taskover-mcp 1.1.0 → 1.2.0

package/publish/cloud-adapter.js

@@ -0,0 +1,246 @@
+// mcp-server/cloud-adapter.js
+// SECURITY: This module is the cloud-mode replacement for direct data-store access.
+// It forwards allowed methods to api.taskover.gg/api/rpc with the user's API key.
+// The server is the final authority on auth, scope, ownership, and rate limits.
+// Client-side allowlist is defense-in-depth only.
+
+const API_BASE = "https://api.taskover.gg";
+const REQUEST_TIMEOUT_MS = 15000;
+const MAX_REQUEST_BYTES = 1 * 1024 * 1024;   // 1 MB
+const MAX_RESPONSE_BYTES = 5 * 1024 * 1024;   // 5 MB
+
+// SECURITY: Default is DENY. New methods must be explicitly added here after security review.
+// Delete operations are deferred past beta -- users must delete via the web UI.
+// Settings, admin, billing, team, import/export are permanently blocked.
+// REVISED per M0 matrix (33 read methods). Removed: getProject, getTask, getSystem,
+// getMilestone, getLastSession, getBlueprintGraphs (DEFERRED), searchProject,
+// getActivityFeed (no MCP tool). Singular get methods don't exist in RPC.
+const MCP_ALLOWED_READS = new Set([
+  "listProjects",
+  "getTasks",
+  "getBugs",
+  "getSystems",
+  "getMilestones",
+  "getSessions",
+  "getChangelog",
+  "getDecisions",
+  "getBlueprints",
+  "getNotes",
+  "getBuildErrors",
+  "getAssets",
+  "getOptimizeItems",
+  "getPerfBudget",
+  "getLevels",
+  "getMarketingItems",
+  "getDialogues",
+  "getSounds", "getControls",
+  "getRefs",
+  "getPlugins",
+  "getShipChecked",
+  "getIterations",
+  "getPlaytests",
+  "getOpenQuestions",
+  "getWikiPages",
+  "getStories", "getScenes", "getSceneContent", "getStoryBible",
+  "search",
+  "dashboard", "contextExport",
+]);
+
+// REVISED per M0 matrix (52 write methods). Removed: updateBug (no MCP tool),
+// setBlueprintGraph, addGraphNodes (DEFERRED ANOMALY-1), addBoardColumn (DEFERRED ANOMALY-2),
+// updateStoryCharacter, updateSceneContent (DEFERRED ANOMALY-3).
+const MCP_ALLOWED_WRITES = new Set([
+  "addTask", "updateTask", "moveTask", "addTaskComment",
+  "addBug", "fixBug",
+  "logSession",
+  "addChangelog",
+  "logDecision",
+  "addSystem", "updateSystem",
+  "addBlueprint", "updateBlueprint",
+  "addNote",
+  "addBuildError", "fixBuildError",
+  "addOptimizeItem", "updateOptimizeItem",
+  "addPerfBudget",
+  "addLevel", "updateLevel", "addActor", "removeActor",
+  "addPlugin", "updatePlugin",
+  "addPlaytest",
+  "addMilestone", "updateMilestone",
+  "addIteration",
+  "addDialogue", "updateDialogue",
+  "addSound", "updateSound",
+  "addControl", "updateControl",
+  "addAsset", "updateAsset",
+  "addRef",
+  "addMarketingItem", "updateMarketingItem",
+  "addWikiPage", "updateWikiPage",
+  "addOpenQuestion", "toggleQuestion",
+  "toggleShipCheck",
+  "logBackup",
+  "addStory", "updateStory",
+  "addScene", "updateScene",
+  "updateStoryBible",
+  "addStoryCharacter",
+]);
+
+// SECURITY: Methods that are NEVER allowed through MCP, regardless of future changes.
+// Commented for documentation -- they are blocked by not being in the allow sets above.
