fix(mcp,cli): close release-blocking auth and publish gaps

Author: PaulJPhilp

CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [Unreleased]
+
+### 🔒 Security
+- **MCP Streamable Auth**: Enforced strict API key validation in streamable transport (presence-only bypass removed) with constant-time comparison.
+- **OAuth/PKCE Hardening**: Fixed PKCE verification flow and required verifier validation for OAuth code exchange.
+- **OAuth Client Auth**: Enforced configured `client_id`/`client_secret` validation for token exchange and aligned discovery metadata with supported token auth mode.
+
+### 🛡️ Admin Protection
+- **DB Mutation Routes**: Locked down destructive migration/reset/import endpoints behind admin authentication.
+
+### ✅ Release Readiness
+- **Regression Coverage**: Added auth and admin-route regression tests for transport auth, PKCE/client auth, and DB mutation authorization.
+- **EP CLI Publishability**: Enabled npm release path by removing package `private` flag from `@effect-patterns/ep-cli`.
+
 ## [0.10.0-patterns] - 2026-01-12
 
 ### 🚀 Features

packages/ep-cli/package.json

@@ -2,7 +2,7 @@
   "name": "@effect-patterns/ep-cli",
   "version": "0.2.0",
   "description": "End-user CLI for Effect Patterns Hub",
-  "private": true,
+  "private": false,
   "type": "module",
   "bin": {
     "ep": "./dist/index.js"
@@ -39,4 +39,4 @@
     "tsx": "^4.21.0",
     "typescript": "5.9.3"
   }
-}
+}

packages/mcp-server/app/api/bulk-import/route.ts

@@ -4,42 +4,43 @@
 
 import { createDatabase } from "@effect-patterns/toolkit";
 import { sql } from "drizzle-orm";
-import { NextResponse } from "next/server";
+import { Effect } from "effect";
+import { type NextRequest } from "next/server";
+import { ValidationError } from "../../../src/errors";
+import { createSimpleHandler } from "../../../src/server/routeHandler";
 
-export async function POST(request: Request) {
-    try {
-        const body = await request.json() as Record<string, unknown>;
-        const { patterns } = body;
-
-        if (!Array.isArray(patterns)) {
-            return NextResponse.json(
-                {
-                    success: false,
-                    error: "patterns must be an array",
-                },
-                { status: 400 },
-            );
-        }
-
-        const dbUrl = process.env.DATABASE_URL;
-        if (!dbUrl) {
-            return NextResponse.json(
-                {
-                    success: false,
-                    error: "DATABASE_URL not set",
-                },
-                { status: 500 },
-            );
-        }
+const handleBulkImport = (request: NextRequest) => Effect.gen(function* () {
+  const body = (yield* Effect.tryPromise({
+    try: () => request.json(),
+    catch: () =>
+      new ValidationError({
+        field: "body",
+        message: "Invalid JSON request body",
+      }),
+  })) as Record<string, unknown>;
+  const { patterns } = body;
 
-        const { db, close } = createDatabase(dbUrl);
+  if (!Array.isArray(patterns)) {
+    return yield* Effect.fail(
+      new ValidationError({
+        field: "patterns",
+        message: "patterns must be an array",
+        value: patterns,
+      })
+    );
+  }
 
-        try {
-            console.log(`Importing ${patterns.length} patterns...`);
+  const dbUrl = process.env.DATABASE_URL;
+  if (!dbUrl) {
+    return yield* Effect.fail(new Error("DATABASE_URL not set"));
+  }
 
-            let imported = 0;
-            for (const pattern of patterns) {
-                await db.execute(sql`
+  const imported = yield* Effect.tryPromise(async () => {
+    const { db, close } = createDatabase(dbUrl);
+    try {
+      let importedCount = 0;
+      for (const pattern of patterns as Array<Record<string, unknown>>) {
+        await db.execute(sql`
           INSERT INTO effect_patterns (
             id, slug, title, summary, skill_level, category, difficulty,
             tags, examples, use_cases, rule, content, author, lesson_order,
@@ -57,28 +58,22 @@ export async function POST(request: Request) {
           )
           ON CONFLICT (id) DO NOTHING
         `);
-                imported++;
-            }
+        importedCount++;
+      }
+      return importedCount;
+    } finally {
+      await close();
+    }
+  });
 
-            console.log(`✅ Successfully imported ${imported} patterns`);
+  return {
+    success: true,
+    message: `Imported ${imported} patterns`,
+    imported,
+  };
+});
 
-            return NextResponse.json({
-                success: true,
-                message: `Imported ${imported} patterns`,
-                imported,
-            });
-        } finally {
-            await close();
-        }
-    } catch (error) {
-        console.error("Import error:", error);
-        return NextResponse.json(
-            {
-                success: false,
-                error: "Import failed",
-                details: error instanceof Error ? error.message : String(error),
-            },
-            { status: 500 },
-        );
-    }
-}
+export const POST = createSimpleHandler(handleBulkImport, {
+  requireAuth: false,
+  requireAdmin: true,
+});

packages/mcp-server/app/api/final-reset/route.ts

@@ -4,79 +4,73 @@
 
 import { createDatabase } from "@effect-patterns/toolkit"
 import { sql } from "drizzle-orm"
-import { NextResponse } from "next/server"
+import { Effect } from "effect"
+import { type NextRequest } from "next/server"
+import { createSimpleHandler } from "../../../src/server/routeHandler"
 
