fix: MCP build and deploy on AWS env (#691)

Author: mkleszcz

packages/backend/infra/stacks/api/stack.ts

@@ -77,9 +77,6 @@ export class ApiStack extends Stack {
       );
 
       const healthCheckPath = '/lbcheck';
-      
-      // AI Assistant configuration
-      const aiEnabled = envSettings.aiConfig?.enabled ?? false;
       const mcpServerUrl = envSettings.aiConfig?.mcpServerUrl;
 
       return new ApplicationMultipleTargetGroupsFargateService(
@@ -112,10 +109,7 @@ export class ApiStack extends Stack {
               csrfTrustedOrigins,
               mcpServerUrl,
             }),
-            secrets: getBackendSecrets(this, { 
-              envSettings, 
-              includeAiSecrets: aiEnabled,
-            }),
+            secrets: getBackendSecrets(this, { envSettings }),
           },
           {
             containerName: 'xray-daemon',

packages/backend/infra/stacks/lib/names.ts

@@ -3,3 +3,7 @@ import { EnvironmentSettings } from '@sb/infra-core';
 export function getBackendChamberServiceName(envSettings: EnvironmentSettings) {
   return `env-${envSettings.projectEnvName}-backend`;
 }
+
+export function getMcpServerChamberServiceName(envSettings: EnvironmentSettings) {
+  return `env-${envSettings.projectEnvName}-mcp-server`;
+}

packages/backend/infra/stacks/lib/secrets.ts

@@ -3,36 +3,21 @@ import * as ecs from 'aws-cdk-lib/aws-ecs';
 import * as sm from 'aws-cdk-lib/aws-secretsmanager';
 import { EnvComponentsStack, MainDatabase } from '@sb/infra-shared';
 import { Fn } from 'aws-cdk-lib';
-import { EnvironmentSettings } from '@sb/infra-core';
-
-/**
- * Get the name for the AI secrets stored in AWS Secrets Manager.
- * Follows the project naming convention: env-{projectName}-{envStage}-ai-secrets
- *
- * To enable AI Assistant, create a secret in AWS Secrets Manager with this name
- * containing a JSON object with the following structure:
- * {
- *   "OPENAI_API_KEY": "sk-..."
- * }
- */
-export function getAiSecretsName(envSettings: EnvironmentSettings): string {
-  return `env-${envSettings.projectName}-${envSettings.envStage}-ai-secrets`;
-}
+import type { EnvironmentSettings } from '@sb/infra-core';
 
 interface GetBackendSecretsOptions {
   envSettings: EnvironmentSettings;
-  includeAiSecrets?: boolean;
 }
 
 export function getBackendSecrets(
   scope: Construct,
-  { envSettings, includeAiSecrets = false }: GetBackendSecretsOptions,
+  { envSettings }: GetBackendSecretsOptions,
 ) {
   const dbSecretArn = Fn.importValue(
     MainDatabase.getDatabaseSecretArnOutputExportName(envSettings),
   );
 
-  const baseSecrets = {
+  return {
     DB_CONNECTION: ecs.Secret.fromSecretsManager(
       sm.Secret.fromSecretCompleteArn(scope, 'DbSecret', dbSecretArn),
     ),
@@ -44,22 +29,4 @@ export function getBackendSecrets(
       ),
     ),
   };
-
-  // AI secrets are opt-in to avoid deployment failures when not configured
-  if (includeAiSecrets) {
-    const aiSecretsManager = sm.Secret.fromSecretNameV2(
-      scope,
-      'AiSecrets',
-      getAiSecretsName(envSettings),
-    );
-    return {
-      ...baseSecrets,
-      OPENAI_API_KEY: ecs.Secret.fromSecretsManager(
-        aiSecretsManager,
-        'OPENAI_API_KEY',
-      ),
-    };
-  }
-
-  return baseSecrets;
 }

packages/backend/infra/stacks/mcpServer/stack.ts

@@ -7,8 +7,9 @@ import {
   EnvConstructProps,
   getHostedZone,
 } from '@sb/infra-core';
-import { FargateServiceResources, MainECSCluster } from '@sb/infra-shared';
+import { FargateServiceResources, MainECSCluster, MainKmsKey } from '@sb/infra-shared';
 
