open-edison 0.1.44__py3-none-any.whl → 0.1.72rc1__py3-none-any.whl

src/permissions.py

@@ -7,6 +7,7 @@ Reads tool, resource, and prompt permission files and provides a singleton inter
 
 import json
 from dataclasses import dataclass
+from functools import cache
 from pathlib import Path
 from typing import Any
 
@@ -52,6 +53,9 @@ class ResourcePermission:
     write_operation: bool = False
     read_private_data: bool = False
     read_untrusted_public_data: bool = False
+    acl: str = "PUBLIC"
+    # Optional metadata fields (ignored by enforcement but accepted from JSON)
+    description: str | None = None
 
 
 @dataclass
@@ -158,6 +162,12 @@ class Permissions:
             )
 
     @classmethod
+    def clear_permissions_file_cache(cls) -> None:
+        """Clear the cache for the JSON permissions files"""
+        cls._load_permission_file.cache_clear()
+
+    @classmethod
+    @cache
     def _load_permission_file(
         cls,
         file_path: Path,
@@ -171,7 +181,23 @@ class Permissions:
         metadata: PermissionsMetadata | None = None
 
         if not file_path.exists():
-            raise PermissionsError(f"Permissions file not found at {file_path}")
+            # Bootstrap missing permissions files on first run.
+            # Prefer copying repo/package defaults (next to src/), else create minimal stub.
+            file_path.parent.mkdir(parents=True, exist_ok=True)
+
+            repo_candidate = Path(__file__).parent.parent / file_path.name
+            if repo_candidate.exists():
+                file_path.write_text(repo_candidate.read_text(encoding="utf-8"), encoding="utf-8")
+                log.info(f"Bootstrapped permissions file from defaults: {file_path}")
+            if not file_path.exists():
+                # Create minimal empty structure
+                try:
+                    file_path.write_text(json.dumps({"_metadata": {}}), encoding="utf-8")
+                    log.info(f"Created empty permissions file: {file_path}")
+                except Exception as e:
+                    raise PermissionsError(
+                        f"Unable to create permissions file at {file_path}: {e}", file_path
+                    ) from e
 
         with open(file_path) as f:
             data: dict[str, Any] = json.load(f)
@@ -203,43 +229,117 @@ class Permissions:
     def get_tool_permission(self, tool_name: str) -> ToolPermission:
         """Get permission for a specific tool"""
         if tool_name not in self.tool_permissions:
-            raise PermissionsError(f"Tool '{tool_name}' not found in permissions")
+            if tool_name.startswith("builtin_"):
+                log.info(
+                    f"Tool '{tool_name}' not found; returning builtin safe default (enabled, 0 risk)"
+                )
+                return ToolPermission(
+                    enabled=True,
+                    write_operation=False,
+                    read_private_data=False,
+                    read_untrusted_public_data=False,
+                    acl="PUBLIC",
+                )
+            log.warning(
+                f"Tool '{tool_name}' not found in permissions; returning enabled full-trifecta default"
+            )
+            return ToolPermission(
+                enabled=True,
+                write_operation=True,
+                read_private_data=True,
+                read_untrusted_public_data=True,
+                acl="SECRET",
+            )
         return self.tool_permissions[tool_name]
 
     def get_resource_permission(self, resource_name: str) -> ResourcePermission:
         """Get permission for a specific resource"""
         if resource_name not in self.resource_permissions:
-            raise PermissionsError(f"Resource '{resource_name}' not found in permissions")
+            if resource_name.startswith("builtin_"):
+                log.info(
+                    f"Resource '{resource_name}' not found; returning builtin safe default (enabled, 0 risk)"
+                )
+                return ResourcePermission(
+                    enabled=True,
+                    write_operation=False,
+                    read_private_data=False,
+                    read_untrusted_public_data=False,
+                )
+            log.warning(
+                f"Resource '{resource_name}' not found in permissions; returning enabled full-trifecta default"
+            )
+            return ResourcePermission(
+                enabled=True,
+                write_operation=True,
+                read_private_data=True,
+                read_untrusted_public_data=True,
+            )
         return self.resource_permissions[resource_name]
 
