basic-memory 0.12.2__py3-none-any.whl → 0.13.0__py3-none-any.whl

basic_memory/mcp/supabase_auth_provider.py

@@ -0,0 +1,463 @@
+"""Supabase OAuth provider for Basic Memory MCP server."""
+
+import os
+import secrets
+from dataclasses import dataclass
+from datetime import datetime, timedelta
+from typing import Optional, Dict, Any
+
+import httpx
+import jwt
+from loguru import logger
+from mcp.server.auth.provider import (
+    OAuthAuthorizationServerProvider,
+    AuthorizationParams,
+    AuthorizationCode,
+    RefreshToken,
+    AccessToken,
+    TokenError,
+    AuthorizeError,
+)
+from mcp.shared.auth import OAuthClientInformationFull, OAuthToken
+
+
+@dataclass
+class SupabaseAuthorizationCode(AuthorizationCode):
+    """Authorization code with Supabase metadata."""
+
+    user_id: Optional[str] = None
+    email: Optional[str] = None
+
+
+@dataclass
+class SupabaseRefreshToken(RefreshToken):
+    """Refresh token with Supabase metadata."""
+
+    supabase_refresh_token: Optional[str] = None
+    user_id: Optional[str] = None
+
+
+@dataclass
+class SupabaseAccessToken(AccessToken):
+    """Access token with Supabase metadata."""
+
+    supabase_access_token: Optional[str] = None
+    user_id: Optional[str] = None
+    email: Optional[str] = None
+
+
+class SupabaseOAuthProvider(
+    OAuthAuthorizationServerProvider[
+        SupabaseAuthorizationCode, SupabaseRefreshToken, SupabaseAccessToken
+    ]
+):
+    """OAuth provider that integrates with Supabase Auth.
+
+    This provider uses Supabase as the authentication backend while
+    maintaining compatibility with MCP's OAuth requirements.
+    """
+
+    def __init__(
+        self,
+        supabase_url: str,
+        supabase_anon_key: str,
+        supabase_service_key: Optional[str] = None,
+        issuer_url: str = "http://localhost:8000",
+    ):
+        self.supabase_url = supabase_url.rstrip("/")
+        self.supabase_anon_key = supabase_anon_key
+        self.supabase_service_key = supabase_service_key or supabase_anon_key
+        self.issuer_url = issuer_url
+
+        # HTTP client for Supabase API calls
+        self.http_client = httpx.AsyncClient()
+
+        # Temporary storage for auth flows (in production, use Supabase DB)
+        self.pending_auth_codes: Dict[str, SupabaseAuthorizationCode] = {}
+        self.mcp_to_supabase_tokens: Dict[str, Dict[str, Any]] = {}
+
+    async def get_client(self, client_id: str) -> Optional[OAuthClientInformationFull]:
+        """Get a client from Supabase.
+
+        In production, this would query a clients table in Supabase.
+        """
+        # For now, we'll validate against a configured list of allowed clients
+        # In production, query Supabase DB for client info
+        allowed_clients = os.getenv("SUPABASE_ALLOWED_CLIENTS", "").split(",")
+
+        if client_id in allowed_clients:
+            return OAuthClientInformationFull(
+                client_id=client_id,
+                client_secret="",  # Supabase handles secrets
+                redirect_uris=[],  # Supabase handles redirect URIs
+            )
+
+        return None
+
+    async def register_client(self, client_info: OAuthClientInformationFull) -> None:
+        """Register a new OAuth client in Supabase.
+
+        In production, this would insert into a clients table.
+        """
+        # For development, we just log the registration
+        logger.info(f"Would register client {client_info.client_id} in Supabase")
+
+        # In production:
+        # await self.supabase.table('oauth_clients').insert({
+        #     'client_id': client_info.client_id,
+        #     'client_secret': client_info.client_secret,
+        #     'metadata': client_info.client_metadata,
+        # }).execute()
+
+    async def authorize(
+        self, client: OAuthClientInformationFull, params: AuthorizationParams
+    ) -> str:
+        """Create authorization URL redirecting to Supabase Auth.
+
+        This initiates the OAuth flow with Supabase as the identity provider.
+        """
+        # Generate state for this auth request
+        state = secrets.token_urlsafe(32)
+
+        # Store the authorization request
+        self.pending_auth_codes[state] = SupabaseAuthorizationCode(
+            code=state,
+            scopes=params.scopes or [],
+            expires_at=(datetime.utcnow() + timedelta(minutes=10)).timestamp(),
+            client_id=client.client_id,
+            code_challenge=params.code_challenge,
+            redirect_uri=params.redirect_uri,
+            redirect_uri_provided_explicitly=params.redirect_uri_provided_explicitly,
+        )
+
+        # Build Supabase auth URL
+        auth_params = {
+            "redirect_to": f"{self.issuer_url}/auth/callback",
+            "scopes": " ".join(params.scopes or ["openid", "email"]),
+            "state": state,
+        }
+
+        # Use Supabase's OAuth endpoint
+        auth_url = f"{self.supabase_url}/auth/v1/authorize"
+        query_string = "&".join(f"{k}={v}" for k, v in auth_params.items())
+
+        return f"{auth_url}?{query_string}"
+
+    async def handle_supabase_callback(self, code: str, state: str) -> str:
+        """Handle callback from Supabase after user authentication."""
+        # Get the original auth request
+        auth_request = self.pending_auth_codes.get(state)
+        if not auth_request:
+            raise AuthorizeError(
+                error="invalid_request",
+                error_description="Invalid state parameter",
+            )
+
+        # Exchange code with Supabase for tokens
+        token_response = await self.http_client.post(
+            f"{self.supabase_url}/auth/v1/token",
+            json={
+                "grant_type": "authorization_code",
+                "code": code,
+                "redirect_uri": f"{self.issuer_url}/auth/callback",
+            },
+            headers={
+                "apikey": self.supabase_anon_key,
+                "Authorization": f"Bearer {self.supabase_anon_key}",
+            },
+        )
+
+        if not token_response.is_success:
+            raise AuthorizeError(
+                error="server_error",
+                error_description="Failed to exchange code with Supabase",
+            )
+
+        supabase_tokens = token_response.json()
+
+        # Get user info from Supabase
+        user_response = await self.http_client.get(
+            f"{self.supabase_url}/auth/v1/user",
+            headers={
+                "apikey": self.supabase_anon_key,
+                "Authorization": f"Bearer {supabase_tokens['access_token']}",
+            },
+        )
+
+        user_data = user_response.json() if user_response.is_success else {}
+
+        # Generate MCP authorization code
+        mcp_code = secrets.token_urlsafe(32)
+
+        # Update auth request with user info
+        auth_request.code = mcp_code
+        auth_request.user_id = user_data.get("id")
+        auth_request.email = user_data.get("email")
+
+        # Store mapping
+        self.pending_auth_codes[mcp_code] = auth_request
+        self.mcp_to_supabase_tokens[mcp_code] = {
+            "supabase_tokens": supabase_tokens,
+            "user": user_data,
+        }
+
+        # Clean up old state
+        del self.pending_auth_codes[state]
+
+        # Redirect back to client
+        redirect_uri = str(auth_request.redirect_uri)
+        separator = "&" if "?" in redirect_uri else "?"
+
+        return f"{redirect_uri}{separator}code={mcp_code}&state={state}"
+
+    async def load_authorization_code(
+        self, client: OAuthClientInformationFull, authorization_code: str
+    ) -> Optional[SupabaseAuthorizationCode]:
+        """Load an authorization code."""
+        code = self.pending_auth_codes.get(authorization_code)
+
+        if code and code.client_id == client.client_id:
+            # Check expiration
+            if datetime.utcnow().timestamp() > code.expires_at:
+                del self.pending_auth_codes[authorization_code]
+                return None
+            return code
+
+        return None
+
+    async def exchange_authorization_code(
+        self, client: OAuthClientInformationFull, authorization_code: SupabaseAuthorizationCode
+    ) -> OAuthToken:
+        """Exchange authorization code for tokens."""
+        # Get stored Supabase tokens
+        token_data = self.mcp_to_supabase_tokens.get(authorization_code.code)
+        if not token_data:
+            raise TokenError(error="invalid_grant", error_description="Invalid authorization code")
+
+        supabase_tokens = token_data["supabase_tokens"]
+        user = token_data["user"]
+
+        # Generate MCP tokens that wrap Supabase tokens
+        access_token = self._generate_mcp_token(
+            client_id=client.client_id,
+            user_id=user.get("id", ""),
+            email=user.get("email", ""),
+            scopes=authorization_code.scopes,
+            supabase_access_token=supabase_tokens["access_token"],
+        )
+
+        refresh_token = secrets.token_urlsafe(32)
+
+        # Store the token mapping
+        self.mcp_to_supabase_tokens[access_token] = {
+            "client_id": client.client_id,
+            "user_id": user.get("id"),
+            "email": user.get("email"),
+            "supabase_access_token": supabase_tokens["access_token"],
+            "supabase_refresh_token": supabase_tokens["refresh_token"],
+            "scopes": authorization_code.scopes,
+        }
+
+        # Store refresh token mapping
+        self.mcp_to_supabase_tokens[refresh_token] = {
+            "client_id": client.client_id,
+            "user_id": user.get("id"),
+            "supabase_refresh_token": supabase_tokens["refresh_token"],
+            "scopes": authorization_code.scopes,
+        }
+
+        # Clean up authorization code
+        del self.pending_auth_codes[authorization_code.code]
+        del self.mcp_to_supabase_tokens[authorization_code.code]
+
+        return OAuthToken(
+            access_token=access_token,
+            token_type="bearer",
+            expires_in=supabase_tokens.get("expires_in", 3600),
+            refresh_token=refresh_token,
+            scope=" ".join(authorization_code.scopes) if authorization_code.scopes else None,
+        )
+
+    async def load_refresh_token(
+        self, client: OAuthClientInformationFull, refresh_token: str
+    ) -> Optional[SupabaseRefreshToken]:
+        """Load a refresh token."""
+        token_data = self.mcp_to_supabase_tokens.get(refresh_token)
+
+        if token_data and token_data["client_id"] == client.client_id:
+            return SupabaseRefreshToken(
+                token=refresh_token,
+                client_id=client.client_id,
+                scopes=token_data["scopes"],
+                supabase_refresh_token=token_data["supabase_refresh_token"],
+                user_id=token_data.get("user_id"),
+            )
+
+        return None
+
+    async def exchange_refresh_token(
+        self,
+        client: OAuthClientInformationFull,
+        refresh_token: SupabaseRefreshToken,
+        scopes: list[str],
+    ) -> OAuthToken:
+        """Exchange refresh token for new tokens using Supabase."""
+        # Refresh with Supabase
+        token_response = await self.http_client.post(
+            f"{self.supabase_url}/auth/v1/token",
+            json={
+                "grant_type": "refresh_token",
+                "refresh_token": refresh_token.supabase_refresh_token,
+            },
+            headers={
+                "apikey": self.supabase_anon_key,
+                "Authorization": f"Bearer {self.supabase_anon_key}",
+            },
+        )
+
+        if not token_response.is_success:
+            raise TokenError(
+                error="invalid_grant",
+                error_description="Failed to refresh with Supabase",
+            )
+
+        supabase_tokens = token_response.json()
+
+        # Get updated user info
+        user_response = await self.http_client.get(
+            f"{self.supabase_url}/auth/v1/user",
+            headers={
+                "apikey": self.supabase_anon_key,
+                "Authorization": f"Bearer {supabase_tokens['access_token']}",
+            },
+        )
+
+        user_data = user_response.json() if user_response.is_success else {}
+
+        # Generate new MCP tokens
+        new_access_token = self._generate_mcp_token(
+            client_id=client.client_id,
+            user_id=user_data.get("id", ""),
+            email=user_data.get("email", ""),
+            scopes=scopes or refresh_token.scopes,
+            supabase_access_token=supabase_tokens["access_token"],
+        )
+
+        new_refresh_token = secrets.token_urlsafe(32)
+
+        # Update token mappings