+import { getMcpServerChamberServiceName } from '../lib/names';
 import { getMcpServerServiceName } from './names';
 
 export interface McpServerStackProps extends StackProps, EnvConstructProps {}
@@ -37,7 +38,6 @@ export class McpServerStack extends Stack {
     const resources = new FargateServiceResources(this, 'McpServerResources', props);
     this.fargateService = this.createFargateService(resources, props);
 
-    // Basic auto-scaling
     const scaling = this.fargateService.service.autoScaleTaskCount({
       maxCapacity: 3,
     });
@@ -52,14 +52,36 @@ export class McpServerStack extends Stack {
     props: McpServerStackProps,
   ) {
     const { envSettings } = props;
+    const stack = Stack.of(this);
 
-    // Create a basic task role for MCP server
     const taskRole = new iam.Role(this, 'McpServerTaskRole', {
       assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
     });
 
-    // The MCP server needs to communicate with the backend API
-    // The GraphQL endpoint is internal to the VPC
+    const chamberServiceName = getMcpServerChamberServiceName(envSettings);
+    taskRole.addToPolicy(
+      new iam.PolicyStatement({
+        actions: ['kms:Get*', 'kms:Describe*', 'kms:List*', 'kms:Decrypt'],
+        resources: [
+          Fn.importValue(MainKmsKey.getMainKmsOutputExportName(envSettings)),
+        ],
+      }),
+    );
+    taskRole.addToPolicy(
+      new iam.PolicyStatement({
+        actions: ['ssm:DescribeParameters'],
+        resources: ['*'],
+      }),
+    );
+    taskRole.addToPolicy(
+      new iam.PolicyStatement({
+        actions: ['ssm:GetParameters*'],
+        resources: [
+          `arn:aws:ssm:${stack.region}:${stack.account}:parameter/${chamberServiceName}/*`,
+        ],
+      }),
+    );
+
     const graphqlEndpoint = `https://${envSettings.domains.api}/api/graphql/`;
 
     const httpsListener =
@@ -78,7 +100,6 @@ export class McpServerStack extends Stack {
 
     const domainZone = getHostedZone(this, envSettings);
 
-    // MCP Server domain from environment configuration
     const mcpDomain = envSettings.domains.mcp;
 
     return new ApplicationMultipleTargetGroupsFargateService(
@@ -89,7 +110,7 @@ export class McpServerStack extends Stack {
         serviceName: getMcpServerServiceName(props.envSettings),
         healthCheckGracePeriod: Duration.minutes(2),
         cluster: resources.mainCluster,
-        cpu: 256, // MCP server is lightweight
+        cpu: 256,
         memoryLimitMiB: 512,
         desiredCount: 1,
         taskRole,
@@ -103,7 +124,9 @@ export class McpServerStack extends Stack {
             environment: {
               GRAPHQL_ENDPOINT: graphqlEndpoint,
               MCP_LOG_LEVEL: 'info',
-              MUTATION_MODE: 'explicit', // Only allow pre-defined mutations
+              MUTATION_MODE: 'explicit',
+              CHAMBER_SERVICE_NAME: chamberServiceName,
+              CHAMBER_KMS_KEY_ALIAS: MainKmsKey.getKeyAlias(envSettings),
             },
           },
         ],
@@ -118,10 +141,11 @@ export class McpServerStack extends Stack {
         targetGroups: [
           {
             protocol: ecs.Protocol.TCP,
-            containerPort: 4000, // MCP server default port
-            priority: 10, // Lower priority than API
+            containerPort: 4000,
+            targetProtocol: elb2.ApplicationProtocol.HTTP,
+            priority: 10,
             hostHeader: mcpDomain,
-            healthCheckPath: '/', // Basic health check - MCP server responds on root
+            healthCheckPath: '/health',
           },
         ],
       },

packages/infra/infra-core/src/lib/env-config.ts

@@ -67,7 +67,7 @@ interface CertificatesConfig {
  * To enable the AI Assistant feature:
  * 1. Set SB_AI_ENABLED=true
  * 2. Set SB_MCP_SERVER_URL to your MCP server URL
- * 3. Create AWS Secrets Manager secret with OPENAI_API_KEY
+ * 3. Add OPENAI_API_KEY via `pnpm saas backend secrets`
  */
 export interface AiConfig {
   enabled: boolean;

packages/infra/infra-core/src/lib/patterns/applicationMultipleTargetGroupsFargateServiceBase.ts

