fix: re-work resource interface to with with api.apify.com

resources are now pulled from the api.apify.com, and large binaries
return signed resource links

Author: RobertCrupa

src/resources/AGENTS.md

@@ -8,30 +8,33 @@ Three files serving the MCP `resources/*` surface:
 - `resource_service.ts` — handles `ListResources` / `ListResourceTemplates` /
   read-resource requests. Takes an optional `apifyClient` on list/read; the server
   builds it from the per-request token (`_meta.apifyToken || options.token`).
-- `storage_resources.ts` — exposes Apify storage **data reads** as resources
-  (alongside, not replacing, the storage tools).
+- `api_resources.ts` — a thin MCP-resource proxy over the Apify API: any Apify API GET
+  endpoint is readable as a resource, identified by its real API URL.
 - `widgets.ts` — the registry of UI widgets (the metadata that maps a widget name to
   its resource); the widgets themselves are built in [`../web`](../web/AGENTS.md).
 
-## Storage resources (`storage_resources.ts`)
-
-Custom `apify://` scheme, parsed by stripping the prefix, splitting the path on `/`,
-and reading the query with `URLSearchParams` (the `recordKey` is URL-decoded). Three
-templates (`resources/templates/list`):
-
-- `apify://datasets/{datasetId}/items{?offset,limit,fields,omit,clean,desc}` — dataset items
-- `apify://key-value-stores/{keyValueStoreId}/keys{?exclusiveStartKey,limit}` — KVS key listing
-- `apify://key-value-stores/{keyValueStoreId}/records/{recordKey}` — a single KVS record
-
-`resources/list` adds concrete URIs for the user's recent datasets/stores
-(`desc: true`, bounded). Contents are `application/json` for items/keys; records keep
-their `contentType` (binary → base64 `blob`). A binary record over
-`KV_RECORD_MAX_INLINE_BYTES` (256 KB) links out instead of inlining: a JSON text block
-with the record's public URL (`resources/read` has no `resource_link` content type),
-mirroring the `get-key-value-store-record` tool. Best-effort: no token / API error →
-list omits storage; an unreadable read returns an explanatory `text` block, never an
-error. Reuses the storage tools' arg-parsing helpers and 404→soft-fail pattern; it
-does **not** share their response builders (resources need `ReadResourceResult`).
+## API resources (`api_resources.ts`)
+
+Resource URIs are real Apify API GET URLs (`https://api.apify.com/v2/...`), so URLs that
+Actors and tools return in their responses can be read back verbatim — no scheme to
+translate. `isApifyApiUri()` gates reads to the configured API origin
+(`getApifyAPIBaseUrl()`): the apify-client attaches the session token as an `Authorization`
+header to **every** outbound request, so we must never hand it a non-Apify host.
+
+`readApiResource()` is a generic proxy: `apifyClient.httpClient.call({ method: 'GET', responseType: 'arraybuffer' })`
+(do **not** set `forceBuffer` — that skips the client's Content-Type parsing). The parsed
+body is JSON → object, text/xml → string, anything else → `Buffer`, empty → `undefined`;
+we branch on that JS type, not the MIME type. Buffers over `KV_RECORD_MAX_INLINE_BYTES`
+(256 KB) link out — a JSON text block with the URL + size + type (`resources/read` has no
+`resource_link` content type) — instead of inlining base64. For a KVS record the URL is the
+store's signed `recordPublicUrl` (fetchable without a token); other endpoints fall back to the
+token-gated API URL. Errors never throw: a missing resource, bad token, or 5xx returns an
+explanatory `text` block.
+
+`resources/templates/list` advertises three common starting points (dataset items, KVS
+keys, KVS record); `resources/list` adds the user's recent datasets/stores as concrete API
+URLs (`desc: true`, bounded, dataset URI carries a default `limit`). Both are best-effort:
+no token / API error → those entries are omitted.
 
