zentao-bugfix-mcp 0.1.1

package/.env.example

@@ -0,0 +1,36 @@
+ZENTAO_BASE_URL="http://192.168.4.66"
+ZENTAO_ACCOUNT="admin"
+ZENTAO_PASSWORD="Abcd1234"
+ZENTAO_TOKEN=""
+
+# 当前密码仅适用于内网开发测试环境；生产、个人或其他环境凭证不要提交到仓库。
+
+ZENTAO_ALLOWED_PRODUCTS=""
+ZENTAO_ALLOWED_PROJECTS=""
+ZENTAO_ALLOWED_EXECUTIONS=""
+
+ZENTAO_ALLOW_WRITE_COMMENT="false"
+ZENTAO_ALLOW_ASSIGN_BUG="false"
+ZENTAO_ALLOW_RESOLVE_BUG="false"
+ZENTAO_ALLOW_CLOSE_BUG="false"
+ZENTAO_ALLOW_ALL_REST_WRITE="true"
+
+ZENTAO_ATTACHMENT_DIR="/tmp/zentao-bugfix-mcp"
+
+# 在线 MCP Streamable HTTP。非 localhost 监听必须配置认证。
+ZENTAO_MCP_HTTP_HOST="127.0.0.1"
+ZENTAO_MCP_HTTP_PORT="4333"
+ZENTAO_MCP_HTTP_PATH="/mcp"
+ZENTAO_MCP_HTTP_AUTH_TOKEN=""
+ZENTAO_MCP_ALLOWED_ORIGINS=""
+ZENTAO_MCP_TRUST_PROXY="false"
+ZENTAO_MCP_REQUEST_BODY_LIMIT="1048576"
+ZENTAO_MCP_FILE_DOWNLOAD_TOKEN_TTL_SECONDS="600"
+
+# 在线后台管理和本地持久化配置。生产建议配置 ZENTAO_CONFIG_SECRET。
+ZENTAO_DATA_DIR="/tmp/zentao-bugfix-mcp-data"
+ZENTAO_CONFIG_SECRET=""
+ZENTAO_ADMIN_PASSWORD=""
+ZENTAO_ADMIN_TOKEN=""
+ZENTAO_REQUEST_LOG_RETENTION_DAYS="14"
+ZENTAO_REQUEST_LOG_MAX_MB="100"

package/README.en.md

@@ -0,0 +1,207 @@
+# ZenTao Bugfix MCP stdio / 禅道 Bug 修复 MCP stdio
+
+English | [中文](README.md)
+
+**English**
+
+`zentao-bugfix-mcp` is the local stdio MCP package for AI-assisted ZenTao Bug fixing workflows. It is designed for local AI clients such as Codex, Cursor, Claude Code, and any MCP client that can start a subprocess and talk MCP JSON-RPC over stdio.
+
+Use this package when an AI coding agent needs to read ZenTao Bugs, inspect source-derived REST v1 API metadata, download attachments, and perform controlled REST v1 calls while the actual code changes, verification, and commits happen in the target business repository.
+
+**中文**
+
+`zentao-bugfix-mcp` 是面向 AI 辅助禅道 Bug 修复流程的本地 stdio MCP 包。它适用于 Codex、Cursor、Claude Code，以及所有能够启动子进程并通过 stdio 进行 MCP JSON-RPC 通信的 MCP 客户端。
+
+当 AI 编码 Agent 需要读取禅道 Bug、查询从源码生成的 REST v1 API 元数据、下载附件，或执行受控 REST v1 调用时，使用这个包。实际的代码定位、文件修改、验证和提交仍然由调用方 Agent 在目标业务仓库中完成。
+
+## Capability Snapshot
+
+- 9 MCP tools are registered by the stdio server.
+- 142 REST v1 routes are cataloged from ZenTao 22.1 source code.
+- 135 implemented REST v1 routes are callable through `zentao_call_api`.
+- 7 routes are intentionally marked as missing entries and return `API_ROUTE_NOT_IMPLEMENTED`.
