feat(kbdb,mcp): KBDB 資料層薄殼 + self-hosted MCP 認證 + cypher KBDB proxy
三件一條鏈(HANDOFF §2/§3b,kbdb-base Phase 9):
A. KBDB MCP 薄殼(9.1):mcp/src/tools/kbdb_data.ts 6 工具
template/record/query/search,調基本盤 API。鐵律:不給建表/SQL,只 template+slot。
B. MCP self-hosted 認證 401(mcp-account-source §5.5):
- partner-auth.ts:MULTI_TENANT=false 時 Bearer 明碼直接當 org_namespace,
繞 KBDB partner 驗證(對齊 cypher 的 opaque-key 模型)。官方 SaaS 行為不變、共用同碼。
- mcp-setup.ts:把 namespace/api_key 寫進 .mcp.json headers.Authorization。
- 新增 self-hosted vs SaaS 分支單測(9 tests 綠)。
C. cypher KBDB proxy(9.5)+ CLI 薄殼(9.2):
- routes/kbdb-proxy.ts 純轉發 /kbdb/* → KBDB 基本盤(KBDB_BASE_URL HTTP fetch,
不新增 service binding)。讓 CLI(只認證到 cypher)能達獨立 KBDB worker。
- 租戶隔離:X-Arcrun-API-Key 自動當 owner_id 注入 records/entries(強制覆寫防跨租戶);
templates 全域共享(虛擬表定義是 schema 非資料)。
- cli/src/commands/kbdb.ts:acr kbdb template/record/query/search,與 MCP kbdb_* 同能力。
- kbdb base:entries 加 page_name 過濾(9.3)。
cypher + cli + mcp tsc exit 0。未驗收:端到端需 deploy + KBDB_BASE_URL 可達後實測。
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
uncle6me-web
@@ -40,3 +40,41 @@ describe("partner-auth: KBDB response validation", () => {
|
||||
expect(info.org_namespace).toBe("org-a");
|
||||
});
|
||||
});
|
||||
|
||||
// HANDOFF §3b / mcp-account-source.md §5.5:self-hosted(MULTI_TENANT=false)下
|
||||
// Bearer 帶的是 namespace 明碼,不打 KBDB partner 驗證,直接當 org_namespace。
|
||||
// 與 cypher-executor 的 opaque-key 模型對齊(X-Arcrun-API-Key 不驗證直接當分區 key)。
|
||||
function resolveNamespace(
|
||||
multiTenant: string | undefined,
|
||||
token: string,
|
||||
validatePartner: (t: string) => { valid: boolean; org_namespace: string },
|
||||
): { ok: boolean; org_namespace?: string } {
|
||||
if (multiTenant === "false") {
|
||||
// self-hosted:Bearer 明碼即 namespace,繞 partner 驗證
|
||||
return { ok: true, org_namespace: token };
|
||||
}
|
||||
// SaaS:維持 partner-key 驗證(行為不變)
|
||||
const info = validatePartner(token);
|
||||
return info.valid ? { ok: true, org_namespace: info.org_namespace } : { ok: false };
|
||||
}
|
||||
|
||||
describe("partner-auth: self-hosted (MULTI_TENANT=false) bypasses partner validation", () => {
|
||||
const partnerValidatorThatAlwaysRejects = () => ({ valid: false, org_namespace: "" });
|
||||
|
||||
it("self-hosted: namespace 明碼直接當 org_namespace,不打 partner 驗證", () => {
|
||||
const r = resolveNamespace("false", "leo", partnerValidatorThatAlwaysRejects);
|
||||
expect(r.ok).toBe(true);
|
||||
expect(r.org_namespace).toBe("leo");
|
||||
});
|
||||
|
||||
it("SaaS (未設 MULTI_TENANT):仍走 partner 驗證,明碼被擋", () => {
|
||||
const r = resolveNamespace(undefined, "leo", partnerValidatorThatAlwaysRejects);
|
||||
expect(r.ok).toBe(false);
|
||||
});
|
||||
|
||||
it("SaaS:合法 partner key 通過並取 org_namespace", () => {
|
||||
const r = resolveNamespace("true", "pk_live_x", () => ({ valid: true, org_namespace: "org-a" }));
|
||||
expect(r.ok).toBe(true);
|
||||
expect(r.org_namespace).toBe("org-a");
|
||||
});
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user