Merge branch 'main' into dev2

Author: CodeWithCJ

AGENTS.md

@@ -29,18 +29,18 @@ For `shared/`, `docs/`, `SparkyFitnessMCP/`, and `SparkyFitnessGarmin/`, there i
 - `SparkyFitnessMobile/` - Expo SDK 54 / React Native 0.81 app.
 - `shared/` - source-first TypeScript workspace package for `@workspace/shared` schemas, constants, and timezone/day helpers.
 - `docs/` - Nuxt / Docus docs site.
-- `SparkyFitnessMCP/` - TypeScript MCP server integrated into the `pnpm` workspace.
+- `SparkyFitnessMCP/` - TypeScript MCP server in the `pnpm` workspace. **Deprecated** in favor of the in-process `/mcp` route on `SparkyFitnessServer`; the `codewithcj/sparkyfitness_mcp:latest` image is still published during a deprecation window, so the package stays for now.
 - `SparkyFitnessGarmin/` - standalone Python integration service outside the current `pnpm` workspace.
 - `docker/`, `helm/`, `.github/` - infra and deployment assets.
 - `db_schema_backup.sql` - repo-root schema snapshot that should stay aligned with server migrations.
 - `docker/.env.example` - tracked env template commonly copied to repo-root `.env`.
 
 ## Workspace Notes
 
-- `pnpm-workspace.yaml` currently lists `frontend`, `SparkyFitnessFrontend`, `shared`, `SparkyFitnessMobile`, `SparkyFitnessServer`, and `docs`.
+- `pnpm-workspace.yaml` currently lists `frontend`, `SparkyFitnessFrontend`, `shared`, `SparkyFitnessMobile`, `SparkyFitnessServer`, `docs`, and `SparkyFitnessMCP`.
 - Only `SparkyFitnessFrontend/` exists on disk right now; treat `frontend` as a legacy workspace entry unless the task is specifically about workspace cleanup.
 - `shared/` is a library package, not an app. Validate shared changes from the consuming package(s), not in isolation.
-- `SparkyFitnessMCP/` and `SparkyFitnessGarmin/` are outside the current workspace, so inspect their own manifests and scripts before working there.
+- `SparkyFitnessMCP/` is still listed in `pnpm-workspace.yaml` (it is deprecated; Phase 3b will remove the entry). `SparkyFitnessGarmin/` is outside the current workspace. Inspect their own manifests and scripts before working there.
 
 ## Cross-Package Rules
 

SparkyFitnessFrontend/vite.config.ts

@@ -23,6 +23,10 @@ export default defineConfig(({ mode }) => {
           target: target,
           changeOrigin: true,
         },
+        '/mcp': {
+          target: target,
+          changeOrigin: true,
+        },
         '/uploads': {
           target: target,
           changeOrigin: true,

SparkyFitnessMCP/README.md

@@ -0,0 +1,44 @@
+# SparkyFitness MCP Server (DEPRECATED)
+
+> **DEPRECATED:** This standalone MCP server is superseded by the in-process
+> `/mcp` route on the main `SparkyFitnessServer`. New integrations should point
+> at the main server's `/mcp` endpoint. This package and its Dockerfiles remain
+> only during a deprecation window and will be removed in a scheduled follow-up.
+
+## What changed
+
+MCP is now served in-process by the main `SparkyFitnessServer` at `POST /mcp`.
+That route reuses the chatbot tool registry, so the server and the assistant
+expose a single, shared tool surface instead of two separate implementations.
+
+This standalone package previously ran MCP as its own service (HTTP and stdio).
+It is no longer the recommended way to run MCP.
+
+## Where to point MCP clients
+
+Use the main server's `/mcp` endpoint:
+
+- Production: `https://<your-host>/mcp`
+- Local dev: `http://localhost:8080/mcp` (the frontend Vite dev proxy forwards
+  `/mcp` to the server; `http://localhost:3010/mcp` hits the server directly)
+
+stdio-only MCP clients (that cannot speak Streamable HTTP) can bridge to the
+HTTP endpoint with [`mcp-remote`](https://www.npmjs.com/package/mcp-remote):
+
+```bash
+npx mcp-remote https://<your-host>/mcp
+```
+
+## Why this package still exists
+
+The Docker image `codewithcj/sparkyfitness_mcp:latest` is still published during
+the deprecation window, so this package and its Dockerfiles
+(`docker/Dockerfile.mcp`, `docker/Dockerfile.mcp.dev`) remain in the repo for
+now. Existing deployments that depend on the standalone image keep working until
+the window closes.
+
+## Removal
+
+Removal of this package, its Dockerfiles, and the CI build/publish steps is
+tracked as a scheduled follow-up (Phase 3b), at the upstream maintainer's
+discretion.