+- 221 HTTP method entries are described in the catalog: 101 `GET`, 74 `POST`, 22 `PUT`, and 24 `DELETE`.
+- The confirmed REST base path is `${ZENTAO_BASE_URL}/api.php/v1`.
+- The API catalog is generated from ZenTao source, not from demo pages or handwritten examples.
+
+## Registered Tools
+
+| Tool | Purpose | Write behavior |
+| --- | --- | --- |
+| `zentao_health_check` | Check config, catalog status, authentication capability, and write switches. | Read-only |
+| `zentao_get_workflow_guide` | Read built-in workflow guide topics for Bug fixing, API catalog usage, attachments, and write rules. | Read-only |
+| `zentao_search_api` | Search the local REST v1 catalog without calling ZenTao. | Read-only |
+| `zentao_call_api` | Call cataloged ZenTao REST v1 APIs with path params, query, body, and dry-run support. | Real non-GET calls require `ZENTAO_ALLOW_ALL_REST_WRITE=true` |
+| `zentao_list_bugs` | List Bugs by product, project, or execution scope with normalized summaries and raw response data. | Read-only |
+| `zentao_list_my_work` | Read the current user's ZenTao "My Work" list, defaulting to Bugs assigned to the current user. | Read-only |
+| `zentao_get_bug` | Read a single Bug detail with normalized summary and raw response data. | Read-only |
+| `zentao_download_file` | Download a ZenTao attachment into `ZENTAO_ATTACHMENT_DIR`. | Filesystem write limited to attachment directory |
+| `zentao_add_bug_comment` | Prepare Bug comment write-back. The current REST v1 catalog has no `/comments` entry, so this remains dry-run. | Dry-run by default |
+
+## Architecture
+
+The stdio package is intentionally thin. It owns the local process entry and MCP transport, while shared tool registration and ZenTao behavior live in workspace packages:
+
+```text
+AI MCP client
+  -> zentao-bugfix-mcp binary
+  -> apps/mcp-stdio/src/main.ts
+  -> @modelcontextprotocol/sdk StdioServerTransport
+  -> @zentao-bugfix/mcp-tools
+       createMcpServer()
+       registerTools()
+  -> @zentao-bugfix/zentao-core
+       ReloadableZentaoRuntime
+       ZentaoService
+       ZentaoClient
+       local REST v1 catalog
+       workflow guide data
+  -> ZenTao REST v1: ${ZENTAO_BASE_URL}/api.php/v1
+```
+
+Package boundaries:
+
+| Area | Location | Responsibility |
+| --- | --- | --- |
+| stdio MCP package | `apps/mcp-stdio` | Published npm package, CLI binary, stdio transport, smoke test |
+| MCP tool registration | `packages/mcp-tools` | MCP server creation, tool schemas, safe result envelope, tool call observer hook |
+| ZenTao core runtime | `packages/zentao-core` | Config loading, auth, REST v1 client, catalog lookup, normalizers, attachment handling, workflow guide lookup |
+| REST v1 catalog data | `packages/zentao-core/data/zentao-api-v1-catalog.json` | Generated route metadata from ZenTao 22.1 source |
+| HTTP MCP server | `apps/mcp-http` | Separate Streamable HTTP MCP deployment target |
+| Debug and web UI | `apps/debug-api`, `apps/web`, `apps/admin-web` | Local REST explorer, development UI, and online admin console |
+
+The stdio server does not directly implement business-specific code fixes. It exposes ZenTao context and controlled API access to the caller agent; the caller agent remains responsible for locating code, editing files, running tests, and committing changes in the target repository.