@@ -212,6 +212,14 @@ export interface ApplicationTargetProps {
    */
   readonly protocol?: Protocol;
 
+  /**
+   * The protocol for connections from the load balancer to the target (HTTP or HTTPS).
+   * Only needed for ports not in the default list (80, 443, 8080, 8000, 8008, 8443).
+   *
+   * @default - Inferred from port for known ports; HTTP for custom ports
+   */
+  readonly targetProtocol?: ApplicationProtocol;
+
   /**
    * Name of the listener the target group attached to.
    *
@@ -444,19 +452,24 @@ export abstract class ApplicationMultipleTargetGroupsServiceBase extends Constru
     targets: ApplicationTargetProps[]
   ): ApplicationTargetGroup {
     interface GroupedTarget {
-      target: { protocol?: Protocol; containerPort: number };
+      target: {
+        protocol?: Protocol;
+        containerPort: number;
+        targetProtocol?: ApplicationProtocol;
+      };
       hosts: ApplicationTargetProps[];
       healthCheckPath: string;
     }
 
     const groupedTargets: { [id: string]: GroupedTarget } = {};
     targets?.forEach((targetProps) => {
-      const key = `${targetProps.protocol}, ${targetProps.containerPort}`;
+      const key = `${targetProps.protocol}, ${targetProps.containerPort}, ${targetProps.targetProtocol ?? 'default'}`;
       if (!(key in groupedTargets)) {
         groupedTargets[key] = {
           target: {
             protocol: targetProps.protocol,
             containerPort: targetProps.containerPort,
+            targetProtocol: targetProps.targetProtocol,
           },
           hosts: [],
           healthCheckPath: targetProps.healthCheckPath,
@@ -471,6 +484,7 @@ export abstract class ApplicationMultipleTargetGroupsServiceBase extends Constru
         {
           vpc: service.cluster.vpc,
           port: groupedTarget.target.containerPort,
+          protocol: groupedTarget.target.targetProtocol,
           healthCheck: {
             path: groupedTarget.healthCheckPath,
             protocol: ELBProtocol.HTTP,

packages/infra/infra-core/src/lib/patterns/serviceCiConfig.ts

@@ -12,6 +12,7 @@ export interface IServiceCiConfig {
 
 export enum PnpmWorkspaceFilters {
   BACKEND = 'backend...',
+  MCP_SERVER = 'mcp-server...',
   INFRA_SHARED = 'infra-shared...',
   DOCS = 'docs...',
   WEBAPP_EMAILS = 'webapp-emails...',

packages/infra/infra-shared/src/stacks/ci/ciMcpServer.ts

@@ -73,7 +73,7 @@ export class McpServerCiConfig extends ServiceCiConfig {
 
   private createBuildProject(props: McpServerCiConfigProps) {
     const preBuildCommands = [
-      ...this.getWorkspaceSetupCommands(PnpmWorkspaceFilters.INFRA_SHARED),
+      ...this.getWorkspaceSetupCommands(PnpmWorkspaceFilters.MCP_SERVER),
     ];
 
     const project = new codebuild.Project(this, 'McpServerBuildProject', {
@@ -86,7 +86,7 @@ export class McpServerCiConfig extends ServiceCiConfig {
             commands: preBuildCommands,
           },
           build: {
-            commands: ['pnpm nx run mcp-server:build'],
+            commands: ['pnpm saas mcp-server build'],
           },
         },
       }),
@@ -159,10 +159,10 @@ export class McpServerCiConfig extends ServiceCiConfig {
           install: this.getNodeInstallPhase(),
           pre_build: {
             commands: this.getWorkspaceSetupCommands(
-              PnpmWorkspaceFilters.INFRA_SHARED,
+              PnpmWorkspaceFilters.BACKEND,
             ),
           },
-          build: { commands: ['pnpm nx run mcp-server:deploy'] },
+          build: { commands: ['pnpm saas mcp-server deploy'] },
         },
         cache: {
           paths: [...this.defaultCachePaths],

