ealmeida/mcp-outline-postgresql
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0329a1179a95e1236f64d393932b04264f1054b2
mcp-outline-postgresql/CLAUDE.md
Emanuel Almeida 0329a1179a fix: corrigir bugs críticos de segurança e memory leaks (v1.2.4) 
- fix(pagination): SQL injection em cursor pagination - validação de nomes de campos
- fix(transaction): substituir Math.random() por crypto.randomBytes() para jitter
- fix(monitoring): memory leak - adicionar .unref() ao setInterval
- docs: adicionar relatório completo de bugs (BUG-REPORT-2026-01-31.md)
- chore: actualizar versão para 1.2.4
2026-01-31 16:09:25 +00:00

253 lines
9.0 KiB
Markdown
Raw Blame History

# CLAUDE.md
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## Project Overview
MCP server for direct PostgreSQL access to Outline Wiki database. Follows patterns established by `mcp-desk-crm-sql-v3`.
**Architecture:** Claude Code -> MCP Outline (stdio) -> PostgreSQL (Outline DB)
**Total Tools:** 164 tools across 33 modules
## Commands
```bash
# Build TypeScript to dist/
npm run build
# Run production server
npm start
# Development with ts-node
npm run dev
# Run tests
npm test
```
## Project Structure
```
src/
├── index.ts # MCP entry point
├── pg-client.ts # PostgreSQL client wrapper
├── config/
│ └── database.ts # DB configuration
├── types/
│ ├── index.ts
│ ├── tools.ts # Base tool types
│ └── db.ts # Database table types
├── tools/
│ ├── index.ts # Export all tools
│ ├── documents.ts # 19 tools - Core document management
│ ├── collections.ts # 14 tools - Collection management
│ ├── users.ts # 9 tools - User management
│ ├── groups.ts # 8 tools - Group management
│ ├── comments.ts # 6 tools - Comment system
│ ├── shares.ts # 5 tools - Document sharing
│ ├── revisions.ts # 3 tools - Version history
│ ├── events.ts # 3 tools - Audit log
│ ├── attachments.ts # 5 tools - File attachments
│ ├── file-operations.ts # 4 tools - Import/export jobs
│ ├── oauth.ts # 8 tools - OAuth management
│ ├── auth.ts # 2 tools - Authentication
│ ├── stars.ts # 3 tools - Bookmarks
│ ├── pins.ts # 3 tools - Pinned documents
│ ├── views.ts # 2 tools - View tracking
│ ├── reactions.ts # 3 tools - Emoji reactions
│ ├── api-keys.ts # 4 tools - API keys
│ ├── webhooks.ts # 4 tools - Webhooks
│ ├── backlinks.ts # 1 tool - Link references
│ ├── search-queries.ts # 2 tools - Search analytics
│ ├── teams.ts # 5 tools - Team/workspace
│ ├── integrations.ts # 6 tools - External integrations
│ ├── notifications.ts # 4 tools - Notifications
│ ├── subscriptions.ts # 4 tools - Subscriptions
│ ├── templates.ts # 5 tools - Templates
│ ├── imports-tools.ts # 4 tools - Import jobs
│ ├── emojis.ts # 3 tools - Custom emojis
│ ├── user-permissions.ts # 3 tools - Permissions
│ ├── bulk-operations.ts # 6 tools - Batch operations
│ ├── advanced-search.ts # 6 tools - Advanced search
│ ├── analytics.ts # 6 tools - Analytics
│ ├── export-import.ts # 2 tools - Markdown export/import
│ └── desk-sync.ts # 2 tools - Desk CRM integration
└── utils/
├── index.ts # Export all utilities
├── logger.ts # Logging utility
├── security.ts # Security utilities (validation, rate limiting)
├── transaction.ts # Transaction helpers with retry logic
├── query-builder.ts # Safe parameterized query builder
├── validation.ts # Zod-based input validation
├── audit.ts # Audit logging for write operations
├── monitoring.ts # Connection pool health monitoring
└── pagination.ts # Cursor-based pagination helpers
```
## Tools Summary (164 total)
| Module | Tools | Description |
|--------|-------|-------------|
| documents | 19 | CRUD, search, archive, move, templates, memberships |
| collections | 14 | CRUD, memberships, groups, export |
| users | 9 | CRUD, suspend, activate, promote, demote |
| groups | 8 | CRUD, memberships |
| comments | 6 | CRUD, resolve |
| shares | 5 | CRUD, revoke |
| revisions | 3 | list, info, compare |
| events | 3 | list, info, stats |
| attachments | 5 | CRUD, stats |
| file-operations | 4 | import/export jobs |
| oauth | 8 | OAuth clients, authentications |
| auth | 2 | auth info, config |
| stars | 3 | list, create, delete (bookmarks) |
| pins | 3 | list, create, delete (highlighted docs) |
| views | 2 | list, create (view tracking) |
| reactions | 3 | list, create, delete (emoji on comments) |
| api-keys | 4 | CRUD (programmatic access) |
| webhooks | 4 | CRUD (event subscriptions) |
| backlinks | 1 | list (document links - read-only view) |
| search-queries | 2 | list, stats (search analytics) |
