mcp

Author: tannerlinsley

docs/mcp/overview.md

@@ -32,13 +32,26 @@ See [Connecting](./connecting) for client-specific setup instructions.
 
 ## Available Tools
 
-The MCP server exposes three tools:
-
-| Tool             | Description                                                  |
-| ---------------- | ------------------------------------------------------------ |
-| `list_libraries` | List all TanStack libraries with their versions and metadata |
-| `get_doc`        | Fetch a specific documentation page by library and path      |
-| `search_docs`    | Full-text search across all TanStack documentation           |
+The MCP server exposes tools for documentation and showcase management:
+
+### Documentation Tools
+
+| Tool             | Description                                                  | Auth Required |
+| ---------------- | ------------------------------------------------------------ | ------------- |
+| `list_libraries` | List all TanStack libraries with their versions and metadata | No            |
+| `get_doc`        | Fetch a specific documentation page by library and path      | No            |
+| `search_docs`    | Full-text search across all TanStack documentation           | No            |
+
+### Showcase Tools
+
+| Tool                | Description                                | Auth Required |
+| ------------------- | ------------------------------------------ | ------------- |
+| `search_showcases`  | Search approved TanStack showcase projects | No            |
+| `get_showcase`      | Get details of a specific showcase project | No            |
+| `submit_showcase`   | Submit a new project to the showcase       | Yes           |
+| `update_showcase`   | Update your existing showcase submission   | Yes           |
+| `delete_showcase`   | Delete your showcase submission            | Yes           |
+| `list_my_showcases` | List your own showcase submissions         | Yes           |
 
 See [Available Tools](./tools) for detailed parameter documentation.
 

docs/mcp/tools.md

@@ -3,7 +3,9 @@ id: tools
 title: Available Tools
 ---
 
-The TanStack MCP Server exposes three tools for accessing documentation. Each tool is designed for a specific use case.
+The TanStack MCP Server exposes tools for accessing documentation and managing showcase submissions.
+
+## Documentation Tools
 
 ## list_libraries
 
@@ -141,3 +143,201 @@ Search results include URLs that reveal the documentation path structure. For ex
 