+
+## Install and Run
+
+Use with `npx`:
+
+```bash
+npx zentao-bugfix-mcp
+```
+
+Install globally:
+
+```bash
+npm install -g zentao-bugfix-mcp
+zentao-bugfix-mcp
+```
+
+Run from this workspace during development:
+
+```bash
+pnpm install
+pnpm build:stdio
+node apps/mcp-stdio/bin/zentao-bugfix-mcp.js
+```
+
+Run only this package:
+
+```bash
+pnpm --filter zentao-bugfix-mcp build
+pnpm --filter zentao-bugfix-mcp start
+```
+
+## MCP Client Configuration
+
+```json
+{
+  "mcpServers": {
+    "zentao-bugfix": {
+      "command": "zentao-bugfix-mcp",
+      "env": {
+        "ZENTAO_BASE_URL": "http://192.168.4.66",
+        "ZENTAO_ACCOUNT": "admin",
+        "ZENTAO_PASSWORD": "Abcd1234",
+        "ZENTAO_TOKEN": "",
+        "ZENTAO_ALLOW_ALL_REST_WRITE": "true"
+      }
+    }
+  }
+}
+```
+
+The example above targets the current internal development test environment. Keep `ZENTAO_ALLOW_ALL_REST_WRITE` disabled outside trusted test environments unless the client is explicitly allowed to perform real non-GET REST calls.
+
+For local source development, point the client to the repository binary after building:
+
+```json
+{
+  "mcpServers": {
+    "zentao-bugfix": {
+      "command": "node",
+      "args": ["/Users/zoujunkun/study/zentao-bugfix-mcp/apps/mcp-stdio/bin/zentao-bugfix-mcp.js"],
+      "env": {
+        "ZENTAO_BASE_URL": "http://192.168.4.66",
+        "ZENTAO_ACCOUNT": "admin",
+        "ZENTAO_PASSWORD": "Abcd1234",
+        "ZENTAO_TOKEN": "",
+        "ZENTAO_ALLOW_ALL_REST_WRITE": "true"
+      }
+    }
+  }
+}
+```
+
+## Environment Variables
+
+| Variable | Required | Purpose |
+| --- | --- | --- |
+| `ZENTAO_BASE_URL` | Yes | ZenTao site root. The server appends `/api.php/v1`. |
+| `ZENTAO_TOKEN` | No | Existing ZenTao REST token. Used before account/password auth. |
+| `ZENTAO_ACCOUNT` | No | Account used to request a token when `ZENTAO_TOKEN` is empty. |
+| `ZENTAO_PASSWORD` | No | Password used with `ZENTAO_ACCOUNT`. |
+| `ZENTAO_ALLOWED_PRODUCTS` | No | Optional comma-separated allowlist for product-scoped reads. |
+| `ZENTAO_ALLOWED_PROJECTS` | No | Optional comma-separated allowlist for project-scoped reads. |
+| `ZENTAO_ALLOWED_EXECUTIONS` | No | Optional comma-separated allowlist for execution-scoped reads. |
+| `ZENTAO_ALLOW_ALL_REST_WRITE` | No | Enables real non-GET calls through `zentao_call_api`. |
+| `ZENTAO_ATTACHMENT_DIR` | No | Directory for downloaded attachments. Defaults to `/tmp/zentao-bugfix-mcp`. |
+
+Authentication order:
+
+1. Use `ZENTAO_TOKEN` if it is provided.
+2. Otherwise call `POST /api.php/v1/tokens` with `ZENTAO_ACCOUNT` and `ZENTAO_PASSWORD`.
+
+The test credentials shown in examples are only for the current internal development test environment. Do not use production, personal, or other environment credentials in committed docs, logs, or test records.
+
+## Safety Model
+
+The default design is read-first and catalog-gated:
+
+- `zentao_call_api` only calls routes present in the generated REST v1 catalog.
+- `GET` calls are allowed by default.
+- `POST /tokens` is allowed for authentication.
+- Other `POST`, `PUT`, `PATCH`, and `DELETE` calls require `ZENTAO_ALLOW_ALL_REST_WRITE=true`.
+- `dryRun=true` returns the prepared request without performing the write.
+- Missing catalog entries return `API_ROUTE_NOT_IMPLEMENTED`; the server does not silently fall back to legacy endpoints.
+- Attachment downloads are confined to `ZENTAO_ATTACHMENT_DIR`.
+- The server never defaults to resolving, closing, or assigning Bugs.
