update reviewer authentication and API calls

Author: aadesh18

apps/backend/src/app/api/latest/internal/mcp-review/add-manual/route.ts

@@ -1,4 +1,4 @@
-import { callReducerStrict } from "@/lib/ai/spacetimedb-client";
+import { callReducerStrict, opt } from "@/lib/ai/spacetimedb-client";
 import { assertIsAiChatReviewer } from "@/lib/ai/qa/reviewer-auth";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { adaptSchema, yupBoolean, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
@@ -16,6 +16,7 @@ export const POST = createSmartRouteHandler({
       question: yupString().defined(),
       answer: yupString().defined(),
       publish: yupBoolean().defined(),
+      requestId: yupString(),
     }).defined(),
     method: yupString().oneOf(["POST"]).defined(),
   }),
@@ -27,8 +28,8 @@ export const POST = createSmartRouteHandler({
     }).defined(),
   }),
   handler: async ({ auth, body }) => {
+    assertIsAiChatReviewer(auth);
     const user = auth.user;
-    assertIsAiChatReviewer(user);
 
     const token = getEnvVariable("STACK_MCP_LOG_TOKEN");
     await callReducerStrict("add_manual_qa", [
@@ -37,6 +38,7 @@ export const POST = createSmartRouteHandler({
       body.answer,
       body.publish,
       user.display_name ?? user.primary_email ?? user.id,
+      body.requestId
     ]);
 
     return {

apps/backend/src/app/api/latest/internal/mcp-review/delete/route.ts

@@ -25,7 +25,7 @@ export const POST = createSmartRouteHandler({
     }).defined(),
   }),
   handler: async ({ auth, body }) => {
-    assertIsAiChatReviewer(auth.user);
+    assertIsAiChatReviewer(auth);
 
     const token = getEnvVariable("STACK_MCP_LOG_TOKEN");
     await callReducerStrict("delete_qa_entry", [

apps/backend/src/app/api/latest/internal/mcp-review/mark-reviewed/route.ts

@@ -25,8 +25,8 @@ export const POST = createSmartRouteHandler({
     }).defined(),
   }),
   handler: async ({ auth, body }) => {
+    assertIsAiChatReviewer(auth);
     const user = auth.user;
-    assertIsAiChatReviewer(user);
 
     const token = getEnvVariable("STACK_MCP_LOG_TOKEN");
     await callReducerStrict("mark_human_reviewed", [

apps/backend/src/app/api/latest/internal/mcp-review/unmark-reviewed/route.ts

@@ -25,7 +25,7 @@ export const POST = createSmartRouteHandler({
     }).defined(),
   }),
   handler: async ({ auth, body }) => {
-    assertIsAiChatReviewer(auth.user);
+    assertIsAiChatReviewer(auth);
 
     const token = getEnvVariable("STACK_MCP_LOG_TOKEN");
     await callReducerStrict("unmark_human_reviewed", [

apps/backend/src/app/api/latest/internal/mcp-review/update-correction/route.ts

@@ -28,8 +28,8 @@ export const POST = createSmartRouteHandler({
     }).defined(),
   }),
   handler: async ({ auth, body }) => {
+    assertIsAiChatReviewer(auth);
     const user = auth.user;
-    assertIsAiChatReviewer(user);
 
     const token = getEnvVariable("STACK_MCP_LOG_TOKEN");
     const reviewer = user.display_name ?? user.primary_email ?? user.id;

apps/backend/src/app/api/latest/internal/mcp-review/update-qa-entry/route.ts

@@ -28,8 +28,8 @@ export const POST = createSmartRouteHandler({
     }).defined(),
   }),
   handler: async ({ auth, body }) => {
+    assertIsAiChatReviewer(auth);
     const user = auth.user;
-    assertIsAiChatReviewer(user);
 
     const token = getEnvVariable("STACK_MCP_LOG_TOKEN");
     const editor = user.display_name ?? user.primary_email ?? user.id;

apps/backend/src/app/api/latest/internal/spacetimedb-enroll-reviewer/route.ts

@@ -26,8 +26,8 @@ export const POST = createSmartRouteHandler({
     }).defined(),
   }),
   handler: async ({ auth, body }) => {
+    assertIsAiChatReviewer(auth);
     const user = auth.user;
-    assertIsAiChatReviewer(user);
     if (!/^[0-9a-fA-F]{64}$/.test(body.identity)) {
       throw new StatusError(StatusError.BadRequest, "Invalid identity.");
     }

apps/backend/src/lib/ai/qa/reviewer-auth.ts

@@ -1,6 +1,19 @@
+import { KnownErrors } from "@stackframe/stack-shared";
 import { StatusError } from "@stackframe/stack-shared/dist/utils/errors";
 