 - Library: `query`
 - Path: `framework/react/guides/queries`
+
+---
+
+## Showcase Tools
+
+These tools allow you to interact with the TanStack showcase, a gallery of projects built with TanStack libraries.
+
+### search_showcases
+
+Search approved showcase projects. No authentication required.
+
+#### Parameters
+
+| Parameter       | Type     | Required | Description                                                  |
+| --------------- | -------- | -------- | ------------------------------------------------------------ |
+| `query`         | string   | No       | Text search across name, tagline, description, and URL       |
+| `libraryIds`    | string[] | No       | Filter by TanStack library IDs (e.g., `["query", "router"]`) |
+| `useCases`      | string[] | No       | Filter by use cases (e.g., `["saas", "dashboard"]`)          |
+| `hasSourceCode` | boolean  | No       | Filter to only open source projects                          |
+| `featured`      | boolean  | No       | Filter to only featured projects                             |
+| `limit`         | number   | No       | Max results (default: 20, max: 100)                          |
+| `offset`        | number   | No       | Pagination offset (default: 0)                               |
+
+#### Valid Library IDs
+
+`query`, `router`, `start`, `table`, `form`, `virtual`, `ranger`, `store`, `pacer`, `db`, `ai`, `config`, `devtools`
+
+#### Valid Use Cases
+
+`blog`, `e-commerce`, `saas`, `dashboard`, `documentation`, `portfolio`, `social`, `developer-tool`, `marketing`, `media`
+
+#### Example
+
+```json
+{
+  "name": "search_showcases",
+  "arguments": {
+    "libraryIds": ["query", "router"],
+    "useCases": ["saas"],
+    "limit": 10
+  }
+}
+```
+
+---
+
+### get_showcase
+
+Get details of a specific showcase project by ID.
+
+#### Parameters
+
+| Parameter | Type   | Required | Description   |
+| --------- | ------ | -------- | ------------- |
+| `id`      | string | Yes      | Showcase UUID |
+
+#### Example
+
+```json
+{
+  "name": "get_showcase",
+  "arguments": {
+    "id": "550e8400-e29b-41d4-a716-446655440000"
+  }
+}
+```
+
+---
+
+### submit_showcase
+
+Submit a new project to the TanStack showcase. **Requires authentication.** Submissions are reviewed by moderators before appearing publicly.
+
+#### Parameters
+
+| Parameter       | Type     | Required | Description                            |
+| --------------- | -------- | -------- | -------------------------------------- |
+| `name`          | string   | Yes      | Project name (max 255 characters)      |
+| `tagline`       | string   | Yes      | Short description (max 500 characters) |
+| `description`   | string   | No       | Full description                       |
+| `url`           | string   | Yes      | Project URL                            |
+| `screenshotUrl` | string   | Yes      | Screenshot URL                         |
+| `sourceUrl`     | string   | No       | Source code URL (GitHub, etc.)         |
+| `logoUrl`       | string   | No       | Logo URL                               |
+| `libraries`     | string[] | Yes      | TanStack library IDs used              |
+| `useCases`      | string[] | Yes      | Use case categories                    |
+
+#### Example
+
+```json
+{
+  "name": "submit_showcase",
+  "arguments": {
+    "name": "My Awesome App",
+    "tagline": "A dashboard built with TanStack Query and Router",
+    "url": "https://myapp.com",
+    "screenshotUrl": "https://myapp.com/screenshot.png",
+    "sourceUrl": "https://github.com/user/myapp",
+    "libraries": ["query", "router"],
+    "useCases": ["dashboard", "saas"]
+  }
+}
+```
+
+---
+
+### update_showcase
+
+Update an existing showcase submission. **Requires authentication and ownership.** Updates reset the showcase to pending review.
+
+#### Parameters
+
+| Parameter       | Type     | Required | Description                      |
+| --------------- | -------- | -------- | -------------------------------- |
+| `id`            | string   | Yes      | Showcase UUID to update          |
+| `name`          | string   | Yes      | Project name                     |
+| `tagline`       | string   | Yes      | Short description                |
+| `description`   | string   | No       | Full description                 |
+| `url`           | string   | Yes      | Project URL                      |
+| `screenshotUrl` | string   | Yes      | Screenshot URL                   |
+| `sourceUrl`     | string   | No       | Source code URL (null to remove) |
+| `logoUrl`       | string   | No       | Logo URL (null to remove)        |
+| `libraries`     | string[] | Yes      | TanStack library IDs             |
+| `useCases`      | string[] | Yes      | Use case categories              |
+
+#### Example
+
+```json
+{
+  "name": "update_showcase",
+  "arguments": {
+    "id": "550e8400-e29b-41d4-a716-446655440000",
+    "name": "My Updated App",
+    "tagline": "Now with TanStack Form!",
+    "url": "https://myapp.com",
+    "screenshotUrl": "https://myapp.com/new-screenshot.png",
+    "libraries": ["query", "router", "form"],
+    "useCases": ["dashboard", "saas"]
+  }
+}
+```
+
+---
+
+### delete_showcase
+
+Delete a showcase submission. **Requires authentication and ownership.**
+
+#### Parameters
+
+| Parameter | Type   | Required | Description             |
+| --------- | ------ | -------- | ----------------------- |
+| `id`      | string | Yes      | Showcase UUID to delete |
+
+#### Example
+
+```json
+{
+  "name": "delete_showcase",
+  "arguments": {
+    "id": "550e8400-e29b-41d4-a716-446655440000"
+  }
+}
+```
+
+---
+
+### list_my_showcases
+
+List your own showcase submissions. **Requires authentication.** Returns all your submissions including pending and denied ones.
+
+#### Parameters
+
+| Parameter | Type   | Required | Description                                       |
+| --------- | ------ | -------- | ------------------------------------------------- |
+| `status`  | string | No       | Filter by status: `pending`, `approved`, `denied` |
+| `limit`   | number | No       | Max results (default: 20, max: 100)               |
+| `offset`  | number | No       | Pagination offset (default: 0)                    |
+
+#### Example
+
+```json
+{
+  "name": "list_my_showcases",
+  "arguments": {
+    "status": "pending",
+    "limit": 10
+  }
+}
+```
+
+---
+
+## Rate Limits
+
+- **Read operations** (documentation, search): 60 requests per minute
+- **Write operations** (submit, update, delete): 10 requests per hour
+- **Pending submission limit**: Maximum 5 pending submissions per user

