Skip to content

Comments

feat(studio-mcp): add workflow CRUD tools with task-based runs#311

Merged
betterclever merged 2 commits intomainfrom
codex/mcp-workflow-tools
Feb 21, 2026
Merged

feat(studio-mcp): add workflow CRUD tools with task-based runs#311
betterclever merged 2 commits intomainfrom
codex/mcp-workflow-tools

Conversation

@betterclever
Copy link
Contributor

@betterclever betterclever commented Feb 21, 2026

Summary

  • add create_workflow, update_workflow, update_workflow_metadata, and delete_workflow to Studio MCP
  • keep the existing task-based run_workflow flow (Task API + monitor loop)
  • extend API-key permission gating for workflow mutation MCP tools
  • expand Studio MCP unit tests for tool registration, auth-context wiring, and permission behavior

Validation

  • bun --cwd backend test src/studio-mcp/__tests__/studio-mcp.service.spec.ts
  • repository push hooks also passed (tsc --build and full test suite)

Signed-off-by: betterclever <paliwal.pranjal83@gmail.com>
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9c5d3f847f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

edges: z.infer<typeof WorkflowEdgeSchema>[];
viewport?: z.infer<typeof WorkflowViewportSchema>;
}) => {
const gate = this.checkPermission(auth, 'workflows.create');

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Expose workflow mutation permissions to API-key auth

This new gate checks workflows.create (and similarly workflows.update/workflows.delete below), but API-key auth currently only carries workflows.run/list/read (see backend/src/auth/auth.guard.ts normalization and backend/src/api-keys/dto/api-key.dto.ts), so these flags are always undefined and checkPermission always denies API-key callers. In practice, all new workflow mutation MCP tools become unusable for API-key clients regardless of key configuration until the permission model is wired end-to-end.

Useful? React with 👍 / 👎.

Signed-off-by: betterclever <paliwal.pranjal83@gmail.com>
@betterclever
Copy link
Contributor Author

Addressed the API-key permission wiring feedback in .

Changes made:

  • Added , , and to API-key permission schema/types.
  • Extended API-key auth normalization in to carry those flags into .

Validated with:

  • bun test v1.3.6 (d530ed99)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Internal token accepted for GET /api/v1/test (org=org-123)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] API key accepted for GET /api/v1/test (org=org-456)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: clerk
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard result - User: user-789, Org: org-999, Roles: [ADMIN], Authenticated: true
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Internal token accepted for GET /api/v1/test (org=org-internal)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Internal token accepted for GET /api/v1/test (org=local-dev)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: clerk
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard result - User: user-1, Org: org-1, Roles: [MEMBER], Authenticated: true
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Internal token accepted for GET /api/v1/test (org=org-from-x-org-id)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] API key accepted for GET /api/v1/test (org=org-api-key)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: clerk
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard result - User: user-1, Org: org-1, Roles: [MEMBER], Authenticated: true
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: clerk
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard result - User: user-1, Org: org-1, Roles: [MEMBER], Authenticated: true
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: clerk
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard result - User: user-1, Org: org-1, Roles: [MEMBER], Authenticated: true
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] API key accepted for GET /api/v1/test (org=org-extract)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: clerk
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard result - User: clerk-user-123, Org: clerk-org-456, Roles: [ADMIN, MEMBER], Authenticated: true
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: clerk
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: local
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard result - User: local-user, Org: local-org, Roles: [ADMIN], Authenticated: true
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Internal token accepted for GET /api/v1/test (org=local-dev)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] API key accepted for GET /api/v1/test (org=org-api)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] API key accepted for GET /api/v1/test (org=org-1)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: clerk
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard result - User: user-1, Org: org-1, Roles: [MEMBER], Authenticated: true

@betterclever
Copy link
Contributor Author

Follow-up: addressed the API-key permission wiring feedback in commit abd21c3.

Implemented:

  • Added workflow create/update/delete permission fields to API key schema/types.
  • Extended AuthGuard API-key permission normalization to propagate those fields into auth context.

Validation:

  • bun --cwd backend test src/auth/tests/auth.guard.spec.ts src/studio-mcp/tests/studio-mcp.service.spec.ts

@betterclever betterclever merged commit b66be74 into main Feb 21, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant