ccproxy-api 0.1.1__py3-none-any.whl → 0.1.3__py3-none-any.whl

ccproxy/api/routes/mcp.py

@@ -0,0 +1,171 @@
+"""MCP (Model Context Protocol) server for CCProxy API Server.
+
+Provides MCP server functionality including permission checking tools.
+"""
+
+from typing import Annotated
+
+from fastapi import FastAPI
+from fastapi_mcp import FastApiMCP  # type: ignore[import-untyped]
+from pydantic import BaseModel, ConfigDict, Field
+from structlog import get_logger
+
+from ccproxy.api.dependencies import SettingsDep
+from ccproxy.api.services.permission_service import get_permission_service
+from ccproxy.models.permissions import PermissionStatus
+from ccproxy.models.responses import (
+    PermissionToolAllowResponse,
+    PermissionToolDenyResponse,
+    PermissionToolPendingResponse,
+)
+
+
+logger = get_logger(__name__)
+
+
+class PermissionCheckRequest(BaseModel):
+    """Request model for permission checking."""
+
+    tool_name: Annotated[
+        str, Field(description="Name of the tool to check permissions for")
+    ]
+    input: Annotated[dict[str, str], Field(description="Input parameters for the tool")]
+    tool_use_id: Annotated[
+        str | None,
+        Field(
+            description="Id of the tool execution",
+        ),
+    ] = None
+    permission_id: Annotated[
+        str | None,
+        Field(
+            description="ID of a previous permission request for retry",
+            alias="permissionId",
+        ),
+    ] = None
+
+    model_config = ConfigDict(populate_by_name=True)
+
+
+async def check_permission(
+    request: PermissionCheckRequest,
+    settings: SettingsDep,
+) -> (
+    PermissionToolAllowResponse
+    | PermissionToolDenyResponse
+    | PermissionToolPendingResponse
+):
+    """Check permissions for a tool call.
+
+    This implements the same security logic as the CLI permission tool,
+    checking for dangerous patterns and restricted tools.
+    """
+    logger.info(
+        "permission_check",
+        tool_name=request.tool_name,
+        retry=request.permission_id is not None,
+    )
+
+    permission_service = get_permission_service()
+
+    if request.permission_id:
+        status = await permission_service.get_status(request.permission_id)
+
+        if status == PermissionStatus.ALLOWED:
+            return PermissionToolAllowResponse(updated_input=request.input)
+
+        elif status == PermissionStatus.DENIED:
+            return PermissionToolDenyResponse(message="User denied the operation")
+
+        elif status == PermissionStatus.EXPIRED:
+            return PermissionToolDenyResponse(message="Permission request expired")
+
+    logger.info(
+        "permission_requires_authorization",
+        tool_name=request.tool_name,
+    )
+
+    permission_id = await permission_service.request_permission(
+        tool_name=request.tool_name,
+        input=request.input,
+    )
+
+    # Wait for permission to be resolved
+    try:
+        final_status = await permission_service.wait_for_permission(
+            permission_id,
+            timeout_seconds=settings.security.confirmation_timeout_seconds,
+        )
+
+        if final_status == PermissionStatus.ALLOWED:
+            logger.info(
+                "permission_allowed_after_authorization",
+                tool_name=request.tool_name,
+                permission_id=permission_id,
+            )
+            return PermissionToolAllowResponse(updated_input=request.input)
+        else:
+            logger.info(
+                "permission_denied_after_authorization",
+                tool_name=request.tool_name,
+                permission_id=permission_id,
+                status=final_status.value,
+            )
+            return PermissionToolDenyResponse(
+                message=f"User denied the operation (status: {final_status.value})"
+            )
+
+    except TimeoutError:
+        logger.warning(
+            "permission_authorization_timeout",
+            tool_name=request.tool_name,
+            permission_id=permission_id,
+            timeout_seconds=settings.security.confirmation_timeout_seconds,
+        )
+        return PermissionToolDenyResponse(message="Permission request timed out")
+
+
+def setup_mcp(app: FastAPI) -> None:
+    """Set up MCP server on the given FastAPI app.
+
+    Args:
+        app: The FastAPI application to mount MCP on
+    """
+    # Minimal MCP sub-app without middleware or docs
+    mcp_app = FastAPI(
+        title="CCProxy MCP Server",
+        description="MCP server for Claude Code permission checking",
+        openapi_url=None,
+        docs_url=None,
+        redoc_url=None,
+    )
+
+    @mcp_app.post(
+        "/permission/check",
+        operation_id="check_permission",
+        summary="Check permissions for a tool call",
+        description="Validates whether a tool call should be allowed based on security rules",
+        response_model=PermissionToolAllowResponse
+        | PermissionToolDenyResponse
+        | PermissionToolPendingResponse,
+        tags=["mcp-tools"],
+    )
+    async def permission_endpoint(
+        request: PermissionCheckRequest,
+        settings: SettingsDep,
+    ) -> (
+        PermissionToolAllowResponse
+        | PermissionToolDenyResponse
+        | PermissionToolPendingResponse
+    ):
+        """Check permissions for a tool call."""
+        return await check_permission(request, settings)
+
+    mcp = FastApiMCP(
+        mcp_app,
+        name="CCProxy MCP Server",
+        description="MCP server for Claude Code permission checking",
+        include_operations=["check_permission"],
+    )
+
+    mcp.mount(app, mount_path="/mcp")

ccproxy/api/routes/metrics.py

@@ -2,16 +2,15 @@
 
 import time
 from datetime import datetime as dt
-from typing import Any, Optional, cast
+from typing import Any, cast
 
-from fastapi import APIRouter, Depends, HTTPException, Query, Request, Response
+from fastapi import APIRouter, HTTPException, Query, Request, Response
 from fastapi.responses import FileResponse, HTMLResponse, StreamingResponse
 from sqlmodel import Session, col, desc, func, select
 from typing_extensions import TypedDict
 
 from ccproxy.api.dependencies import (
     DuckDBStorageDep,
-    LogStorageDep,
     ObservabilityMetricsDep,
     SettingsDep,
 )
@@ -84,12 +83,9 @@ class AnalyticsResult(TypedDict):
 
 # Create separate routers for different concerns
 prometheus_router = APIRouter(tags=["metrics"])
-logs_router = APIRouter(prefix="/logs", tags=["logs"])
+logs_router = APIRouter(tags=["logs"])
 dashboard_router = APIRouter(tags=["dashboard"])
 
-# Backward compatibility - keep the old router name pointing to logs for now
-router = logs_router
-
 
 @logs_router.get("/status")
 async def logs_status(metrics: ObservabilityMetricsDep) -> dict[str, str]:
@@ -200,7 +196,7 @@ async def get_prometheus_metrics(metrics: ObservabilityMetricsDep) -> Response:
             )
 
         # Generate prometheus format using the registry
-        from prometheus_client import REGISTRY, CollectorRegistry
+        from prometheus_client import REGISTRY
 
         # Use the global registry if metrics.registry is None (default behavior)
         registry = metrics.registry if metrics.registry is not None else REGISTRY

ccproxy/api/routes/permissions.py

@@ -0,0 +1,217 @@
+"""API routes for permission request handling via SSE and REST."""
+
+import asyncio
+import json
+from collections.abc import AsyncGenerator
+
+from fastapi import APIRouter, HTTPException, Request
+from pydantic import BaseModel
+from sse_starlette.sse import EventSourceResponse
+from structlog import get_logger
+
+from ccproxy.api.dependencies import SettingsDep
+from ccproxy.api.services.permission_service import get_permission_service
+from ccproxy.auth.conditional import ConditionalAuthDep
+from ccproxy.core.errors import (
+    PermissionAlreadyResolvedError,
+    PermissionNotFoundError,
+)
+from ccproxy.models.permissions import EventType, PermissionEvent, PermissionStatus
+
+
+logger = get_logger(__name__)
+
+
+router = APIRouter(tags=["permissions"])
+
+
+class PermissionResponse(BaseModel):
+    """Response to a permission request."""
+
+    allowed: bool
+
+
+class PermissionRequestInfo(BaseModel):
+    """Information about a permission request."""
+
+    request_id: str
+    tool_name: str
+    input: dict[str, str]
+    status: str
+    created_at: str
+    expires_at: str
+    time_remaining: int
+
+
+async def event_generator(
+    request: Request,
+) -> AsyncGenerator[dict[str, str], None]:
+    """Generate SSE events for permission requests.
+
+    Args:
+        request: The FastAPI request object
+
+    Yields:
+        Dict with event data for SSE
+    """
+    service = get_permission_service()
+    queue = await service.subscribe_to_events()
+
+    try:
+        yield {
+            "event": "ping",
+            "data": json.dumps({"message": "Connected to permission stream"}),
+        }
+
+        # Send all pending permission requests to the newly connected client
+        pending_requests = await service.get_pending_requests()
+        for pending_req in pending_requests:
+            event = PermissionEvent(
+                type=EventType.PERMISSION_REQUEST,
+                request_id=pending_req.id,
+                tool_name=pending_req.tool_name,
+                input=pending_req.input,
+                created_at=pending_req.created_at.isoformat(),
+                expires_at=pending_req.expires_at.isoformat(),
+                timeout_seconds=int(
+                    (pending_req.expires_at - pending_req.created_at).total_seconds()
+                ),
+            )
+            yield {
+                "event": EventType.PERMISSION_REQUEST.value,
+                "data": json.dumps(event.model_dump(mode="json")),
+            }
+
+        while not await request.is_disconnected():
+            try:
+                event_data = await asyncio.wait_for(queue.get(), timeout=30.0)
+
+                yield {
+                    "event": event_data.get("type", "message"),
+                    "data": json.dumps(event_data),
+                }
+
+            except TimeoutError:
+                yield {
+                    "event": "ping",
+                    "data": json.dumps({"message": "keepalive"}),
+                }
+
+    except asyncio.CancelledError:
+        pass
+    finally:
+        await service.unsubscribe_from_events(queue)
+
+
+@router.get("/stream")
+async def stream_permissions(
+    request: Request,
+    settings: SettingsDep,
+    auth: ConditionalAuthDep,
+) -> EventSourceResponse:
+    """Stream permission requests via Server-Sent Events.
+
+    This endpoint streams new permission requests as they are created,
+    allowing external tools to handle user permissions.
+
+    Returns:
+        EventSourceResponse streaming permission events
+    """
+    return EventSourceResponse(
+        event_generator(request),
+        headers={
+            "Cache-Control": "no-cache",
+            "X-Accel-Buffering": "no",  # Disable nginx buffering
+        },
+    )
+
+
+@router.get("/{permission_id}")
+async def get_permission(
+    permission_id: str,
+    settings: SettingsDep,
+    auth: ConditionalAuthDep,
+) -> PermissionRequestInfo:
+    """Get information about a specific permission request.
+
+    Args:
+        permission_id: ID of the permission request
+
+    Returns:
+        Information about the permission request
+
+    Raises:
+        HTTPException: If request not found
+    """
+    service = get_permission_service()
+    try:
+        request = await service.get_request(permission_id)
+        if not request:
+            raise PermissionNotFoundError(permission_id)
+    except PermissionNotFoundError as e:
+        raise HTTPException(
+            status_code=404, detail="Permission request not found"
+        ) from e
+
+    return PermissionRequestInfo(
+        request_id=request.id,
+        tool_name=request.tool_name,
+        input=request.input,
+        status=request.status.value,
+        created_at=request.created_at.isoformat(),
+        expires_at=request.expires_at.isoformat(),
+        time_remaining=request.time_remaining(),
+    )
+
+
+@router.post("/{permission_id}/respond")
+async def respond_to_permission(
+    permission_id: str,
+    response: PermissionResponse,
+    settings: SettingsDep,
+    auth: ConditionalAuthDep,
+) -> dict[str, str | bool]:
+    """Submit a response to a permission request.
+
+    Args:
+        permission_id: ID of the permission request
+        response: The allow/deny response
+
+    Returns:
+        Success response
+
+    Raises:
+        HTTPException: If request not found or already resolved
+    """
+    service = get_permission_service()
+    status = await service.get_status(permission_id)
+    if status is None:
+        raise HTTPException(status_code=404, detail="Permission request not found")
+
+    if status != PermissionStatus.PENDING:
+        try:
+            raise PermissionAlreadyResolvedError(permission_id, status.value)
+        except PermissionAlreadyResolvedError as e:
+            raise HTTPException(
+                status_code=e.status_code,
+                detail=e.message,
+            ) from e
+
+    success = await service.resolve(permission_id, response.allowed)
+
+    if not success:
+        raise HTTPException(
+            status_code=409, detail="Failed to resolve permission request"
+        )
+
+    logger.info(
+        "permission_resolved_via_api",
+        permission_id=permission_id,
+        allowed=response.allowed,
+    )
+
+    return {
+        "status": "success",
+        "permission_id": permission_id,
+        "allowed": response.allowed,
+    }