+        self.mcp_to_supabase_tokens[new_access_token] = {
+            "client_id": client.client_id,
+            "user_id": user_data.get("id"),
+            "email": user_data.get("email"),
+            "supabase_access_token": supabase_tokens["access_token"],
+            "supabase_refresh_token": supabase_tokens["refresh_token"],
+            "scopes": scopes or refresh_token.scopes,
+        }
+
+        self.mcp_to_supabase_tokens[new_refresh_token] = {
+            "client_id": client.client_id,
+            "user_id": user_data.get("id"),
+            "supabase_refresh_token": supabase_tokens["refresh_token"],
+            "scopes": scopes or refresh_token.scopes,
+        }
+
+        # Clean up old tokens
+        del self.mcp_to_supabase_tokens[refresh_token.token]
+
+        return OAuthToken(
+            access_token=new_access_token,
+            token_type="bearer",
+            expires_in=supabase_tokens.get("expires_in", 3600),
+            refresh_token=new_refresh_token,
+            scope=" ".join(scopes or refresh_token.scopes),
+        )
+
+    async def load_access_token(self, token: str) -> Optional[SupabaseAccessToken]:
+        """Load and validate an access token."""
+        # First check our mapping
+        token_data = self.mcp_to_supabase_tokens.get(token)
+        if token_data:
+            return SupabaseAccessToken(
+                token=token,
+                client_id=token_data["client_id"],
+                scopes=token_data["scopes"],
+                supabase_access_token=token_data.get("supabase_access_token"),
+                user_id=token_data.get("user_id"),
+                email=token_data.get("email"),
+            )
+
+        # Try to decode as JWT
+        try:
+            # Verify with Supabase's JWT secret
+            payload = jwt.decode(
+                token,
+                os.getenv("SUPABASE_JWT_SECRET", ""),
+                algorithms=["HS256"],
+                audience="authenticated",
+            )
+
+            return SupabaseAccessToken(
+                token=token,
+                client_id=payload.get("client_id", ""),
+                scopes=payload.get("scopes", []),
+                user_id=payload.get("sub"),
+                email=payload.get("email"),
+            )
+        except jwt.InvalidTokenError:
+            pass
+
+        # Validate with Supabase
+        user_response = await self.http_client.get(
+            f"{self.supabase_url}/auth/v1/user",
+            headers={
+                "apikey": self.supabase_anon_key,
+                "Authorization": f"Bearer {token}",
+            },
+        )
+
+        if user_response.is_success:
+            user_data = user_response.json()
+            return SupabaseAccessToken(
+                token=token,
+                client_id="",  # Unknown client for direct Supabase tokens
+                scopes=[],
+                supabase_access_token=token,
+                user_id=user_data.get("id"),
+                email=user_data.get("email"),
+            )
+
+        return None
+
+    async def revoke_token(self, token: SupabaseAccessToken | SupabaseRefreshToken) -> None:
+        """Revoke a token."""
+        # Remove from our mapping
+        self.mcp_to_supabase_tokens.pop(token.token, None)
+
+        # In production, also revoke in Supabase:
+        # await self.supabase.auth.admin.sign_out(token.user_id)
+
+    def _generate_mcp_token(
+        self,
+        client_id: str,
+        user_id: str,
+        email: str,
+        scopes: list[str],
+        supabase_access_token: str,
+    ) -> str:
+        """Generate an MCP token that wraps Supabase authentication."""
+        payload = {
+            "iss": self.issuer_url,
+            "sub": user_id,
+            "client_id": client_id,
+            "email": email,
+            "scopes": scopes,
+            "supabase_token": supabase_access_token[:10] + "...",  # Reference only
+            "exp": datetime.utcnow() + timedelta(hours=1),
+            "iat": datetime.utcnow(),
+        }
+
+        # Use Supabase JWT secret if available
+        secret = os.getenv("SUPABASE_JWT_SECRET", secrets.token_urlsafe(32))
+
+        return jwt.encode(payload, secret, algorithm="HS256")