+// addProject, deleteProject, updateProject
+// generateApiKey, revokeApiKey
+// any user/auth/team/billing/subscription methods
+// exportData, importData
+// any settings methods
+// any friend/social methods
+// loadAll (returns entire user dataset -- too broad)
+// deleteSystem, deletePlugin, deleteScene (delete ops deferred past beta)
+// DEFERRED per M0: getBlueprintGraphs, setBlueprintGraph, addGraphNodes (ANOMALY-1: ownership)
+// DEFERRED per M0: addBoardColumn (ANOMALY-2: no RPC method)
+// DEFERRED per M0: updateStoryCharacter, updateSceneContent (ANOMALY-3: arg/ownership)
+// REMOVED (no MCP tool): updateBug, getProject, getTask, getSystem, getMilestone,
+//   getLastSession, searchProject, getActivityFeed
+
+const MCP_ALLOWED_METHODS = new Set([...MCP_ALLOWED_READS, ...MCP_ALLOWED_WRITES]);
+
+let _apiKey = null;
+
+// Token-based auth state (OAuth flow — set via initWithToken)
+let _accessToken = null;
+let _refreshToken = null;
+
+function init(apiKey) {
+  _apiKey = apiKey;
+}
+
+function initWithToken(accessToken, refreshToken) {
+  _accessToken = accessToken;
+  _refreshToken = refreshToken;
+}
+
+function isAllowed(method) {
+  return MCP_ALLOWED_METHODS.has(method);
+}
+
+function isWrite(method) {
+  return MCP_ALLOWED_WRITES.has(method);
+}
+
+async function _doRpcCall(method, args, token) {
+  if (!token) throw new Error("Cloud adapter not initialized — no token");
+  if (!isAllowed(method)) throw new Error(`Method "${method}" is not allowed through MCP`);
+
+  const body = JSON.stringify({ method, args: args || [] });
+  if (Buffer.byteLength(body, "utf8") > MAX_REQUEST_BYTES) {
+    throw new Error("Request too large (max 1 MB)");
+  }
+
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+
+  try {
+    const res = await fetch(`${API_BASE}/api/rpc`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${token}`,
+      },
+      body,
+      signal: controller.signal,
+    });
+
+    clearTimeout(timer);
+
+    if (res.status === 401) throw new Error("AUTH_FAILED");
+    if (res.status === 429) {
+      const retryAfter = res.headers.get("retry-after") || "60";
+      throw new Error(`RATE_LIMITED:${retryAfter}`);
+    }
+    if (!res.ok) {
+      // Privacy: extract machine-readable code only — raw error body may echo customer content.
+      let errDetail = "";
+      try {
+        const errJson = await res.json();
+        // Data Control denials have a server-generated message safe to surface (no customer content)
+        if (errJson.code && errJson.code.startsWith("DATA_CONTROL_") && errJson.message) throw new Error(errJson.message);
+        if (errJson.code) errDetail = ` code=${errJson.code}`;
+        else if (typeof errJson.error === "string" && errJson.error.length <= 60) errDetail = ` msg=${errJson.error}`;
+      } catch (e) { if (e.message && !e.message.startsWith("Cloud API")) throw e; await res.text().catch(() => ""); /* drain body */ }
+      throw new Error(`Cloud API error ${res.status}${errDetail}`);
+    }
+
+    // SECURITY: Enforce response size limit using byte-accurate check.
+    // text.length counts UTF-16 code units, not bytes. Multi-byte content
+    // (emoji, CJK, etc.) would undercount. Buffer.byteLength is correct.