     def get_prompt_permission(self, prompt_name: str) -> PromptPermission:
         """Get permission for a specific prompt"""
         if prompt_name not in self.prompt_permissions:
-            raise PermissionsError(f"Prompt '{prompt_name}' not found in permissions")
+            if prompt_name.startswith("builtin_"):
+                log.info(
+                    f"Prompt '{prompt_name}' not found; returning builtin safe default (enabled, 0 risk)"
+                )
+                return PromptPermission(
+                    enabled=True,
+                    write_operation=False,
+                    read_private_data=False,
+                    read_untrusted_public_data=False,
+                    acl="PUBLIC",
+                )
+            log.warning(
+                f"Prompt '{prompt_name}' not found in permissions; returning enabled full-trifecta default"
+            )
+            return PromptPermission(
+                enabled=True,
+                write_operation=True,
+                read_private_data=True,
+                read_untrusted_public_data=True,
+                acl="SECRET",
+            )
         return self.prompt_permissions[prompt_name]
 
     def is_tool_enabled(self, tool_name: str) -> bool:
         """Check if a tool is enabled
         Also checks if the server is enabled"""
         permission = self.get_tool_permission(tool_name)
-        server_name = self.server_name_from_tool_name(tool_name)
-        server_enabled = self.is_server_enabled(server_name)
+        try:
+            server_name = self.server_name_from_tool_name(tool_name)
+            server_enabled = self.is_server_enabled(server_name)
+        except PermissionsError:
+            log.warning(f"Server resolution failed for tool '{tool_name}'; treating as disabled")
+            server_enabled = False
         return permission.enabled and server_enabled
 
     def is_resource_enabled(self, resource_name: str) -> bool:
         """Check if a resource is enabled
         Also checks if the server is enabled"""
         permission = self.get_resource_permission(resource_name)
-        server_name = self.server_name_from_tool_name(resource_name)
-        server_enabled = self.is_server_enabled(server_name)
+        try:
+            server_name = self.server_name_from_tool_name(resource_name)
+            server_enabled = self.is_server_enabled(server_name)
+        except PermissionsError:
+            log.warning(
+                f"Server resolution failed for resource '{resource_name}'; treating as disabled"
+            )
+            server_enabled = False
         return permission.enabled and server_enabled
 
     def is_prompt_enabled(self, prompt_name: str) -> bool:
         """Check if a prompt is enabled
         Also checks if the server is enabled"""
         permission = self.get_prompt_permission(prompt_name)
-        server_name = self.server_name_from_tool_name(prompt_name)
-        server_enabled = self.is_server_enabled(server_name)
+        try:
+            server_name = self.server_name_from_tool_name(prompt_name)
+            server_enabled = self.is_server_enabled(server_name)
+        except PermissionsError:
+            log.warning(
+                f"Server resolution failed for prompt '{prompt_name}'; treating as disabled"
+            )
+            server_enabled = False
         return permission.enabled and server_enabled
 
     @staticmethod

src/server.py

@@ -1,12 +1,12 @@
 """
-Open Edison Server
-
-Simple FastAPI + FastMCP server for single-user MCP proxy.
-No multi-user support, no complex routing - just a straightforward proxy.
+Open Edison MCP Proxy Server
+Main server entrypoint for FastAPI and FastMCP integration.
+See README for usage and configuration details.
 """
 
 import asyncio
 import json
+import signal
 import traceback
 from collections.abc import Awaitable, Callable, Coroutine
 from contextlib import suppress
@@ -25,18 +25,24 @@ from fastapi.responses import (
 )
 from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
 from fastapi.staticfiles import StaticFiles
+from fastmcp import Client as FastMCPClient
 from fastmcp import FastMCP
 from loguru import logger as log
 from pydantic import BaseModel, Field
 