 ## Gotcha
 

src/resources/api_resources.ts

@@ -0,0 +1,209 @@
+import type {
+    BlobResourceContents,
+    ReadResourceResult,
+    Resource,
+    ResourceTemplate,
+    TextResourceContents,
+} from '@modelcontextprotocol/sdk/types.js';
+
+import type { ApifyClient } from '../apify_client.js';
+import { getApifyAPIBaseUrl } from '../apify_client.js';
+import { KV_RECORD_MAX_INLINE_BYTES } from '../const.js';
+import { getHttpStatusCode } from '../utils/logging.js';
+
+/** Max recent datasets / stores to surface in resources/list. */
+const RECENT_LIST_LIMIT = 10;
+/** Default page size baked into the advertised dataset-items URI so a naive read doesn't pull a whole dataset. */
+const DEFAULT_DATASET_ITEMS_LIMIT = 20;
+const JSON_MIME_TYPE = 'application/json';
+const TEXT_MIME_TYPE = 'text/plain';
+
+/**
+ * Resource templates returned by resources/templates/list, expressed as real Apify API
+ * GET URLs (RFC 6570 templates). The read path is a generic proxy over any Apify API GET
+ * endpoint, so these are just the common, discoverable starting points — not an exhaustive list.
+ */
+export const API_RESOURCE_TEMPLATES: ResourceTemplate[] = [
+    {
+        uriTemplate: `${getApifyAPIBaseUrl()}/v2/datasets/{datasetId}/items{?format,clean,offset,limit,fields,omit,desc}`,
+        name: 'Dataset items',
+        description: 'Items of an Apify dataset, paginated and field-selectable.',
+        mimeType: JSON_MIME_TYPE,
+    },
+    {
+        uriTemplate: `${getApifyAPIBaseUrl()}/v2/key-value-stores/{keyValueStoreId}/keys{?exclusiveStartKey,limit}`,
+        name: 'Key-value store keys',
+        description: 'Keys in an Apify key-value store, cursor-paginated.',
+        mimeType: JSON_MIME_TYPE,
+    },
+    {
+        uriTemplate: `${getApifyAPIBaseUrl()}/v2/key-value-stores/{keyValueStoreId}/records/{recordKey}`,
+        name: 'Key-value store record',
+        description: 'A single record (text, JSON, or binary) from an Apify key-value store.',
+    },
+];
+
+/**
+ * True when the URI is an Apify API URL (same origin as the configured API base).
+ *
+ * This is the security gate for the generic read proxy: the apify-client attaches the
+ * session token as an `Authorization` header to every outbound request, so we must only
+ * hand it Apify API URLs — never an arbitrary host.
+ */
+export function isApifyApiUri(uri: string): boolean {
+    try {
+        return new URL(uri).origin === new URL(getApifyAPIBaseUrl()).origin;
+    } catch {
+        return false;
+    }
+}
+
+/**
+ * List the user's recent datasets and key-value stores as concrete Apify API URLs.
+ * Best-effort: returns `[]` when there is no client or the API errors, so the overall
+ * resources/list still serves widgets and the usage guide.
+ */
+export async function listStorageResources(apifyClient?: ApifyClient): Promise<Resource[]> {
+    if (!apifyClient) {
+        return [];
+    }
+    const base = getApifyAPIBaseUrl();
+    const resources: Resource[] = [];
+    try {
+        const datasets = await apifyClient.datasets().list({ limit: RECENT_LIST_LIMIT, desc: true });
+        for (const dataset of datasets.items) {
+            resources.push({
+                uri: `${base}/v2/datasets/${dataset.id}/items?limit=${DEFAULT_DATASET_ITEMS_LIMIT}`,
+                name: dataset.name ?? dataset.id,
+                description: `Dataset with ${dataset.itemCount} item(s).`,
+                mimeType: JSON_MIME_TYPE,
+            });
+        }
+    } catch {
+        // Ignore: best-effort listing.
+    }
+    try {
+        const stores = await apifyClient.keyValueStores().list({ limit: RECENT_LIST_LIMIT, desc: true });
+        for (const store of stores.items) {
+            resources.push({
+                uri: `${base}/v2/key-value-stores/${store.id}/keys`,
+                name: store.name ?? store.id,
+                description: 'Key-value store.',
+                mimeType: JSON_MIME_TYPE,
+            });
+        }
+    } catch {
+        // Ignore: best-effort listing.
+    }
+    return resources;
+}
+
+/** Matches an Apify key-value-store record path, capturing the store id and the record key. */
+const KV_RECORD_PATH_RE = /^\/v2\/key-value-stores\/([^/]+)\/records\/(.+)$/;
+
+/**
+ * Download URL for a binary too large to inline. For a key-value-store record URI, returns the
+ * store's signed `recordPublicUrl` — fetchable without an API token when the client can read the
+ * store's URL signing key. Falls back to the original API URL for any other endpoint, or if minting
+ * the signed URL fails (fetching that link then needs a token).
+ */
+async function getRecordDownloadUrl(uri: string, apifyClient: ApifyClient): Promise<string> {
+    let pathname: string;
+    try {
+        pathname = new URL(uri).pathname;
+    } catch {
+        return uri;
+    }
+    const match = KV_RECORD_PATH_RE.exec(pathname);
+    if (!match) return uri;
+    try {
+        const store = apifyClient.keyValueStore(decodeURIComponent(match[1]));
+        return await store.getRecordPublicUrl(decodeURIComponent(match[2]));
+    } catch {
+        return uri;
+    }
+}
+
+/** Single explanatory text-contents result for a not-found / no-token / refused read. */
+function buildTextResult(uri: string, text: string): ReadResourceResult {
+    return { contents: [{ uri, mimeType: TEXT_MIME_TYPE, text } satisfies TextResourceContents] };
+}
+
+/**
+ * Read any Apify API GET endpoint as an MCP resource.
+ *
+ * A thin proxy: the apify-client injects the session token (and MCP-origin / payment headers),
+ * performs the GET, and parses the body by Content-Type — JSON to an object, text/xml to a
+ * string, anything else to a Buffer, an empty body to `undefined`. We branch on that resulting
+ * JS type, not the MIME type. Errors (a missing resource, a bad token, a 5xx) never throw; they
+ * return an explanatory text block, matching the resources/read soft-fail contract.
+ */
+export async function readApiResource(uri: string, apifyClient?: ApifyClient): Promise<ReadResourceResult> {
+    if (!apifyClient) {
+        return buildTextResult(uri, `Cannot read ${uri}: no Apify token in this session.`);
+    }
+    if (!isApifyApiUri(uri)) {
+        return buildTextResult(
+            uri,
+            `Cannot read ${uri}: only Apify API URLs (${getApifyAPIBaseUrl()}) are readable as resources.`,
+        );
+    }
+
+    let response: { data: unknown; headers: Record<string, unknown> };
+    try {
+        // Default responseType is `arraybuffer`, which lets the client's parse interceptor decode
+        // the body by Content-Type. Do NOT set `forceBuffer` — that would keep everything as raw bytes.
+        response = await apifyClient.httpClient.call({ url: uri, method: 'GET', responseType: 'arraybuffer' });
+    } catch (err) {
+        const status = getHttpStatusCode(err);
+        const message = err instanceof Error ? err.message : String(err);
+        return buildTextResult(uri, `Failed to read ${uri}: ${status ? `HTTP ${status}: ` : ''}${message}`);
+    }
+
+    const contentTypeHeader = response.headers['content-type'];
+    const contentType = typeof contentTypeHeader === 'string' ? contentTypeHeader : undefined;
+    const { data } = response;
+
+    // An empty body (e.g. an Actor that wrote an empty OUTPUT) is legitimate; emit empty text.
+    if (data === undefined || data === null) {
+        return buildTextResult(uri, '');
+    }
+
+    if (Buffer.isBuffer(data)) {
+        const mimeType = contentType?.split(';')[0].trim().toLowerCase();
+        // Inlining a large binary as base64 would blow up the client's context, so above the inline
+        // limit link out instead: a JSON text block with the URL, size, and type (resources/read has
+        // no resource_link content type). For a key-value-store record the link is the signed public
+        // URL, fetchable without a token; other endpoints fall back to the (token-gated) API URL.
+        if (data.length > KV_RECORD_MAX_INLINE_BYTES) {
+            const downloadUrl = await getRecordDownloadUrl(uri, apifyClient);
+            return {
+                contents: [
+                    {
+                        uri,
+                        mimeType: JSON_MIME_TYPE,
+                        text: JSON.stringify({ uri: downloadUrl, size: data.length, ...(mimeType && { mimeType }) }),
+                    } satisfies TextResourceContents,
+                ],
+            };
+        }
+        return {
+            contents: [
+                { uri, ...(mimeType && { mimeType }), blob: data.toString('base64') } satisfies BlobResourceContents,
+            ],
+        };
+    }
+
+    // JSON (already parsed to an object/array) or text/xml (a string). A string is emitted verbatim
+    // with its declared Content-Type; anything else is lossless-serialized as JSON.
+    const text = typeof data === 'string' ? data : JSON.stringify(data);
+    return {
+        contents: [
+            {
+                uri,
+                mimeType: contentType ?? (typeof data === 'string' ? TEXT_MIME_TYPE : JSON_MIME_TYPE),
+                text,
+            } satisfies TextResourceContents,
+        ],
+    };
+}