+    const text = await res.text();
+    if (Buffer.byteLength(text, "utf8") > MAX_RESPONSE_BYTES) {
+      throw new Error("Response too large (max 5 MB)");
+    }
+
+    const parsed = JSON.parse(text);
+    return parsed.result !== undefined ? parsed.result : parsed;
+  } catch (err) {
+    clearTimeout(timer);
+    if (err.name === "AbortError") {
+      throw new Error("Cloud API request timed out (15s)");
+    }
+    throw err;
+  }
+}
+
+async function callRpc(method, args) {
+  const token = _accessToken || _apiKey;
+  try {
+    return await _doRpcCall(method, args, token);
+  } catch (err) {
+    if (err.message === "AUTH_FAILED" && _accessToken && _refreshToken) {
+      try {
+        const authFlow = require("./auth-flow.js");
+        const tokens = await authFlow.reauthenticate(_refreshToken);
+        _accessToken = tokens.access_token;
+        _refreshToken = tokens.refresh_token;
+        return await _doRpcCall(method, args, _accessToken);
+      } catch (refreshErr) {
+        throw new Error("Session expired. Restart the MCP server to re-authenticate.");
+      }
+    }
+    throw err;
+  }
+}
+
+async function validateKey() {
+  const token = _accessToken || _apiKey;
+  if (!token) return { valid: false, error: "No token or API key configured" };
+
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+
+  try {
+    const res = await fetch(`${API_BASE}/api/auth/validate`, {
+      method: "POST",
+      headers: { "Authorization": `Bearer ${token}` },
+      signal: controller.signal,
+    });
+
+    clearTimeout(timer);
+
+    if (res.status === 401) return { valid: false, error: "Token/key invalid or expired." };
+    if (!res.ok) return { valid: false, error: `Unexpected response (HTTP ${res.status})` };
+
+    const data = await res.json();
+    return { valid: true, displayName: data.displayName || "user" };
+  } catch (err) {
+    clearTimeout(timer);
+    if (err.name === "AbortError") return { valid: false, error: "Cannot reach api.taskover.gg (timeout)" };
+    return { valid: false, error: `Cannot reach api.taskover.gg: ${err.message}` };
+  }
+}
+
+module.exports = {
+  init,
+  initWithToken,
+  isAllowed,
+  isWrite,
+  callRpc,
+  validateKey,
+  MCP_ALLOWED_METHODS,
+  MCP_ALLOWED_READS,
+  MCP_ALLOWED_WRITES,
+};

package/publish/credential-store.js

@@ -0,0 +1,93 @@
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+
+const SERVICE_NAME = "taskover-mcp";
+const ACCOUNT_NAME = "default";
+const AUTH_DIR = path.join(os.homedir(), ".taskover");
+const TOKEN_FILE = path.join(AUTH_DIR, "auth.json");
+
+let _keytar = null;
+let _keytarAvailable = null;
+
+async function _getKeytar() {
+  if (_keytarAvailable === false) return null;
+  if (_keytar) return _keytar;
+  try {
+    _keytar = require("keytar");
+    await _keytar.getPassword(SERVICE_NAME, "__probe__");
+    _keytarAvailable = true;
+    return _keytar;
+  } catch (_) {
+    _keytarAvailable = false;
+    _keytar = null;
+    return null;
+  }
+}
+
+function _ensureAuthDir() {
+  if (!fs.existsSync(AUTH_DIR)) {
+    fs.mkdirSync(AUTH_DIR, { recursive: true, mode: 0o700 });
+  }
+}
+
+function _readFile() {
+  try {
+    return JSON.parse(fs.readFileSync(TOKEN_FILE, "utf8"));
+  } catch (_) {
+    return null;
+  }
+}
+
+function _writeFile(data) {
+  _ensureAuthDir();
+  fs.writeFileSync(TOKEN_FILE, JSON.stringify(data, null, 2), { mode: 0o600 });
+}
+
+function _deleteFile() {
+  try { fs.unlinkSync(TOKEN_FILE); } catch (_) {}
+}
+
+async function read() {
+  const kt = await _getKeytar();
+  if (kt) {
+    try {
+      const raw = await kt.getPassword(SERVICE_NAME, ACCOUNT_NAME);
+      if (raw) return JSON.parse(raw);
+    } catch (_) {}
+  }
+  return _readFile();
+}
+
+async function write(tokens) {
+  const kt = await _getKeytar();
+  if (kt) {
+    try {
+      await kt.setPassword(SERVICE_NAME, ACCOUNT_NAME, JSON.stringify(tokens));
+      // Metadata-only stub — NO tokens or secrets in the file when keychain is available
+      _writeFile({ host_type: tokens.host_type, storage: "keychain", expires_at: tokens.expires_at, issued_at: Date.now() });
+      return "keychain";
+    } catch (_) {}
+  }
+  _writeFile(tokens);
+  if (process.platform === "win32") {
+    console.error("[AUTH] Tokens stored in " + TOKEN_FILE);
+    console.error("[AUTH] Ensure this directory is not shared or synced to cloud storage.");
+  }
+  return "file";
+}
+
+async function clear() {
+  const kt = await _getKeytar();
+  if (kt) {
+    try { await kt.deletePassword(SERVICE_NAME, ACCOUNT_NAME); } catch (_) {}
+  }
+  _deleteFile();
+}
+
+async function getStorageType() {
+  const kt = await _getKeytar();
+  return kt ? "keychain" : "file";
+}
+
+module.exports = { read, write, clear, getStorageType };