+
+## Development
+
+Useful commands from the workspace root:
+
+```bash
+pnpm typecheck
+pnpm build:stdio
+pnpm smoke:mcp
+pnpm pack:stdio
+```
+
+Useful commands inside this package:
+
+```bash
+pnpm build
+pnpm typecheck
+pnpm smoke
+```
+
+The smoke test starts the built stdio server and lists the tools exposed through MCP.
+
+## Related Documentation
+
+- Workspace README: `../../README.md`
+- Deployment notes: `../../docs/DEPLOYMENT.md`
+- Development rules: `../../docs/DEVELOPMENT.md`
+- Tool contract: `../../docs/TOOL_CONTRACT.md`
+- Generated REST v1 catalog docs: `../../docs/ZENTAO_API_V1.md`

package/README.md

@@ -0,0 +1,207 @@
+# ZenTao Bugfix MCP stdio / 禅道 Bug 修复 MCP stdio
+
+中文 | [English](README.en.md)
+
+**中文**
+
+`zentao-bugfix-mcp` 是面向 AI 辅助禅道 Bug 修复流程的本地 stdio MCP 包。它适用于 Codex、Cursor、Claude Code，以及所有能够启动子进程并通过 stdio 进行 MCP JSON-RPC 通信的 MCP 客户端。
+
+当 AI 编码 Agent 需要读取禅道 Bug、查询从源码生成的 REST v1 API 元数据、下载附件，或执行受控 REST v1 调用时，使用这个包。实际的代码定位、文件修改、验证和提交仍然由调用方 Agent 在目标业务仓库中完成。
+
+**English**
+
+`zentao-bugfix-mcp` is the local stdio MCP package for AI-assisted ZenTao Bug fixing workflows. It is designed for local AI clients such as Codex, Cursor, Claude Code, and any MCP client that can start a subprocess and talk MCP JSON-RPC over stdio.
+
+Use this package when an AI coding agent needs to read ZenTao Bugs, inspect source-derived REST v1 API metadata, download attachments, and perform controlled REST v1 calls while the actual code changes, verification, and commits happen in the target business repository.
+
+## 能力概览
+
+- stdio Server 当前注册 9 个 MCP tools。
+- 从禅道 22.1 源码 catalog 出 142 条 REST v1 route。
+- 其中 135 条已实现 REST v1 route 可通过 `zentao_call_api` 调用。
+- 7 条 route 明确标记为缺 entry，调用时返回 `API_ROUTE_NOT_IMPLEMENTED`。
+- catalog 中包含 221 个 HTTP method entry：101 个 `GET`、74 个 `POST`、22 个 `PUT`、24 个 `DELETE`。
+- 已确认 REST 基路径为 `${ZENTAO_BASE_URL}/api.php/v1`。
+- API catalog 来源于禅道源码，不依赖页面演示文档或手写示例。
+
+## 已注册工具
+
+| Tool | 用途 | 写操作行为 |
+| --- | --- | --- |
+| `zentao_health_check` | 检查配置、catalog 状态、认证能力和写操作开关。 | 只读 |
+| `zentao_get_workflow_guide` | 读取内置工作流指南模块，包括 Bug 修复、API catalog 使用、附件和写操作规则。 | 只读 |
+| `zentao_search_api` | 查询本地 REST v1 catalog，不访问禅道服务。 | 只读 |
+| `zentao_call_api` | 调用 catalog 中已登记的禅道 REST v1 API，支持 path params、query、body 和 dry-run。 | 非 GET 真实调用需要 `ZENTAO_ALLOW_ALL_REST_WRITE=true` |