packages/internal/cli/src/commands/mcp-server/secrets.ts

@@ -0,0 +1,32 @@
+import { color } from '@oclif/color';
+
+import { initConfig } from '../../config/init';
+import { assertDockerIsRunning, dockerHubLogin } from '../../lib/docker';
+import { runSecretsEditor } from '../../lib/secretsEditor';
+import { BaseCommand } from '../../baseCommand';
+
+export default class McpServerSecrets extends BaseCommand<typeof McpServerSecrets> {
+  static description =
+    'Runs an ssm-editor helper tool to set runtime environment variables of the MCP server container. ' +
+    'Uses Chamber to fetch and set variables in AWS SSM Parameter Store (e.g. OPENAI_API_KEY).';
+
+  static examples = [`$ <%= config.bin %> <%= command.id %>`];
+
+  async run(): Promise<void> {
+    const { envStage, awsAccountId, awsRegion, rootPath } = await initConfig(
+      this,
+      { requireAws: true },
+    );
+    await assertDockerIsRunning();
+    await dockerHubLogin();
+
+    this.log(`Setting secrets in AWS SSM Parameter Store for:
+  service: ${color.green('mcp-server')}
+  envStage: ${color.green(envStage)}
+  AWS account: ${color.green(awsAccountId)}
+  AWS region: ${color.green(awsRegion)}
+`);
+
+    await runSecretsEditor({ serviceName: 'mcp-server', rootPath });
+  }
+}