-export async function POST() {
-	try {
-		const dbUrl = process.env.DATABASE_URL
-		if (!dbUrl) {
-			return NextResponse.json({
-				success: false,
-				error: "DATABASE_URL not set"
-			}, { status: 500 })
-		}
+const handleFinalReset = (_request: NextRequest) => Effect.gen(function* () {
+	const dbUrl = process.env.DATABASE_URL
+	if (!dbUrl) {
+		return yield* Effect.fail(new Error("DATABASE_URL not set"))
+	}
 
+	yield* Effect.tryPromise(async () => {
 		const { db, close } = createDatabase(dbUrl)
+		try {
+			// Drop existing tables
+			await db.execute(sql`DROP TABLE IF EXISTS effect_patterns CASCADE`)
+			await db.execute(sql`DROP TABLE IF EXISTS application_patterns CASCADE`)
 
-		// Drop existing tables
-		await db.execute(sql`DROP TABLE IF EXISTS effect_patterns CASCADE`)
-		await db.execute(sql`DROP TABLE IF EXISTS application_patterns CASCADE`)
-
-		// Create effect_patterns table with individual statements
-		await db.execute(sql`CREATE TABLE effect_patterns (
-			id UUID PRIMARY KEY,
-			slug VARCHAR(255) NOT NULL UNIQUE,
-			title VARCHAR(500) NOT NULL,
-			summary TEXT NOT NULL,
-			skill_level VARCHAR(50) NOT NULL,
-			category VARCHAR(100),
-			difficulty VARCHAR(50),
-			tags JSONB DEFAULT '[]',
-			examples JSONB DEFAULT '[]',
-			use_cases JSONB DEFAULT '[]',
-			rule JSONB,
-			content TEXT,
-			author VARCHAR(255),
-			lesson_order INTEGER,
-			application_pattern_id UUID REFERENCES application_patterns(id) ON DELETE SET NULL,
-			validated BOOLEAN DEFAULT false NOT NULL,
-			validated_at TIMESTAMP,
-			created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
-			updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
-		)`)
+			// Create effect_patterns table with individual statements
+			await db.execute(sql`CREATE TABLE effect_patterns (
+				id UUID PRIMARY KEY,
+				slug VARCHAR(255) NOT NULL UNIQUE,
+				title VARCHAR(500) NOT NULL,
+				summary TEXT NOT NULL,
+				skill_level VARCHAR(50) NOT NULL,
+				category VARCHAR(100),
+				difficulty VARCHAR(50),
+				tags JSONB DEFAULT '[]',
+				examples JSONB DEFAULT '[]',
+				use_cases JSONB DEFAULT '[]',
+				rule JSONB,
+				content TEXT,
+				author VARCHAR(255),
+				lesson_order INTEGER,
+				application_pattern_id UUID REFERENCES application_patterns(id) ON DELETE SET NULL,
+				validated BOOLEAN DEFAULT false NOT NULL,
+				validated_at TIMESTAMP,
+				created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+				updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+			)`)
 
-		// Create application_patterns table with individual statements
-		await db.execute(sql`CREATE TABLE application_patterns (
-			id UUID PRIMARY KEY,
-			slug VARCHAR(255) NOT NULL UNIQUE,
-			name VARCHAR(255) NOT NULL,
-			description TEXT NOT NULL,
-			learning_order INTEGER NOT NULL,
-			effect_module VARCHAR(100),
-			sub_patterns JSONB DEFAULT '[]',
-			validated BOOLEAN DEFAULT false NOT NULL,
-			validated_at TIMESTAMP,
-			created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
-			updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
-		)`)
-
-		await close()
+			// Create application_patterns table with individual statements
+			await db.execute(sql`CREATE TABLE application_patterns (
+				id UUID PRIMARY KEY,
+				slug VARCHAR(255) NOT NULL UNIQUE,
+				name VARCHAR(255) NOT NULL,
+				description TEXT NOT NULL,
+				learning_order INTEGER NOT NULL,
+				effect_module VARCHAR(100),
+				sub_patterns JSONB DEFAULT '[]',
+				validated BOOLEAN DEFAULT false NOT NULL,
+				validated_at TIMESTAMP,
+				created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+				updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+			)`)
+		} finally {
+			await close()
+		}
+	})
 
-		return NextResponse.json({
-			success: true,
-			message: "Database reset completed with full schema",
-			tablesRecreated: 2
-		})
-	} catch (error) {
-		console.error("Reset error:", error)
-		const errorMessage = error instanceof Error ? error.message : String(error)
-		return NextResponse.json(
-			{
-				success: false,
-				error: "Database reset failed",
-				details: errorMessage
-			},
-			{ status: 500 }
-		)
+	return {
+		success: true,
+		message: "Database reset completed with full schema",
+		tablesRecreated: 2
 	}
-}
+})
+
+export const POST = createSimpleHandler(handleFinalReset, {
+	requireAuth: false,
+	requireAdmin: true,
+})