basic_memory/mcp/tools/__init__.py

@@ -11,17 +11,41 @@ from basic_memory.mcp.tools.read_content import read_content
 from basic_memory.mcp.tools.build_context import build_context
 from basic_memory.mcp.tools.recent_activity import recent_activity
 from basic_memory.mcp.tools.read_note import read_note
+from basic_memory.mcp.tools.view_note import view_note
 from basic_memory.mcp.tools.write_note import write_note
 from basic_memory.mcp.tools.search import search_notes
 from basic_memory.mcp.tools.canvas import canvas
+from basic_memory.mcp.tools.list_directory import list_directory
+from basic_memory.mcp.tools.edit_note import edit_note
+from basic_memory.mcp.tools.move_note import move_note
+from basic_memory.mcp.tools.sync_status import sync_status
+from basic_memory.mcp.tools.project_management import (
+    list_projects,
+    switch_project,
+    get_current_project,
+    set_default_project,
+    create_project,
+    delete_project,
+)
 
 __all__ = [
     "build_context",
     "canvas",
+    "create_project",
     "delete_note",
+    "delete_project",
+    "edit_note",
+    "get_current_project",
+    "list_directory",
+    "list_projects",
+    "move_note",
     "read_content",
     "read_note",
     "recent_activity",
     "search_notes",
+    "set_default_project",
+    "switch_project",
+    "sync_status",
+    "view_note",
     "write_note",
 ]

basic_memory/mcp/tools/build_context.py

@@ -7,12 +7,12 @@ from loguru import logger
 from basic_memory.mcp.async_client import client
 from basic_memory.mcp.server import mcp
 from basic_memory.mcp.tools.utils import call_get
+from basic_memory.mcp.project_session import get_active_project
 from basic_memory.schemas.base import TimeFrame
 from basic_memory.schemas.memory import (
     GraphContext,
     MemoryUrl,
     memory_url_path,
-    normalize_memory_url,
 )
 
 
@@ -20,12 +20,17 @@ from basic_memory.schemas.memory import (
     description="""Build context from a memory:// URI to continue conversations naturally.
     
     Use this to follow up on previous discussions or explore related topics.
+    
+    Memory URL Format:
+    - Use paths like "folder/note" or "memory://folder/note" 
+    - Pattern matching: "folder/*" matches all notes in folder
+    - Valid characters: letters, numbers, hyphens, underscores, forward slashes
+    - Avoid: double slashes (//), angle brackets (<>), quotes, pipes (|)
+    - Examples: "specs/search", "projects/basic-memory", "notes/*"
+    
     Timeframes support natural language like:
-    - "2 days ago"
-    - "last week" 
-    - "today"
-    - "3 months ago"
-    Or standard formats like "7d", "24h"
+    - "2 days ago", "last week", "today", "3 months ago"
+    - Or standard formats like "7d", "24h"
     """,
 )
 async def build_context(
@@ -35,6 +40,7 @@ async def build_context(
     page: int = 1,
     page_size: int = 10,
     max_related: int = 10,
+    project: Optional[str] = None,
 ) -> GraphContext:
     """Get context needed to continue a discussion.
 
@@ -49,6 +55,7 @@ async def build_context(
         page: Page number of results to return (default: 1)
         page_size: Number of results to return per page (default: 10)
         max_related: Maximum number of related results to return (default: 10)
+        project: Optional project name to build context from. If not provided, uses current active project.
 
