The mcp tools must works with the data access policy.
*_access_policy:
sync -> then the mcp must access to the qdrant to retrive informations
api_only -> the mcp tool must directly access to the shop's REST API to access t
not_allowed -> mcp tools must return with info to the LLM to we can not access to this informations
Currently i tested with an LLM the tool, i asked him about an order, it called the shoprenter_list_orders tool (store id: 3e8bbd69-e20f-40ee-9e15-2056762988f6)
The store config: store_sync_config.sync_orders: api_only.
Yesterday the store_sync_config table changed, the sync_* tables replaced with enum type. Maybe the mcp tools has not updated.
The mcp tools must works with the data access policy.
*_access_policy:
- sync -> then the mcp must access to the qdrant to retrive informations
- api_only -> the mcp tool must directly access to the shop's REST API to access t
- not_allowed -> mcp tools must return with info to the LLM to we can not access to this informations
Currently i tested with an LLM the tool, i asked him about an order, it called the shoprenter_list_orders tool (store id: `3e8bbd69-e20f-40ee-9e15-2056762988f6`)
arguments:
```
{
"shop_id": "3e8bbd69-e20f-40ee-9e15-2056762988f6",
"email": "ferenc.szontagh@smartbotics.ai",
"limit": 5
}
```
Response:
```
[
{
"type": "text",
"text": "{\"error\":\"Failed to fetch orders: Qdrant API error (404): {\\\"status\\\":{\\\"error\\\":\\\"Not found: Collection `smartboticsapptest-orders` doesn't exist!\\\"},\\\"time\\\":4.428e-6}\"}"
}
]
```
The store config: `store_sync_config.sync_orders`: `api_only`.
Yesterday the `store_sync_config` table changed, the sync_* tables replaced with enum type. Maybe the mcp tools has not updated.
I can see the problem - the MCP tools are trying to access Qdrant for orders when the store has orders_access_policy: api_only, which should trigger direct REST API access instead. The issue is that the MCP tools haven't been updated after the recent store_sync_config table changes where sync_* boolean fields were replaced with enum-based *_access_policy fields.
I'll:
First check the current MCP tool implementation to see how it handles data access
Update the MCP tools to properly respect the *_access_policy enum values (sync/api_only/not_allowed)
Ensure proper behavior for all three policies across products, orders, and customers
Test the fix with your test case
Working on it now!
@fszontagh I'm starting work on this issue now!
I can see the problem - the MCP tools are trying to access Qdrant for orders when the store has `orders_access_policy: api_only`, which should trigger direct REST API access instead. The issue is that the MCP tools haven't been updated after the recent `store_sync_config` table changes where `sync_*` boolean fields were replaced with enum-based `*_access_policy` fields.
I'll:
1. First check the current MCP tool implementation to see how it handles data access
2. Update the MCP tools to properly respect the `*_access_policy` enum values (sync/api_only/not_allowed)
3. Ensure proper behavior for all three policies across products, orders, and customers
4. Test the fix with your test case
Working on it now!
The MCP tools are checking the OLD syncOrders boolean field from getStoreQdrantConfig() instead of properly checking the access policy. When orders_access_policy is set to api_only, the code still tries to access Qdrant (which doesn't exist for that store), causing the 404 error.
What's Happening
In mcp-shoprenter/index.ts line 733:
if (qdrantConfig && qdrantConfig.enabled && qdrantConfig.syncOrders) {
This logic is wrong because:
qdrantConfig.syncOrders is derived from ordersAccessPolicy === 'sync' (line 83 in mcp-qdrant-helpers.ts)
But the code doesn't check the access policy BEFORE trying to use Qdrant
When orders_access_policy is api_only, it should skip Qdrant entirely and go directly to the API
The Fix
I need to update ALL MCP functions (shoprenter, shopify, woocommerce) to:
Check access policy FIRST - determine if it's sync, api_only, or not_allowed
For api_only mode - Skip Qdrant, go directly to the platform API
For sync mode - Check if Qdrant is enabled, use it if available, otherwise fallback to SQL cache or API
For not_allowed - Return appropriate error message
Files to Fix
/supabase/functions/mcp-shoprenter/index.ts - Fix all 4 handlers (products, orders, get_order, customers)
/supabase/functions/mcp-shopify/index.ts - Same fixes
/supabase/functions/mcp-woocommerce/index.ts - Same fixes
Implementing the fix now...
