail?: string;
+}
+
+/**
+ * Protects dashboard API routes — checks for an active session.
+ * Bypassed when AUTH_ENABLED is false (local dev).
+ */
+export function dashboardAuthMiddleware(req: Request, res: Response, next: NextFunction): void {
+  if (!AUTH_ENABLED) {
+    next();
+    return;
+  }
+
+  if (req.isAuthenticated()) {
+    next();
+    return;
+  }
+
+  res.status(401).json({ error: "Not authenticated" });
+}
+
+/**
+ * Protects MCP SSE routes — checks for API key in Authorization header.
+ * Bypassed when AUTH_ENABLED is false (local dev).
+ */
+export function apiKeyMiddleware(req: Request, res: Response, next: NextFunction): void {
+  if (!AUTH_ENABLED) {
+    next();
+    return;
+  }
+
+  const authHeader = req.headers.authorization;
+  if (!authHeader?.startsWith("Bearer tlm_")) {
+    res.status(401).json({ error: "Missing or invalid API key. Expected: Authorization: Bearer tlm_..." });
+    return;
+  }
+
+  const rawKey = authHeader.slice(7); // Remove "Bearer "
+  const result = validateApiKey(rawKey);
+  if (!result) {
+    res.status(401).json({ error: "Invalid API key" });
+    return;
+  }
+
+  // Attach user info to request for downstream use
+  (req as AuthenticatedRequest).apiKeyUserId = result.user_id;
+  (req as AuthenticatedRequest).apiKeyEmail = result.email;
+  next();
+}
+
+/**
+ * Extract user email from an MCP request (set by apiKeyMiddleware).
+ * Returns the email or a local fallback.
+ */
+export function getUserEmailFromRequest(req: Request): string {
+  const email = (req as AuthenticatedRequest).apiKeyEmail;
+  if (email) return email;
+  // Local dev fallback — use system user
+  return process.env.DEFAULT_USER_EMAIL || "local@localhost";
+}
+
+/**
+ * Parse session from WebSocket upgrade request.
+ * Returns the user from the session cookie, or null if auth is disabled/no session.
+ */
+export function wsAuthCheck(req: Request): boolean {
+  if (!AUTH_ENABLED) return true;
+  return req.isAuthenticated?.() ?? false;
+}