 from src import events
-from src.config import Config, MCPServerConfig, clear_json_file_cache
+from src.config import Config, MCPServerConfig, clear_json_file_cache, get_config_json_path
 from src.config import get_config_dir as _get_cfg_dir  # type: ignore[attr-defined]
+from src.mcp_stdio_capture import (
+    install_stdio_client_stderr_capture as _install_stdio_capture,
+)
 from src.middleware.session_tracking import (
     MCPSessionModel,
     create_db_session,
 )
 from src.oauth_manager import OAuthStatus, get_oauth_manager
+from src.oauth_override import OpenEdisonOAuth
+from src.permissions import Permissions
 from src.single_user_mcp import SingleUserMCP
 from src.telemetry import initialize_telemetry, set_servers_installed
 
@@ -45,6 +51,9 @@ _security = HTTPBearer()
 _auth_dependency = Depends(_security)
 
 
+_install_stdio_capture()
+
+
 class OpenEdisonProxy:
     """
     Open Edison Single-User MCP Proxy Server
@@ -276,6 +285,12 @@ class OpenEdisonProxy:
                 # Clear cache for the config file, if it was config.json
                 if name == "config.json":
                     clear_json_file_cache()
+                elif name in (
+                    "tool_permissions.json",
+                    "resource_permissions.json",
+                    "prompt_permissions.json",
+                ):
+                    Permissions.clear_permissions_file_cache()
 
                 return {"status": "ok"}
             except Exception as e:  # noqa: BLE001
@@ -363,6 +378,9 @@ class OpenEdisonProxy:
         log.info(f"FastAPI management API on {self.host}:{self.port + 1}")
         log.info(f"FastMCP protocol server on {self.host}:{self.port}")
 
+        # Print location of config
+        log.info(f"Config file location: {get_config_json_path()}")
+
         initialize_telemetry()
 
         # Ensure the sessions database exists and has the required schema
@@ -397,6 +415,7 @@ class OpenEdisonProxy:
             host=self.host,
             port=self.port + 1,
             log_level=Config().logging.level.lower(),
+            timeout_graceful_shutdown=0,
         )
         fastapi_server = uvicorn.Server(fastapi_config)
         servers_to_run.append(fastapi_server.serve())
@@ -408,13 +427,27 @@ class OpenEdisonProxy:
             host=self.host,
             port=self.port,
             log_level=Config().logging.level.lower(),
+            timeout_graceful_shutdown=0,
         )
         fastmcp_server = uvicorn.Server(fastmcp_config)
         servers_to_run.append(fastmcp_server.serve())
 
         # Run both servers concurrently
         log.info("🚀 Starting both FastAPI and FastMCP servers...")
-        _ = await asyncio.gather(*servers_to_run)
+        loop = asyncio.get_running_loop()
+
+        def _trigger_shutdown(signame: str) -> None:
+            log.info(f"Received {signame}. Forcing shutdown of all servers...")
+            for srv in (fastapi_server, fastmcp_server):
+                with suppress(Exception):
+                    srv.force_exit = True  # type: ignore[attr-defined] # noqa
+                    srv.should_exit = True  # type: ignore[attr-defined] # noqa
+
+        for sig in (signal.SIGINT, signal.SIGTERM):
+            with suppress(Exception):
+                loop.add_signal_handler(sig, _trigger_shutdown, sig.name)
+
+        await asyncio.gather(*servers_to_run, return_exceptions=False)
 
     def _register_routes(self, app: FastAPI) -> None:
         """Register all routes for the FastAPI app"""
@@ -519,11 +552,8 @@ class OpenEdisonProxy:
         warms the lists to ensure subsequent list calls reflect current state.
         """
         try:
-            mcp = self.single_user_mcp
-            # Warm managers so any internal caches are refreshed
-            await mcp._tool_manager.list_tools()  # type: ignore[attr-defined]
-            await mcp._resource_manager.list_resources()  # type: ignore[attr-defined]
-            await mcp._prompt_manager.list_prompts()  # type: ignore[attr-defined]
+            clear_json_file_cache()
+            Permissions.clear_permissions_file_cache()
             return {"status": "ok"}
         except Exception as e:  # noqa: BLE001
             log.error(f"Failed to process permissions-changed: {e}")
@@ -638,14 +668,29 @@ class OpenEdisonProxy:
                 )
 