src/mcp/auth.server.ts

@@ -3,7 +3,7 @@ import { mcpApiKeys, mcpRateLimits, users } from '~/db/schema'
 import { eq, sql } from 'drizzle-orm'
 
 export type AuthResult =
-  | { success: true; keyId: string; rateLimitPerMinute: number }
+  | { success: true; keyId: string; userId: string; rateLimitPerMinute: number }
   | { success: false; error: string; status: number }
 
 /**
@@ -90,6 +90,14 @@ export async function validateApiKey(
     }
   }
 
+  if (!apiKey.userId) {
+    return {
+      success: false,
+      error: 'API key has no associated user',
+      status: 401,
+    }
+  }
+
   if (!apiKey.isActive) {
     return {
       success: false,
@@ -106,9 +114,9 @@ export async function validateApiKey(
     }
   }
 
-  // Check that user has 'mcp' capability
+  // Check that user has 'mcp' capability or is admin
   const capabilities = apiKey.userCapabilities ?? []
-  if (!capabilities.includes('mcp')) {
+  if (!capabilities.includes('mcp') && !capabilities.includes('admin')) {
     return {
       success: false,
       error: 'User does not have MCP access',
@@ -125,6 +133,7 @@ export async function validateApiKey(
   return {
     success: true,
     keyId: apiKey.id,
+    userId: apiKey.userId,
     rateLimitPerMinute: apiKey.rateLimitPerMinute,
   }
 }
@@ -200,12 +209,57 @@ export function getClientIp(request: Request): string {
 }
 
 /**
- * Clean up old rate limit records (older than 5 minutes)
+ * Check write rate limit for a user (10 writes per hour by default)
+ * Used for MCP write operations like submitting/updating showcases
+ */
+export async function checkWriteRateLimit(
+  userId: string,
+  limitPerHour: number = 10,
+): Promise<{ allowed: boolean; remaining: number; resetAt: Date }> {
+  const now = new Date()
+  // Round down to the current hour
+  const windowStart = new Date(
+    now.getFullYear(),
+    now.getMonth(),
+    now.getDate(),
+    now.getHours(),
+    0,
+    0,
+    0,
+  )
+  const resetAt = new Date(windowStart.getTime() + 60 * 60 * 1000) // 1 hour
+
+  // Try to increment existing record, or insert new one
+  const result = await db
+    .insert(mcpRateLimits)
+    .values({
+      identifier: userId,
+      identifierType: 'user_write',
+      windowStart,
+      requestCount: 1,
+    })
+    .onConflictDoUpdate({
+      target: [mcpRateLimits.identifier, mcpRateLimits.windowStart],
+      set: {
+        requestCount: sql`${mcpRateLimits.requestCount} + 1`,
+      },
+    })
+    .returning({ requestCount: mcpRateLimits.requestCount })
+
+  const currentCount = result[0]?.requestCount ?? 1
+  const remaining = Math.max(0, limitPerHour - currentCount)
+  const allowed = currentCount <= limitPerHour
+
+  return { allowed, remaining, resetAt }
+}
+
+/**
+ * Clean up old rate limit records (older than 2 hours for hourly limits)
  * Call periodically to prevent table bloat
  */
 export async function cleanupRateLimits(): Promise<void> {
-  const fiveMinutesAgo = new Date(Date.now() - 5 * 60 * 1000)
+  const twoHoursAgo = new Date(Date.now() - 2 * 60 * 60 * 1000)
   await db
     .delete(mcpRateLimits)
-    .where(sql`${mcpRateLimits.windowStart} < ${fiveMinutesAgo}`)
+    .where(sql`${mcpRateLimits.windowStart} < ${twoHoursAgo}`)
 }