Skip to content

feat(studio-mcp): add workflow CRUD tools with task-based runs#311

Merged
betterclever merged 2 commits into
mainfrom
codex/mcp-workflow-tools
Feb 21, 2026
Merged

feat(studio-mcp): add workflow CRUD tools with task-based runs#311
betterclever merged 2 commits into
mainfrom
codex/mcp-workflow-tools

Conversation

@betterclever
Copy link
Copy Markdown
Contributor

@betterclever betterclever commented Feb 21, 2026
edited
Loading

Summary

  • add create_workflow, update_workflow, update_workflow_metadata, and delete_workflow to Studio MCP
  • keep the existing task-based run_workflow flow (Task API + monitor loop)
  • extend API-key permission gating for workflow mutation MCP tools
  • expand Studio MCP unit tests for tool registration, auth-context wiring, and permission behavior

Validation

  • bun --cwd backend test src/studio-mcp/__tests__/studio-mcp.service.spec.ts
  • repository push hooks also passed (tsc --build and full test suite)
@betterclever
feat(studio-mcp): add workflow CRUD tools alongside task runs
9c5d3f8 
Signed-off-by: betterclever <paliwal.pranjal83@gmail.com>
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Feb 21, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9c5d3f847f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Comment thread backend/src/studio-mcp/studio-mcp.service.ts
edges: z.infer<typeof WorkflowEdgeSchema>[];
viewport?: z.infer<typeof WorkflowViewportSchema>;
}) => {
const gate = this.checkPermission(auth, 'workflows.create');
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Feb 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Expose workflow mutation permissions to API-key auth

This new gate checks workflows.create (and similarly workflows.update/workflows.delete below), but API-key auth currently only carries workflows.run/list/read (see backend/src/auth/auth.guard.ts normalization and backend/src/api-keys/dto/api-key.dto.ts), so these flags are always undefined and checkPermission always denies API-key callers. In practice, all new workflow mutation MCP tools become unusable for API-key clients regardless of key configuration until the permission model is wired end-to-end.

Useful? React with 👍 / 👎.
@betterclever
fix(auth): wire workflow mutation permissions for API keys
abd21c3 
Signed-off-by: betterclever <paliwal.pranjal83@gmail.com>
@betterclever
Copy link
Copy Markdown
Contributor Author

betterclever commented Feb 21, 2026

Addressed the API-key permission wiring feedback in .

Changes made:

  • Added , , and to API-key permission schema/types.
  • Extended API-key auth normalization in to carry those flags into .

Validated with:

  • bun test v1.3.6 (d530ed99)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Internal token accepted for GET /api/v1/test (org=org-123)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] API key accepted for GET /api/v1/test (org=org-456)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: clerk
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard result - User: user-789, Org: org-999, Roles: [ADMIN], Authenticated: true
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Internal token accepted for GET /api/v1/test (org=org-internal)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Internal token accepted for GET /api/v1/test (org=local-dev)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: clerk
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard result - User: user-1, Org: org-1, Roles: [MEMBER], Authenticated: true
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Internal token accepted for GET /api/v1/test (org=org-from-x-org-id)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] API key accepted for GET /api/v1/test (org=org-api-key)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: clerk
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard result - User: user-1, Org: org-1, Roles: [MEMBER], Authenticated: true
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: clerk
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard result - User: user-1, Org: org-1, Roles: [MEMBER], Authenticated: true
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: clerk
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard result - User: user-1, Org: org-1, Roles: [MEMBER], Authenticated: true
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] API key accepted for GET /api/v1/test (org=org-extract)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: clerk
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard result - User: clerk-user-123, Org: clerk-org-456, Roles: [ADMIN, MEMBER], Authenticated: true
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: clerk
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: local
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard result - User: local-user, Org: local-org, Roles: [ADMIN], Authenticated: true
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Internal token accepted for GET /api/v1/test (org=local-dev)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] API key accepted for GET /api/v1/test (org=org-api)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] API key accepted for GET /api/v1/test (org=org-1)
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard activating for GET /api/v1/test - Provider: clerk
    [Nest] 3218 - 02/21/2026, 7:51:14 PM LOG [AuthGuard] [AUTH] Guard result - User: user-1, Org: org-1, Roles: [MEMBER], Authenticated: true
@betterclever
Copy link
Copy Markdown
Contributor Author

betterclever commented Feb 21, 2026

Follow-up: addressed the API-key permission wiring feedback in commit abd21c3.

Implemented:

  • Added workflow create/update/delete permission fields to API key schema/types.
  • Extended AuthGuard API-key permission normalization to propagate those fields into auth context.

Validation:

  • bun --cwd backend test src/auth/tests/auth.guard.spec.ts src/studio-mcp/tests/studio-mcp.service.spec.ts
@betterclever betterclever merged commit b66be74 into main Feb 21, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

1 participant

@betterclever