                 sessions: list[dict[str, Any]] = []
+                has_warned_about_missing_created_at = False
                 for row_model in results:
                     row = cast(Any, row_model)
                     tool_calls_val = row.tool_calls
                     data_access_summary_val = row.data_access_summary
+                    created_at_val = None
+                    if isinstance(data_access_summary_val, dict):
+                        created_at_val = data_access_summary_val.get("created_at")  # type: ignore[assignment]
+                    if (
+                        created_at_val is None
+                        and isinstance(tool_calls_val, list)
+                        and tool_calls_val
+                        and not has_warned_about_missing_created_at
+                    ):
+                        has_warned_about_missing_created_at = True
+                        log.warning(
+                            "created_at is missing, will have sessions with unknown timestamps"
+                        )
                     sessions.append(
                         {
                             "session_id": row.session_id,
                             "correlation_id": row.correlation_id,
+                            "created_at": created_at_val,
                             "tool_calls": tool_calls_val
                             if isinstance(tool_calls_val, list)
                             else [],
@@ -953,12 +998,8 @@ class OpenEdisonProxy:
 
             log.info(f"🔗 Testing connection to {server_name} at {remote_url}")
 
-            # Import FastMCP client for testing
-            from fastmcp import Client as FastMCPClient
-            from fastmcp.client.auth import OAuth
-
             # Create OAuth auth object
-            oauth = OAuth(
+            oauth = OpenEdisonOAuth(
                 mcp_url=remote_url,
                 scopes=scopes,
                 client_name=client_name or "OpenEdison MCP Gateway",

src/setup_tui/main.py

@@ -1,15 +1,26 @@
 import argparse
+import asyncio
+import contextlib
+import sys
+from collections.abc import Generator
 
 import questionary
+from loguru import logger as log
 
-from src.config import MCPServerConfig
+import src.oauth_manager as oauth_mod
+from src.config import MCPServerConfig, get_config_dir
 from src.mcp_importer.api import (
     CLIENT,
+    authorize_server_oauth,
     detect_clients,
     export_edison_to,
+    has_oauth_tokens,
     import_from,
+    save_imported_servers,
     verify_mcp_server,
 )
+from src.mcp_importer.parsers import deduplicate_by_name
+from src.oauth_manager import OAuthStatus, get_oauth_manager
 
 
 def show_welcome_screen(*, dry_run: bool = False) -> None:
@@ -31,7 +42,9 @@ def show_welcome_screen(*, dry_run: bool = False) -> None:
     questionary.confirm("Ready to begin the setup process?", default=True).ask()
 
 
-def handle_mcp_source(source: CLIENT, *, dry_run: bool = False) -> list[MCPServerConfig]:
+def handle_mcp_source(  # noqa: C901
+    source: CLIENT, *, dry_run: bool = False, skip_oauth: bool = False
+) -> list[MCPServerConfig]:
     """Handle the MCP source."""
     if not questionary.confirm(
         f"We have found {source.name} installed. Would you like to import its MCP servers to open-edison?",
@@ -41,18 +54,65 @@ def handle_mcp_source(source: CLIENT, *, dry_run: bool = False) -> list[MCPServe
 
     configs = import_from(source)
 
+    # Filter out any "open-edison" configs
+    if "open-edison" in [config.name for config in configs]:
+        print(
+            "Found an 'open-edison' config. This is not allowed, so it will be excluded from the import."
+        )
+
+    configs = [config for config in configs if config.name != "open-edison"]
+
     print(f"Loaded {len(configs)} MCP server configuration from {source.name}!")
 
     verified_configs: list[MCPServerConfig] = []
 
     for config in configs:
-        print(f"Verifying the configuration for {config.name}... (TODO)")
+        print(f"Verifying the configuration for {config.name}... ")
         result = verify_mcp_server(config)
         if result:
+            # For remote servers, only prompt if OAuth is actually required
+            if config.is_remote_server():
+                # Heuristic: if inline headers are present (e.g., API key), treat as not requiring OAuth
+                has_inline_headers: bool = any(
+                    (a == "--header" or a.startswith("--header")) for a in config.args
+                )
+                if not has_inline_headers:
+                    # Prefer cached result from verification; only check if missing
+                    oauth_mgr = get_oauth_manager()
+                    info = oauth_mgr.get_server_info(config.name)
+                    if info is None:
+                        info = asyncio.run(
+                            oauth_mgr.check_oauth_requirement(config.name, config.get_remote_url())
+                        )
+
+                    if info.status == OAuthStatus.NEEDS_AUTH:
+                        tokens_present: bool = has_oauth_tokens(config)
+                        if not tokens_present:
+                            if skip_oauth:
+                                print(
+                                    f"Skipping OAuth for {config.name} due to --skip-oauth (OAuth required, no tokens). This server will not be imported."
+                                )
+                                continue
+
+                            if questionary.confirm(
+                                f"{config.name} requires OAuth and no credentials were found. Obtain credentials now?",
+                                default=True,
+                            ).ask():
+                                success = authorize_server_oauth(config)
+                                if not success:
+                                    print(
+                                        f"Failed to obtain OAuth credentials for {config.name}. Skipping this server."
+                                    )
+                                    continue
+                            else:
+                                print(f"Skipping {config.name} per user choice.")
+                                continue
+
+            print(f"Verification successful for {config.name}.")
             verified_configs.append(config)
         else:
             print(
-                f"The configuration for {config.name} is not valid. Please check the configuration and try again."
+                f"Verification failed for the configuration of {config.name}. Please check the configuration and try again."
             )
 
     return verified_configs
@@ -72,16 +132,18 @@ def confirm_configs(configs: list[MCPServerConfig], *, dry_run: bool = False) ->
 
 def confirm_apply_configs(client: CLIENT, *, dry_run: bool = False) -> None:
     if not questionary.confirm(
-        f"We have detected that you have {client.name} installed. Would you like to connect it to open-edison?",
+        f"Would you like to set up Open Edison for {client.name}? (This will modify your MCP configuration. We will make a back up of your current one if you would like to revert.)",
         default=True,
     ).ask():
         return
 
-    export_edison_to(client, dry_run=dry_run)
+    result = export_edison_to(client, dry_run=dry_run)
     if dry_run:
         print(f"[dry-run] Export prepared for {client.name}; no changes written.")
     else:
-        print(f"Successfully set up Open Edison for {client.name}!")
+        print(
+            f"Successfully set up Open Edison for {client.name}! Your previous MCP configuration has been backed up at {result.backup_path}"
+        )
 
 
 def show_manual_setup_screen() -> None:
@@ -95,8 +157,10 @@ def show_manual_setup_screen() -> None:
 
     To set up open-edison manually in other clients, find your client's MCP config
     JSON file and add the following configuration:
+    """
 
-    "mcpServers": {
+    json_snippet = """\t{
+      "mcpServers": {
         "open-edison": {
           "command": "npx",
           "args": [
@@ -108,48 +172,123 @@ def show_manual_setup_screen() -> None:
             "Authorization: Bearer dev-api-key-change-me"
           ]
         }
-      },
+      }
+    }"""
 
+    after_text = """
     Make sure to replace 'dev-api-key-change-me' with your actual API key.
     """
 
     print(manual_setup_text)
+    # Use questionary's print with style for color
+    questionary.print(json_snippet, style="bold fg:ansigreen")
+    print(after_text)
+
+
+class _TuiLogger:
+    def _fmt(self, msg: object, *args: object) -> str:
+        try:
+            if isinstance(msg, str) and args:
+                return msg.format(*args)
+        except Exception:
+            pass
+        return str(msg)
+
+    def info(self, msg: object, *args: object, **kwargs: object) -> None:
+        questionary.print(self._fmt(msg, *args), style="fg:ansiblue")
+
+    def debug(self, msg: object, *args: object, **kwargs: object) -> None:
+        questionary.print(self._fmt(msg, *args), style="fg:ansiblack")
+
+    def warning(self, msg: object, *args: object, **kwargs: object) -> None:
+        questionary.print(self._fmt(msg, *args), style="bold fg:ansiyellow")
+
+    def error(self, msg: object, *args: object, **kwargs: object) -> None:
+        questionary.print(self._fmt(msg, *args), style="bold fg:ansired")
+
+
+@contextlib.contextmanager
+def suppress_loguru_output() -> Generator[None, None, None]:
+    """Suppress loguru output."""
+    with contextlib.suppress(Exception):
+        log.remove()
 
+    old_logger = oauth_mod.log
+    # Route oauth_manager's log calls to questionary for TUI output
+    oauth_mod.log = _TuiLogger()  # type: ignore[attr-defined]
+    yield
+    oauth_mod.log = old_logger
+    log.add(sys.stdout, level="INFO")
 
-def run(*, dry_run: bool = False) -> None:
-    """Run the complete setup process."""
+
+@suppress_loguru_output()
+def run(*, dry_run: bool = False, skip_oauth: bool = False) -> bool:  # noqa: C901
+    """Run the complete setup process.
+    Returns whether the setup was successful."""
     show_welcome_screen(dry_run=dry_run)
     # Additional setup steps will be added here
 
-    mcp_sources = detect_clients()
-    mcp_clients = detect_clients()
+    mcp_clients = sorted(detect_clients(), key=lambda x: x.value)
 
     configs: list[MCPServerConfig] = []
 
-    for source in mcp_sources:
-        configs.extend(handle_mcp_source(source, dry_run=dry_run))
+    for client in mcp_clients:
+        configs.extend(handle_mcp_source(client, dry_run=dry_run, skip_oauth=skip_oauth))
 
     if len(configs) == 0:
-        print(
-            "No MCP servers found. Please set up an MCP client with some servers and run this setup again."
-        )
-        return
+        if not questionary.confirm(
+            "No MCP servers found. Would you like to continue without them?", default=True
+        ).ask():
+            print("Setup aborted. Please configure an MCP client and try again.")
+            return False
+        return True
+
+    # Deduplicate configs
+    configs = deduplicate_by_name(configs)
 
     if not confirm_configs(configs, dry_run=dry_run):
-        return
+        return False
 
     for client in mcp_clients:
         confirm_apply_configs(client, dry_run=dry_run)
 
+    # Persist imported servers into config.json
+    if len(configs) > 0:
+        save_imported_servers(configs, dry_run=dry_run)
+
     show_manual_setup_screen()
 
+    return True
+
+
+# Triggered from cli.py
+def run_import_tui(args: argparse.Namespace, force: bool = False) -> bool:
+    """Run the import TUI, if necessary."""
+    # Find config dir, check if ".setup_tui_ran" exists
+    config_dir = get_config_dir()
+    config_dir.mkdir(parents=True, exist_ok=True)
+
+    setup_tui_ran_file = config_dir / ".setup_tui_ran"
+    success = True
+    if not setup_tui_ran_file.exists() or force:
+        success = run(dry_run=args.wizard_dry_run, skip_oauth=args.wizard_skip_oauth)
+
+    setup_tui_ran_file.touch()
+
+    return success
+
 
 def main(argv: list[str] | None = None) -> int:
     parser = argparse.ArgumentParser(description="Open Edison Setup TUI")
     parser.add_argument("--dry-run", action="store_true", help="Preview actions without writing")
+    parser.add_argument(
+        "--skip-oauth",
+        action="store_true",
+        help="Skip OAuth for remote servers (they will be omitted from import)",
+    )
     args = parser.parse_args(argv)
 
-    run(dry_run=args.dry_run)
+    run(dry_run=args.dry_run, skip_oauth=args.skip_oauth)
     return 0