SparkyFitnessMCP/src/index.ts

@@ -1,3 +1,12 @@
+// ─── DEPRECATED ───────────────────────────────────────────────────────────────
+// This standalone MCP server is superseded by the in-process `/mcp` route on the
+// main SparkyFitnessServer, which reuses the chatbot tool registry (one shared
+// tool surface). Point new MCP clients at the main server's `/mcp` endpoint
+// instead. The Docker image `codewithcj/sparkyfitness_mcp:latest` is still
+// published during a deprecation window, so this package remains for now;
+// removal is tracked as a scheduled follow-up (Phase 3b). See README.md.
+// ──────────────────────────────────────────────────────────────────────────────
+
 import path from "path";
 import dotenv from "dotenv";
 

SparkyFitnessServer/ai/mcp/mcpAdapter.ts

@@ -1,6 +1,7 @@
 import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import type { ToolCallOptions } from 'ai';
 import { buildChatbotTools } from '../tools/index.js';
+import { buildDevTools } from '../tools/devTools.js';
 
 // Registry handlers read only rawArgs (no abortSignal/messages), so a stub
 // satisfies the execute() signature.
@@ -16,18 +17,13 @@ interface RegistryTool {
   execute?: (args: unknown, options: ToolCallOptions) => Promise<any> | any;
 }
 
-// Re-publishes the in-process chatbot tool registry as MCP tools, reusing each
-// tool's zod-4 schema and execute() so MCP clients and the chatbot share one
-// surface with identical output text.
-export function registerRegistryTools(
+// Registers a name->tool map onto an McpServer, reusing each tool's zod-4 schema
+// and execute(). Shared by the registry and dev-tool registration so both wrap
+// the plain-string return into MCP { content: [...] } identically.
+function registerToolMap(
   mcpServer: McpServer,
-  userId: string,
-  tz: string
+  tools: Record<string, RegistryTool>
 ): void {
-  const tools = buildChatbotTools(userId, tz) as unknown as Record<
-    string,
-    RegistryTool
-  >;
   for (const [name, t] of Object.entries(tools)) {
     mcpServer.registerTool(
       name,
@@ -43,3 +39,29 @@ export function registerRegistryTools(
     );
   }
 }
+
+// Re-publishes the in-process chatbot tool registry as MCP tools, reusing each
+// tool's zod-4 schema and execute() so MCP clients and the chatbot share one
+// surface with identical output text.
+export function registerRegistryTools(
+  mcpServer: McpServer,
+  userId: string,
+  tz: string
+): void {
+  const tools = buildChatbotTools(userId, tz) as unknown as Record<
+    string,
+    RegistryTool
+  >;
+  registerToolMap(mcpServer, tools);
+}
+
+// Registers the admin-only dev tools (kept out of buildChatbotTools so the
+// chatbot never sees them). The route gates this on DEV_TOOLS_ENABLED + an admin
+// caller, so non-admins never get these in tools/list.
+export function registerDevTools(mcpServer: McpServer, userId: string): void {
+  const tools = buildDevTools(userId) as unknown as Record<
+    string,
+    RegistryTool
+  >;
+  registerToolMap(mcpServer, tools);
+}