+| `zentao_list_bugs` | 按产品、项目或执行维度读取 Bug 列表，返回归一化摘要和原始响应。 | 只读 |
+| `zentao_list_my_work` | 读取当前登录用户的禅道“我的工作”列表，默认返回指派给当前用户的 Bug。 | 只读 |
+| `zentao_get_bug` | 读取单个 Bug 详情，返回归一化摘要和原始响应。 | 只读 |
+| `zentao_download_file` | 下载禅道附件到 `ZENTAO_ATTACHMENT_DIR`。 | 文件写入限制在附件目录 |
+| `zentao_add_bug_comment` | 准备 Bug 评论回写。当前 REST v1 catalog 中没有 `/comments` entry，因此保持 dry-run。 | 默认 dry-run |
+
+## 架构设计
+
+stdio 包刻意保持轻量，只负责本地进程入口和 MCP 传输；工具注册和禅道访问行为由 workspace 内共享包承载：
+
+```text
+AI MCP client
+  -> zentao-bugfix-mcp binary
+  -> apps/mcp-stdio/src/main.ts
+  -> @modelcontextprotocol/sdk StdioServerTransport
+  -> @zentao-bugfix/mcp-tools
+       createMcpServer()
+       registerTools()
+  -> @zentao-bugfix/zentao-core
+       ReloadableZentaoRuntime
+       ZentaoService
+       ZentaoClient
+       local REST v1 catalog
+       workflow guide data
+  -> ZenTao REST v1: ${ZENTAO_BASE_URL}/api.php/v1
+```
+
+包边界：
+
+| 模块 | 位置 | 职责 |
+| --- | --- | --- |
+| stdio MCP 包 | `apps/mcp-stdio` | 发布到 npm 的包、CLI binary、stdio transport、smoke test |
+| MCP 工具注册 | `packages/mcp-tools` | MCP server 创建、工具 schema、安全结果信封、工具调用观察钩子 |
+| 禅道核心运行时 | `packages/zentao-core` | 配置加载、认证、REST v1 client、catalog 查询、归一化、附件处理、workflow guide 查询 |
+| REST v1 catalog 数据 | `packages/zentao-core/data/zentao-api-v1-catalog.json` | 从禅道 22.1 源码生成的 route 元数据 |
+| HTTP MCP Server | `apps/mcp-http` | 独立的 Streamable HTTP MCP 部署目标 |
+| Debug 和 Web UI | `apps/debug-api`、`apps/web`、`apps/admin-web` | 本地 REST explorer、开发调试 UI、在线后台管理 |
+
+stdio Server 不直接实现业务代码修复。它向调用方 Agent 提供禅道上下文和受控 API 访问能力；调用方 Agent 负责在目标仓库中定位代码、修改文件、运行测试并提交变更。
+
+## 安装与运行
+
+使用 `npx`：
+
+```bash
+npx zentao-bugfix-mcp
+```
+
+全局安装：
+
+```bash
+npm install -g zentao-bugfix-mcp
+zentao-bugfix-mcp
+```
+
+在当前 workspace 中开发运行：
+
+```bash
+pnpm install
+pnpm build:stdio
+node apps/mcp-stdio/bin/zentao-bugfix-mcp.js
+```
+
+只运行当前包：
+
+```bash
+pnpm --filter zentao-bugfix-mcp build
+pnpm --filter zentao-bugfix-mcp start
+```
+
+## MCP 客户端配置
+
+```json
+{
+  "mcpServers": {
+    "zentao-bugfix": {
+      "command": "zentao-bugfix-mcp",
+      "env": {
+        "ZENTAO_BASE_URL": "http://192.168.4.66",
+        "ZENTAO_ACCOUNT": "admin",
+        "ZENTAO_PASSWORD": "Abcd1234",
+        "ZENTAO_TOKEN": "",
+        "ZENTAO_ALLOW_ALL_REST_WRITE": "true"
+      }
+    }
+  }
+}
+```
+
+上面的示例面向当前内网开发测试环境。除非明确允许客户端执行真实非 GET REST 调用，否则不要在可信测试环境之外开启 `ZENTAO_ALLOW_ALL_REST_WRITE`。