     Returns:
         GraphContext containing:
@@ -68,12 +75,40 @@ async def build_context(
 
         # Research the history of a feature
         build_context("memory://features/knowledge-graph", timeframe="3 months ago")
+
+        # Build context from specific project
+        build_context("memory://specs/search", project="work-project")
     """
     logger.info(f"Building context from {url}")
-    url = normalize_memory_url(url)
+    # URL is already validated and normalized by MemoryUrl type annotation
+
+    # Check migration status and wait briefly if needed
+    from basic_memory.mcp.tools.utils import wait_for_migration_or_return_status
+
+    migration_status = await wait_for_migration_or_return_status(timeout=5.0)
+    if migration_status:  # pragma: no cover
+        # Return a proper GraphContext with status message
+        from basic_memory.schemas.memory import MemoryMetadata
+        from datetime import datetime
+
+        return GraphContext(
+            results=[],
+            metadata=MemoryMetadata(
+                depth=depth or 1,
+                timeframe=timeframe,
+                generated_at=datetime.now(),
+                primary_count=0,
+                related_count=0,
+                uri=migration_status,  # Include status in metadata
+            ),
+        )
+
+    active_project = get_active_project(project)
+    project_url = active_project.project_url
+
     response = await call_get(
         client,
-        f"/memory/{memory_url_path(url)}",
+        f"{project_url}/memory/{memory_url_path(url)}",
         params={
             "depth": depth,
             "timeframe": timeframe,

basic_memory/mcp/tools/canvas.py

@@ -4,13 +4,14 @@ This tool creates Obsidian canvas files (.canvas) using the JSON Canvas 1.0 spec
 """
 
 import json
-from typing import Dict, List, Any
+from typing import Dict, List, Any, Optional
 
 from loguru import logger
 
 from basic_memory.mcp.async_client import client
 from basic_memory.mcp.server import mcp
 from basic_memory.mcp.tools.utils import call_put
+from basic_memory.mcp.project_session import get_active_project
 
 
 @mcp.tool(
@@ -21,6 +22,7 @@ async def canvas(
     edges: List[Dict[str, Any]],
     title: str,
     folder: str,
+    project: Optional[str] = None,
 ) -> str:
     """Create an Obsidian canvas file with the provided nodes and edges.
 
@@ -33,7 +35,9 @@ async def canvas(
         nodes: List of node objects following JSON Canvas 1.0 spec
         edges: List of edge objects following JSON Canvas 1.0 spec
         title: The title of the canvas (will be saved as title.canvas)
-        folder: The folder where the file should be saved
+        folder: Folder path relative to project root where the canvas should be saved.
+                Use forward slashes (/) as separators. Examples: "diagrams", "projects/2025", "visual/maps"
+        project: Optional project name to create canvas in. If not provided, uses current active project.
 
     Returns:
         A summary of the created canvas file
@@ -71,7 +75,17 @@ async def canvas(
       ]
     }
     ```
+
+    Examples:
+        # Create canvas in current project
+        canvas(nodes=[...], edges=[...], title="My Canvas", folder="diagrams")
+
+        # Create canvas in specific project
+        canvas(nodes=[...], edges=[...], title="My Canvas", folder="diagrams", project="work-project")
     """
+    active_project = get_active_project(project)
+    project_url = active_project.project_url
+
     # Ensure path has .canvas extension
     file_title = title if title.endswith(".canvas") else f"{title}.canvas"
     file_path = f"{folder}/{file_title}"
@@ -84,7 +98,7 @@ async def canvas(
 
     # Write the file using the resource API
     logger.info(f"Creating canvas file: {file_path}")
-    response = await call_put(client, f"/resource/{file_path}", json=canvas_json)
+    response = await call_put(client, f"{project_url}/resource/{file_path}", json=canvas_json)
 
     # Parse response
     result = response.json()