## Issue Analysis Complete
I've identified the root cause of the bug:
### The Problem
The MCP tools are checking the OLD `syncOrders` boolean field from `getStoreQdrantConfig()` instead of properly checking the access policy. When `orders_access_policy` is set to `api_only`, the code still tries to access Qdrant (which doesn't exist for that store), causing the 404 error.
### What's Happening
In `mcp-shoprenter/index.ts` line 733:
```typescript
if (qdrantConfig && qdrantConfig.enabled && qdrantConfig.syncOrders) {
```
This logic is wrong because:
- `qdrantConfig.syncOrders` is derived from `ordersAccessPolicy === 'sync'` (line 83 in `mcp-qdrant-helpers.ts`)
- But the code doesn't check the access policy BEFORE trying to use Qdrant
- When `orders_access_policy` is `api_only`, it should skip Qdrant entirely and go directly to the API
### The Fix
I need to update ALL MCP functions (shoprenter, shopify, woocommerce) to:
1. **Check access policy FIRST** - determine if it's `sync`, `api_only`, or `not_allowed`
2. **For `api_only` mode** - Skip Qdrant, go directly to the platform API
3. **For `sync` mode** - Check if Qdrant is enabled, use it if available, otherwise fallback to SQL cache or API
4. **For `not_allowed`** - Return appropriate error message
### Files to Fix
- `/supabase/functions/mcp-shoprenter/index.ts` - Fix all 4 handlers (products, orders, get_order, customers)
- `/supabase/functions/mcp-shopify/index.ts` - Same fixes
- `/supabase/functions/mcp-woocommerce/index.ts` - Same fixes
Implementing the fix now...
I've successfully fixed the bug and deployed the updated mcp-shoprenter Edge Function.
Changes Made
File: supabase/functions/mcp-shoprenter/index.ts
Fixed Functions:
✅ handleListOrders - Now properly checks access policy before Qdrant access
✅ handleGetOrder - Now properly checks access policy before Qdrant access
✅ handleGetProducts - Already had correct logic (no changes needed)
✅ handleGetCustomer - Already had correct logic (no changes needed)
How It Works Now
The fixed logic follows this flow:
Get access policy from store_sync_config table
Validate access - Return error if not_allowed
Check policy type:
api_only → Skip Qdrant entirely, go directly to ShopRenter API
sync → Check if Qdrant is enabled:
If enabled → Use Qdrant
If not enabled → Fallback to ShopRenter API or SQL cache
not_allowed → Return access denied error
Response Format
The MCP tool responses now include:
source: Where data came from (api_direct, qdrant, sql_cache, api)
access_mode: The access policy in effect (api_only, sync, not_allowed)
notice: User-friendly message when using api_only mode
Test Your Store
Your test store (ID: 3e8bbd69-e20f-40ee-9e15-2056762988f6) with orders_access_policy: api_only should now work correctly. The tool will:
NOT try to access Qdrant (avoiding the 404 error)
Directly call the ShopRenter API
Return order data with source: 'api_direct' and access_mode: 'api_only'
Other MCP Functions
I also verified the other MCP functions:
✅ mcp-woocommerce - Already has correct access policy handling
✅ mcp-shopify - Already has correct access policy handling
Only mcp-shoprenter needed the fix.
Commit
Committed and pushed: 8a544da - "fix: MCP ShopRenter respects data access policy #105"
Ready for testing! Please test with your LLM tool using the same query about orders, and it should now work correctly. 🎉
## Fix Deployed ✅
I've successfully fixed the bug and deployed the updated `mcp-shoprenter` Edge Function.
### Changes Made
**File**: `supabase/functions/mcp-shoprenter/index.ts`
**Fixed Functions**:
1. ✅ `handleListOrders` - Now properly checks access policy before Qdrant access
2. ✅ `handleGetOrder` - Now properly checks access policy before Qdrant access
3. ✅ `handleGetProducts` - Already had correct logic (no changes needed)
4. ✅ `handleGetCustomer` - Already had correct logic (no changes needed)
### How It Works Now
The fixed logic follows this flow:
1. **Get access policy** from `store_sync_config` table
2. **Validate access** - Return error if `not_allowed`
3. **Check policy type**:
- **`api_only`** → Skip Qdrant entirely, go directly to ShopRenter API
- **`sync`** → Check if Qdrant is enabled:
- If enabled → Use Qdrant
- If not enabled → Fallback to ShopRenter API or SQL cache
- **`not_allowed`** → Return access denied error
### Response Format
The MCP tool responses now include:
- `source`: Where data came from (`api_direct`, `qdrant`, `sql_cache`, `api`)
- `access_mode`: The access policy in effect (`api_only`, `sync`, `not_allowed`)
- `notice`: User-friendly message when using `api_only` mode
### Test Your Store
Your test store (ID: `3e8bbd69-e20f-40ee-9e15-2056762988f6`) with `orders_access_policy: api_only` should now work correctly. The tool will:
- **NOT** try to access Qdrant (avoiding the 404 error)
- **Directly call** the ShopRenter API
- **Return** order data with `source: 'api_direct'` and `access_mode: 'api_only'`
### Other MCP Functions
I also verified the other MCP functions:
- ✅ **mcp-woocommerce** - Already has correct access policy handling
- ✅ **mcp-shopify** - Already has correct access policy handling
Only `mcp-shoprenter` needed the fix.