SparkyFitnessServer/ai/tools/devTools.ts

@@ -0,0 +1,161 @@
+import { tool } from 'ai';
+import { z } from 'zod';
+import { log } from '../../config/logging.js';
+import { getSystemClient, getPoolStats } from '../../db/poolManager.js';
+import { resolveIsAdmin } from '../../utils/adminCheck.js';
+import { ERRORS, formatZodError } from './errors.js';
+import { formatSuccess } from './formatting.js';
+
+const inspectSchemaInput = z.object({
+  table: z.string().min(1).describe('Name of the database table to inspect'),
+});
+
+const emptyInput = z.object({});
+
+// Defense-in-depth gate re-checked on every call (the route already gates
+// registration). Re-verifies the env flag and admin role via the DB lookup,
+// since the handler closes over only a userId. Returns an ERRORS.* string when
+// denied, null when allowed.
+async function assertDevAccess(userId: string): Promise<string | null> {
+  if (process.env.DEV_TOOLS_ENABLED !== 'true') {
+    return ERRORS.FORBIDDEN('Dev tools are disabled');
+  }
+  if (!(await resolveIsAdmin(undefined, userId))) {
+    return ERRORS.FORBIDDEN('Admin access required');
+  }
+  return null;
+}
+
+// The 4 admin/debug tools, kept out of buildChatbotTools so the chatbot never
+// sees them; registered only for an admin when DEV_TOOLS_ENABLED=true. Each
+// execute() returns a plain string — registerToolMap does the MCP wrapping.
+export function buildDevTools(userId: string) {
+  return {
+    sparky_inspect_schema: tool({
+      description:
+        'Inspect the database schema to understand available tables and columns. Requires admin access and DEV_TOOLS_ENABLED=true.',
+      inputSchema: inspectSchemaInput,
+      execute: async (rawArgs) => {
+        const denied = await assertDevAccess(userId);
+        if (denied) return denied;
+
+        const parsed = inspectSchemaInput.safeParse(rawArgs);
+        if (!parsed.success) {
+          return formatZodError(parsed.error);
+        }
+        const { table } = parsed.data;
+
+        const client = await getSystemClient();
+        try {
+          let schema = 'public';
+          let tableName = table;
+          if (table.includes('.')) {
+            const parts = table.split('.');
+            schema = parts[0];
+            tableName = parts[1];
+          }
+
+          const result = await client.query(
+            `SELECT column_name, data_type, is_nullable, column_default, table_schema
+             FROM information_schema.columns
+             WHERE table_name = $1 AND table_schema = $2
+             ORDER BY ordinal_position`,
+            [tableName, schema]
+          );
+
+          if (result.rows.length === 0) {
+            return ERRORS.NOT_FOUND('Table', table);
+          }
+
+          const columns = result.rows.map((row: any) => ({
+            column: row.column_name,
+            type: row.data_type,
+            nullable: row.is_nullable === 'YES',
+            default: row.column_default,
+          }));
+
+          return formatSuccess(
+            { table, columns, column_count: columns.length },
+            `Schema: ${table}`
+          );
+        } catch (error) {
+          log('error', '[Dev Tool] inspectSchema error:', error);
+          return ERRORS.DB_ERROR();
+        } finally {
+          client.release();
+        }
+      },
+    }),
+
+    sparky_get_user_info: tool({
+      description:
+        'Get information about the current authenticated user. Requires admin access and DEV_TOOLS_ENABLED=true.',
+      inputSchema: emptyInput,
+      execute: async () => {
+        const denied = await assertDevAccess(userId);
+        if (denied) return denied;
+
+        const client = await getSystemClient();
+        try {
+          const result = await client.query(
+            `SELECT id, name, email, role, created_at, updated_at
+             FROM "user"
+             WHERE id = $1`,
+            [userId]
+          );
+
+          if (result.rows.length === 0) {
+            return ERRORS.NOT_FOUND('User', userId);
+          }
+
+          const user = result.rows[0];
+          return formatSuccess(
+            { user_id: userId, ...user },
+            'Current User Info'
+          );
+        } catch (error) {
+          log('error', '[Dev Tool] getUserInfo error:', error);
+          return ERRORS.DB_ERROR();
+        } finally {
+          client.release();
+        }
+      },
+    }),
+
+    sparky_get_db_stats: tool({
+      description:
+        'Get current database connection pool statistics. Requires admin access and DEV_TOOLS_ENABLED=true.',
+      inputSchema: emptyInput,
+      execute: async () => {
+        const denied = await assertDevAccess(userId);
+        if (denied) return denied;
+
+        try {
+          return formatSuccess(getPoolStats(), 'Database Pool Stats');
+        } catch (error) {
+          log('error', '[Dev Tool] getDbStats error:', error);
+          return ERRORS.DB_ERROR();
+        }
+      },
+    }),
+
+    sparky_run_project_tests: tool({
+      description:
+        "Run the project's test suite to verify nutrition and fitness logic. Requires admin access and DEV_TOOLS_ENABLED=true.",
+      inputSchema: emptyInput,
+      execute: async () => {
+        const denied = await assertDevAccess(userId);
+        if (denied) return denied;
+
+        return formatSuccess(
+          {
+            status: 'scheduled',
+            message:
+              'Tests would be executed via child_process in a real environment.',
+          },
+          'Project Tests'
+        );
+      },
+    }),
+  };
+}