packages/internal/cli/tsconfig.tsbuildinfo

@@ -1 +1 @@
-{"root":["./src/basecommand.ts","./src/index.ts","./src/commands/build.ts","./src/commands/deploy.ts","./src/commands/down.ts","./src/commands/lint.ts","./src/commands/test.ts","./src/commands/up.ts","./src/commands/aws/get-env.ts","./src/commands/aws/login.ts","./src/commands/aws/set-env.ts","./src/commands/aws/set-var.ts","./src/commands/backend/black.ts","./src/commands/backend/build-docs.ts","./src/commands/backend/build.ts","./src/commands/backend/down.ts","./src/commands/backend/makemigrations.ts","./src/commands/backend/migrate.ts","./src/commands/backend/remote-shell.ts","./src/commands/backend/ruff.ts","./src/commands/backend/secrets.ts","./src/commands/backend/shell.ts","./src/commands/backend/test.ts","./src/commands/backend/up.ts","./src/commands/backend/deploy/api.ts","./src/commands/backend/deploy/celery.ts","./src/commands/backend/deploy/demo-cleanup.ts","./src/commands/backend/deploy/mcp-server.ts","./src/commands/backend/deploy/migrations.ts","./src/commands/backend/stripe/sync.ts","./src/commands/ci/get-artifacts-bucket.ts","./src/commands/db/shell.ts","./src/commands/docs/build.ts","./src/commands/docs/deploy.ts","./src/commands/docs/up.ts","./src/commands/emails/build.ts","./src/commands/emails/secrets.ts","./src/commands/emails/test.ts","./src/commands/infra/bootstrap.ts","./src/commands/infra/deploy.ts","./src/commands/mcp-server/build.ts","./src/commands/mcp-server/deploy.ts","./src/commands/render/deploy.ts","./src/commands/render/setup.ts","./src/commands/render/status.ts","./src/commands/vps/deploy.ts","./src/commands/vps/setup.ts","./src/commands/vps/ssh.ts","./src/commands/vps/status.ts","./src/commands/webapp/build.ts","./src/commands/webapp/deploy.ts","./src/commands/webapp/lint.ts","./src/commands/webapp/secrets.ts","./src/commands/webapp/storybook.ts","./src/commands/webapp/test.ts","./src/commands/webapp/type-check.ts","./src/commands/webapp/up.ts","./src/commands/webapp/graphql/download-schema.ts","./src/commands/workers/black.ts","./src/commands/workers/build.ts","./src/commands/workers/deploy.ts","./src/commands/workers/lint.ts","./src/commands/workers/secrets.ts","./src/commands/workers/shell.ts","./src/commands/workers/test.ts","./src/commands/workers/invoke/local.ts","./src/config/aws.ts","./src/config/env.ts","./src/config/init.ts","./src/config/platform.ts","./src/config/storage.ts","./src/config/telemetry.ts","./src/hooks/init/instrumentation.ts","./src/lib/awsvault.ts","./src/lib/chamber.ts","./src/lib/docker.ts","./src/lib/preflight.ts","./src/lib/prompts.ts","./src/lib/renderapi.ts","./src/lib/runcommand.ts","./src/lib/secretseditor.ts","./src/lib/ui/banner.ts","./src/lib/ui/healthdashboard.ts","./src/lib/ui/index.ts","./src/lib/ui/keyboard.ts","./src/lib/ui/renderer.ts","./src/lib/ui/spinner.ts"],"version":"5.9.3"}
+{"root":["./src/basecommand.ts","./src/index.ts","./src/commands/build.ts","./src/commands/deploy.ts","./src/commands/down.ts","./src/commands/lint.ts","./src/commands/test.ts","./src/commands/up.ts","./src/commands/aws/get-env.ts","./src/commands/aws/login.ts","./src/commands/aws/set-env.ts","./src/commands/aws/set-var.ts","./src/commands/backend/black.ts","./src/commands/backend/build-docs.ts","./src/commands/backend/build.ts","./src/commands/backend/down.ts","./src/commands/backend/makemigrations.ts","./src/commands/backend/migrate.ts","./src/commands/backend/remote-shell.ts","./src/commands/backend/ruff.ts","./src/commands/backend/secrets.ts","./src/commands/backend/shell.ts","./src/commands/backend/test.ts","./src/commands/backend/up.ts","./src/commands/backend/deploy/api.ts","./src/commands/backend/deploy/celery.ts","./src/commands/backend/deploy/demo-cleanup.ts","./src/commands/backend/deploy/mcp-server.ts","./src/commands/backend/deploy/migrations.ts","./src/commands/backend/stripe/sync.ts","./src/commands/ci/get-artifacts-bucket.ts","./src/commands/db/shell.ts","./src/commands/docs/build.ts","./src/commands/docs/deploy.ts","./src/commands/docs/up.ts","./src/commands/emails/build.ts","./src/commands/emails/secrets.ts","./src/commands/emails/test.ts","./src/commands/infra/bootstrap.ts","./src/commands/infra/deploy.ts","./src/commands/mcp-server/build.ts","./src/commands/mcp-server/deploy.ts","./src/commands/mcp-server/secrets.ts","./src/commands/render/deploy.ts","./src/commands/render/setup.ts","./src/commands/render/status.ts","./src/commands/vps/deploy.ts","./src/commands/vps/setup.ts","./src/commands/vps/ssh.ts","./src/commands/vps/status.ts","./src/commands/webapp/build.ts","./src/commands/webapp/deploy.ts","./src/commands/webapp/lint.ts","./src/commands/webapp/secrets.ts","./src/commands/webapp/storybook.ts","./src/commands/webapp/test.ts","./src/commands/webapp/type-check.ts","./src/commands/webapp/up.ts","./src/commands/webapp/graphql/download-schema.ts","./src/commands/workers/black.ts","./src/commands/workers/build.ts","./src/commands/workers/deploy.ts","./src/commands/workers/lint.ts","./src/commands/workers/secrets.ts","./src/commands/workers/shell.ts","./src/commands/workers/test.ts","./src/commands/workers/invoke/local.ts","./src/config/aws.ts","./src/config/env.ts","./src/config/init.ts","./src/config/platform.ts","./src/config/storage.ts","./src/config/telemetry.ts","./src/hooks/init/instrumentation.ts","./src/lib/awsvault.ts","./src/lib/chamber.ts","./src/lib/docker.ts","./src/lib/preflight.ts","./src/lib/prompts.ts","./src/lib/renderapi.ts","./src/lib/runcommand.ts","./src/lib/secretseditor.ts","./src/lib/ui/banner.ts","./src/lib/ui/healthdashboard.ts","./src/lib/ui/index.ts","./src/lib/ui/keyboard.ts","./src/lib/ui/renderer.ts","./src/lib/ui/spinner.ts"],"version":"5.9.3"}