-export function assertIsAiChatReviewer(user: { client_read_only_metadata?: unknown }): void {
+export function assertIsAiChatReviewer(auth: {
+  project: { id: string },
+  user?: { client_read_only_metadata?: unknown } | null,
+}): void {
+  if (auth.project.id !== "internal") {
+    throw new KnownErrors.ExpectedInternalProject();
+  }
+
+  const user = auth.user;
+  if (!user) {
+    throw new StatusError(StatusError.Unauthorized, "You must be signed in to perform MCP review operations.");
+  }
+
   const metadata = user.client_read_only_metadata;
   if (!(metadata && typeof metadata === "object" && "isAiChatReviewer" in metadata && metadata.isAiChatReviewer === true)) {
     throw new StatusError(StatusError.Forbidden, "You are not approved to perform MCP review operations.");

apps/backend/src/lib/ai/spacetimedb-client.ts

@@ -67,27 +67,34 @@ function spacetimeDbError(label: string, status: number, preview: string): Error
   return new StackAssertionError(detail);
 }
 
-export async function callReducer(reducer: string, args: unknown[]): Promise<void> {
+async function callWithEnrollmentRetry(reducer: string, args: unknown[]): Promise<boolean> {
   const token = await getServiceToken();
-  if (!token) return;
-  await rawCallReducer(token, reducer, args);
+  if (!token) return false;
+  try {
+    await rawCallReducer(token, reducer, args);
+    return true;
+  } catch (err) {
+    if (!(err instanceof StatusError) || err.statusCode !== 401) throw err;
+    enrollmentPromise = null;
+    const fresh = await getServiceToken();
+    if (!fresh) throw err;
+    await rawCallReducer(fresh, reducer, args);
+    return true;
+  }
+}
+
+export async function callReducer(reducer: string, args: unknown[]): Promise<void> {
+  await callWithEnrollmentRetry(reducer, args);
 }
 
-/**
- * Like {@link callReducer} but throws when SpacetimeDB isn't configured, rather
- * than no-opping. Use for endpoints where the client treats a 200 as proof the
- * mutation actually ran (reviewer enrollment, human QA edits, deletions).
- * Fire-and-forget logging paths should keep using the best-effort variant.
- */
 export async function callReducerStrict(reducer: string, args: unknown[]): Promise<void> {
-  const token = await getServiceToken();
-  if (!token) {
+  const ran = await callWithEnrollmentRetry(reducer, args);
+  if (!ran) {
     throw new StackAssertionError(
       `SpacetimeDB is not configured. Reducer ${reducer} cannot run. ` +
       `Check STACK_SPACETIMEDB_URL and STACK_SPACETIMEDB_SERVICE_TOKEN.`
     );
   }
-  await rawCallReducer(token, reducer, args);
 }
 
 /**
@@ -130,4 +137,3 @@ export async function callSql<T = Record<string, unknown>>(sql: string): Promise
     return obj as T;
   });
 }
-

apps/e2e/tests/spacetimedb/helpers.ts

@@ -158,6 +158,27 @@ function coerceBigInt(raw: unknown): bigint | undefined {
   if (typeof raw === "bigint") return raw;
   return undefined;
 }
+async function collectStackUserIdsForIdentities(
+  callerToken: string,
+  identities: ReadonlySet<string>,
+): Promise<Set<string>> {
+  const out = new Set<string>();
+  if (identities.size === 0) return out;
+  const { rows } = await sqlQuery(callerToken, "SELECT * FROM operators");
+  for (const row of rows) {
+    const stackUserIdRaw = row.stack_user_id ?? row.stackUserId;
+    if (typeof stackUserIdRaw !== "string") continue;
+    if (stackUserIdRaw === "__service__") continue;
+    const rowJson = JSON.stringify(row).toLowerCase();
+    for (const identity of identities) {
+      if (rowJson.includes(identity.toLowerCase())) {
+        out.add(stackUserIdRaw);
+        break;
+      }
+    }
+  }
+  return out;
+}
 
 /**
  * Per-test collector for anything these tests drop into SpacetimeDB so
@@ -198,11 +219,12 @@ export function createCleanupScope(): CleanupScope {
       const caller = await mintIdentity().catch(() => null);
       if (caller == null) return;
 
+      const callerStackUserId = `cleanup-${caller.identity}`;
       try {
         await callReducer(caller.token, "add_operator", [
           logToken,
           [`0x${caller.identity}`],
-          `__cleanup__-${caller.identity}`,
+          callerStackUserId,
           "Cleanup Scope",
         ]).catch(() => undefined);
 
@@ -225,11 +247,15 @@ export function createCleanupScope(): CleanupScope {
           await callReducer(caller.token, "delete_ai_query_log", [logToken, correlationId]).catch(() => undefined);
         }
 
-        for (const identity of identities) {
-          await callReducer(caller.token, "remove_operator", [logToken, [`0x${identity}`]]).catch(() => undefined);
+        if (identities.size > 0) {
+          const stackUserIdsToRemove = await collectStackUserIdsForIdentities(caller.token, identities)
+            .catch(() => new Set<string>());
+          for (const stackUserId of stackUserIdsToRemove) {
+            await callReducer(caller.token, "remove_operators_for_user", [logToken, stackUserId]).catch(() => undefined);
+          }
         }
       } finally {
-        await callReducer(caller.token, "remove_operator", [logToken, [`0x${caller.identity}`]]).catch(() => undefined);
+        await callReducer(caller.token, "remove_operators_for_user", [logToken, callerStackUserId]).catch(() => undefined);
         identities.clear();
         questions.clear();
         aiQueryCorrelationIds.clear();