src/resources/resource_service.ts

@@ -11,12 +11,7 @@ import log from '@apify/log';
 import type { ApifyClient } from '../apify_client.js';
 import type { PaymentProvider } from '../payments/types.js';
 import { ServerMode } from '../types.js';
-import {
-    isStorageUri,
-    listStorageResources,
-    readStorageResource,
-    STORAGE_RESOURCE_TEMPLATES,
-} from './storage_resources.js';
+import { API_RESOURCE_TEMPLATES, isApifyApiUri, listStorageResources, readApiResource } from './api_resources.js';
 import type { AvailableWidget } from './widgets.js';
 import { RESOURCE_MIME_TYPE } from './widgets.js';
 
@@ -86,9 +81,9 @@ export function createResourceService(options: ResourceServiceOptions): Resource
     };
 
     const readResource = async (uri: string, apifyClient?: ApifyClient): Promise<ExtendedReadResourceResult> => {
-        if (isStorageUri(uri)) {
-            // Storage contents carry no widget `_meta`/`html`; the extended shape only adds optional fields.
-            return (await readStorageResource(uri, apifyClient)) as ExtendedReadResourceResult;
+        if (isApifyApiUri(uri)) {
+            // API contents carry no widget `_meta`/`html`; the extended shape only adds optional fields.
+            return (await readApiResource(uri, apifyClient)) as ExtendedReadResourceResult;
         }
 
         const usageGuide = paymentProvider?.getUsageGuide?.();
@@ -173,7 +168,7 @@ export function createResourceService(options: ResourceServiceOptions): Resource
     };
 
     const listResourceTemplates = async (): Promise<ListResourceTemplatesResult> => ({
-        resourceTemplates: STORAGE_RESOURCE_TEMPLATES,
+        resourceTemplates: API_RESOURCE_TEMPLATES,
     });
 
     return {