### Commit
Committed and pushed: `8a544da` - "fix: MCP ShopRenter respects data access policy #105"
---
Ready for testing! Please test with your LLM tool using the same query about orders, and it should now work correctly. 🎉
claude
The mcp tools must works with the data access policy.
*_access_policy:
Currently i tested with an LLM the tool, i asked him about an order, it called the shoprenter_list_orders tool (store id:
3e8bbd69-e20f-40ee-9e15-2056762988f6)arguments:
Response:
The store config:
store_sync_config.sync_orders:api_only. Yesterday thestore_sync_configtable changed, the sync_* tables replaced with enum type. Maybe the mcp tools has not updated.@fszontagh I'm starting work on this issue now!
I can see the problem - the MCP tools are trying to access Qdrant for orders when the store has
orders_access_policy: api_only, which should trigger direct REST API access instead. The issue is that the MCP tools haven't been updated after the recentstore_sync_configtable changes wheresync_*boolean fields were replaced with enum-based*_access_policyfields.I'll:
*_access_policyenum values (sync/api_only/not_allowed)Working on it now!
Issue Analysis Complete
I've identified the root cause of the bug:
The Problem
The MCP tools are checking the OLD
syncOrdersboolean field fromgetStoreQdrantConfig()instead of properly checking the access policy. Whenorders_access_policyis set toapi_only, the code still tries to access Qdrant (which doesn't exist for that store), causing the 404 error.What's Happening
In
mcp-shoprenter/index.tsline 733:This logic is wrong because:
qdrantConfig.syncOrdersis derived fromordersAccessPolicy === 'sync'(line 83 inmcp-qdrant-helpers.ts)orders_access_policyisapi_only, it should skip Qdrant entirely and go directly to the APIThe Fix
I need to update ALL MCP functions (shoprenter, shopify, woocommerce) to:
sync,api_only, ornot_allowedapi_onlymode - Skip Qdrant, go directly to the platform APIsyncmode - Check if Qdrant is enabled, use it if available, otherwise fallback to SQL cache or APInot_allowed- Return appropriate error messageFiles to Fix
/supabase/functions/mcp-shoprenter/index.ts- Fix all 4 handlers (products, orders, get_order, customers)/supabase/functions/mcp-shopify/index.ts- Same fixes/supabase/functions/mcp-woocommerce/index.ts- Same fixesImplementing the fix now...
Fix Deployed ✅
I've successfully fixed the bug and deployed the updated
mcp-shoprenterEdge Function.Changes Made
File:
supabase/functions/mcp-shoprenter/index.tsFixed Functions:
handleListOrders- Now properly checks access policy before Qdrant accesshandleGetOrder- Now properly checks access policy before Qdrant accesshandleGetProducts- Already had correct logic (no changes needed)handleGetCustomer- Already had correct logic (no changes needed)How It Works Now
The fixed logic follows this flow:
store_sync_configtablenot_allowedapi_only→ Skip Qdrant entirely, go directly to ShopRenter APIsync→ Check if Qdrant is enabled:not_allowed→ Return access denied errorResponse Format
The MCP tool responses now include:
source: Where data came from (api_direct,qdrant,sql_cache,api)access_mode: The access policy in effect (api_only,sync,not_allowed)notice: User-friendly message when usingapi_onlymodeTest Your Store
Your test store (ID:
3e8bbd69-e20f-40ee-9e15-2056762988f6) withorders_access_policy: api_onlyshould now work correctly. The tool will:source: 'api_direct'andaccess_mode: 'api_only'Other MCP Functions
I also verified the other MCP functions:
Only
mcp-shoprenterneeded the fix.Commit
Committed and pushed:
8a544da- "fix: MCP ShopRenter respects data access policy #105"Ready for testing! Please test with your LLM tool using the same query about orders, and it should now work correctly. 🎉