+
+本地源码开发时，先完成构建，再让客户端直接指向仓库内 binary：
+
+```json
+{
+  "mcpServers": {
+    "zentao-bugfix": {
+      "command": "node",
+      "args": ["/Users/zoujunkun/study/zentao-bugfix-mcp/apps/mcp-stdio/bin/zentao-bugfix-mcp.js"],
+      "env": {
+        "ZENTAO_BASE_URL": "http://192.168.4.66",
+        "ZENTAO_ACCOUNT": "admin",
+        "ZENTAO_PASSWORD": "Abcd1234",
+        "ZENTAO_TOKEN": "",
+        "ZENTAO_ALLOW_ALL_REST_WRITE": "true"
+      }
+    }
+  }
+}
+```
+
+## 环境变量
+
+| 变量 | 是否必需 | 用途 |
+| --- | --- | --- |
+| `ZENTAO_BASE_URL` | 是 | 禅道站点根路径。Server 会拼接 `/api.php/v1`。 |
+| `ZENTAO_TOKEN` | 否 | 已有禅道 REST token，优先使用。 |
+| `ZENTAO_ACCOUNT` | 否 | `ZENTAO_TOKEN` 为空时，用于换取 token 的账号。 |
+| `ZENTAO_PASSWORD` | 否 | 配合 `ZENTAO_ACCOUNT` 使用的密码。 |
+| `ZENTAO_ALLOWED_PRODUCTS` | 否 | 可选的产品维度读取白名单，逗号分隔。 |
+| `ZENTAO_ALLOWED_PROJECTS` | 否 | 可选的项目维度读取白名单，逗号分隔。 |
+| `ZENTAO_ALLOWED_EXECUTIONS` | 否 | 可选的执行维度读取白名单，逗号分隔。 |
+| `ZENTAO_ALLOW_ALL_REST_WRITE` | 否 | 允许 `zentao_call_api` 执行真实非 GET 调用。 |
+| `ZENTAO_ATTACHMENT_DIR` | 否 | 附件下载目录，默认 `/tmp/zentao-bugfix-mcp`。 |
+
+认证顺序：
+
+1. 如果提供了 `ZENTAO_TOKEN`，优先使用 token。
+2. 否则使用 `ZENTAO_ACCOUNT` 和 `ZENTAO_PASSWORD` 调用 `POST /api.php/v1/tokens` 换取 token。
+
+示例中的测试账号密码仅适用于当前内网开发测试环境。生产、个人或其他环境凭证不得写入已提交文档、日志或验收记录。
+
+## 安全模型
+
+默认设计是优先只读，并且所有通用 API 调用都受 catalog 约束：
+
+- `zentao_call_api` 只能调用生成的 REST v1 catalog 中存在的 route。
+- 默认允许 `GET` 调用。
+- 认证用 `POST /tokens` 默认允许。
+- 其他 `POST`、`PUT`、`PATCH`、`DELETE` 需要 `ZENTAO_ALLOW_ALL_REST_WRITE=true`。
+- `dryRun=true` 只返回准备好的请求，不执行写入。
+- 缺 entry 的 catalog route 返回 `API_ROUTE_NOT_IMPLEMENTED`，Server 不会静默退回 legacy endpoint。
+- 附件下载限制在 `ZENTAO_ATTACHMENT_DIR`。
+- Server 不默认解决 Bug、不默认关闭 Bug、不默认指派 Bug。
+
+## 开发
+
+在 workspace 根目录常用命令：
+
+```bash
+pnpm typecheck
+pnpm build:stdio
+pnpm smoke:mcp
+pnpm pack:stdio
+```
+
+在当前包目录常用命令：
+
+```bash
+pnpm build
+pnpm typecheck
+pnpm smoke
+```
+
+smoke test 会启动构建后的 stdio Server，并通过 MCP 列出当前暴露的 tools。
+
+## 相关文档
+
+- Workspace README：`../../README.md`
+- 部署说明：`../../docs/DEPLOYMENT.md`
+- 开发规范：`../../docs/DEVELOPMENT.md`
+- 工具契约：`../../docs/TOOL_CONTRACT.md`
+- 自动生成的 REST v1 catalog 文档：`../../docs/ZENTAO_API_V1.md`

package/bin/zentao-bugfix-mcp.js

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+import '../dist/main.js'

package/dist/main.d.ts

@@ -0,0 +1 @@
+#!/usr/bin/env node