ccproxy/api/routes/proxy.py

@@ -2,17 +2,14 @@
 
 import json
 from collections.abc import AsyncIterator
-from typing import Any
 
 from fastapi import APIRouter, HTTPException, Request, Response
 from fastapi.responses import StreamingResponse
-from starlette.background import BackgroundTask
 
 from ccproxy.adapters.openai.adapter import OpenAIAdapter
 from ccproxy.api.dependencies import ProxyServiceDep
 from ccproxy.api.responses import ProxyResponse
 from ccproxy.auth.conditional import ConditionalAuthDep
-from ccproxy.core.errors import ProxyHTTPException
 
 
 # Create the router for proxy endpoints
@@ -193,53 +190,3 @@ async def create_anthropic_message(
         raise HTTPException(
             status_code=500, detail=f"Internal server error: {str(e)}"
         ) from e
-
-
-@router.get("/v1/models", response_model=None)
-async def list_models(
-    request: Request,
-    proxy_service: ProxyServiceDep,
-    auth: ConditionalAuthDep,
-) -> Response:
-    """List available models using the proxy service.
-
-    Returns a combined list of Anthropic models and recent OpenAI models.
-    """
-    try:
-        # Get headers
-        headers = dict(request.headers)
-
-        # Handle the request using proxy service
-        response = await proxy_service.handle_request(
-            method="GET",
-            path="/v1/models",
-            headers=headers,
-            body=None,
-            request=request,
-        )
-
-        # Since /v1/models never streams, we know it returns a tuple
-        if isinstance(response, tuple):
-            status_code, response_headers, response_body = response
-        else:
-            # This shouldn't happen for /v1/models, but handle it gracefully
-            raise HTTPException(
-                status_code=500,
-                detail="Unexpected streaming response for /v1/models endpoint",
-            )
-
-        # Return response with headers
-        return ProxyResponse(
-            content=response_body,
-            status_code=status_code,
-            headers=response_headers,
-            media_type=response_headers.get("content-type", "application/json"),
-        )
-
-    except HTTPException:
-        # Re-raise HTTPException as-is (including 401 auth errors)
-        raise
-    except Exception as e:
-        raise HTTPException(
-            status_code=500, detail=f"Internal server error: {str(e)}"
-        ) from e

ccproxy/api/services/__init__.py

@@ -0,0 +1,6 @@
+"""Services for CCProxy API."""
+
+from .permission_service import PermissionService, get_permission_service
+
+
+__all__ = ["PermissionService", "get_permission_service"]