| teams | 5 | get, update, stats, domains, settings |
| integrations | 6 | list, get, create, update, delete, sync |
| notifications | 4 | list, mark read, mark all read, settings |
| subscriptions | 4 | list, subscribe, unsubscribe, settings |
| templates | 5 | list, get, create from, convert to/from |
| imports | 4 | list, status, create, cancel |
| emojis | 3 | list, create, delete |
| user-permissions | 3 | list, grant, revoke |
| bulk-operations | 6 | archive, delete, move, restore, add/remove users |
| advanced-search | 6 | advanced search, facets, recent, user activity, orphaned, duplicates |
| analytics | 6 | overview, user activity, content insights, collection stats, growth, search |
| export-import | 2 | export collection to markdown, import markdown folder |
| desk-sync | 2 | create desk project doc, link desk task |
## Configuration
Add to `~/.claude.json` under `mcpServers`:
```json
{
"outline": {
"command": "node",
"args": ["/home/ealmeida/mcp-servers/mcp-outline-postgresql/dist/index.js"],
"env": {
"DATABASE_URL": "postgres://outline:password@localhost:5432/outline"
}
}
}
```
## Environment
Required in `.env`:
```
DATABASE_URL=postgres://user:password@host:port/outline
```
## Key Patterns
### Tool Response Format
```typescript
return {
content: [{
type: 'text',
text: JSON.stringify(data, null, 2)
}]
};
```
### Naming Conventions
| Type | Convention | Example |
|------|------------|---------|
| Tool name | snake_case with prefix | `outline_list_documents` |
| Function | camelCase | `listDocuments` |
| Type | PascalCase | `DocumentRow` |
| File | kebab-case | `documents.ts` |
## Database
**PostgreSQL 15** - Direct SQL access (not Outline API)
Key tables: `documents`, `collections`, `users`, `groups`, `comments`, `revisions`, `shares`, `attachments`, `events`, `stars`, `pins`, `views`, `file_operations`, `oauth_clients`
Soft deletes: Most entities use `deletedAt` column, not hard deletes.
See `SPEC-MCP-OUTLINE.md` for complete database schema.
## Security Utilities
The `src/utils/security.ts` module provides essential security functions:
### Validation Functions
| Function | Description |
|----------|-------------|
| `isValidUUID(uuid)` | Validate UUID format |
| `isValidUrlId(urlId)` | Validate URL-safe ID format |
| `isValidEmail(email)` | Validate email format |
| `isValidHttpUrl(url)` | Validate URL is HTTP(S) - rejects javascript:, data:, file: protocols |
| `isValidISODate(date)` | Validate ISO date format (YYYY-MM-DD or full ISO) |
| `validateDaysInterval(days, default, max)` | Validate and clamp days interval for SQL |
| `validatePeriod(period, allowed, default)` | Validate period against allowed values |
| `validatePagination(limit, offset)` | Validate and normalize pagination params |
| `validateSortDirection(direction)` | Validate sort direction (ASC/DESC) |
| `validateSortField(field, allowed, default)` | Validate sort field against whitelist |
### Sanitization Functions
| Function | Description |
|----------|-------------|
| `sanitizeInput(input)` | Remove null bytes and trim whitespace |
| `escapeHtml(text)` | Escape HTML entities for safe display |
### Rate Limiting
| Function | Description |
|----------|-------------|
| `checkRateLimit(type, clientId)` | Check if request should be rate limited |
| `startRateLimitCleanup()` | Start background cleanup of expired entries |
| `stopRateLimitCleanup()` | Stop cleanup interval (call on shutdown) |
| `clearRateLimitStore()` | Clear all rate limit entries (testing) |
### Usage Example
```typescript
import {
isValidUUID,
isValidHttpUrl,
validateDaysInterval,
startRateLimitCleanup,
stopRateLimitCleanup
} from './utils/security.js';
// Validation before SQL
if (!isValidUUID(args.user_id)) {
throw new Error('Invalid user_id format');
}
// URL validation (prevents XSS)
if (!isValidHttpUrl(args.webhook_url)) {
throw new Error('Invalid URL. Only HTTP(S) allowed.');
}
// Safe interval for SQL
const safeDays = validateDaysInterval(args.days, 30, 365);
// Use in query: `INTERVAL '${safeDays} days'` is safe (it's a number)
// Lifecycle management
startRateLimitCleanup(); // On server start
stopRateLimitCleanup(); // On graceful shutdown
```
## Cryptographic Security
Secrets and tokens use `crypto.randomBytes()` instead of `Math.random()`:
- **OAuth secrets:** `oauth.ts` - `sk_` prefixed base64url tokens
- **API keys:** `api-keys.ts` - `ol_` prefixed keys, only hash stored in DB
- **Share URLs:** `shares.ts` - Cryptographically secure URL IDs
Reference in New Issue View Git Blame Copy Permalink