SparkyFitnessServer/db/poolManager.ts

@@ -82,6 +82,18 @@ async function getSystemClient() {
   const client = await _getRawOwnerPool().connect();
   return client;
 }
+// node-pg counters for the app pool, for the admin-only dev tools. Guards
+// against an uninitialized pool.
+function getPoolStats() {
+  if (!appPoolInstance) {
+    return { totalCount: 0, idleCount: 0, waitingCount: 0 };
+  }
+  return {
+    totalCount: appPoolInstance.totalCount,
+    idleCount: appPoolInstance.idleCount,
+    waitingCount: appPoolInstance.waitingCount,
+  };
+}
 async function endPool() {
   if (ownerPoolInstance) {
     log('info', 'Ending existing owner database connection pool...');
@@ -110,11 +122,13 @@ export { endPool };
 export { resetPool };
 export { getClient };
 export { getSystemClient };
+export { getPoolStats };
 export { _getRawOwnerPool as getRawOwnerPool };
 export default {
   endPool,
   resetPool,
   getClient,
   getSystemClient,
+  getPoolStats,
   getRawOwnerPool: _getRawOwnerPool,
 };

SparkyFitnessServer/middleware/authMiddleware.ts

@@ -3,6 +3,7 @@ import userRepository from '../models/userRepository.js';
 import { serializeSignedCookie } from 'better-call';
 import { auth } from '../auth.js';
 import { canAccessUserData } from '../utils/permissionUtils.js';
+import { resolveIsAdmin } from '../utils/adminCheck.js';
 import {
   getCachedSession,
   setCachedSession,
@@ -176,26 +177,12 @@ const isAdmin = async (req: any, res: any, next: any) => {
   if (!req.userId) {
     return res.status(401).json({ error: 'Authentication required.' });
   }
-  // 1. Super-admin override
-  if (
-    process.env.SPARKY_FITNESS_ADMIN_EMAIL &&
-    req.user?.email === process.env.SPARKY_FITNESS_ADMIN_EMAIL
-  ) {
+  // Admin predicate lives in utils/adminCheck.ts (checks the AUTHENTICATED user,
+  // never the context-switched one, to prevent privilege escalation).
+  if (await resolveIsAdmin(req.user, req.authenticatedUserId)) {
     return next();
   }
-  // 2. Native Better Auth Role Check
-  // We MUST check the role of the AUTHENTICATED user, not the ACTIVE user
-  // to prevent privilege escalation via context switching.
-  const userRole =
-    req.user?.role ||
-    (await userRepository.getUserRole(req.authenticatedUserId));
-  if (userRole === 'admin') {
-    return next();
-  }
-  log(
-    'warn',
-    `Admin Check: Access denied for User ${req.userId} (Role: ${userRole})`
-  );
+  log('warn', `Admin Check: Access denied for User ${req.userId}`);
   return res.status(403).json({ error: 'Admin access required.' });
 };
 export { authenticate };

SparkyFitnessServer/models/chatRepository.ts

@@ -314,7 +314,6 @@ async function clearAllChatHistory(userId: string) {
 async function saveChatHistory(
   historyData: Partial<SparkyChatHistory> & {
     messageType?: 'user' | 'assistant';
-    parts?: any[];
   }
 ) {
   const client = await getClient(historyData.user_id); // User-specific operation