cocalc-api: improve api key type discovery

Author: haraldschilly

src/packages/conat/hub/api/system.ts

@@ -32,8 +32,8 @@ export interface System {
   getCustomize: (fields?: string[]) => Promise<Customize>;
   // ping server and get back the current time
   ping: () => { now: number };
-  // test API key and return scope information (account_id or project_id) and server time
-  test: () => Promise<{ account_id?: string; project_id?: string; server_time: number }>;
+  // test API key and return scope information (account_id) and server time
+  test: () => Promise<{ account_id: string; server_time: number }>;
   // terminate a service:
   //   - only admin can do this.
   //   - useful for development

src/packages/next/pages/api/conat/project.ts

@@ -58,11 +58,6 @@ export default async function handle(req, res) {
       args,
       timeout,
     });
-    // For project-scoped API keys, include the project_id in the response
-    // so the client can discover it
-    if (project_id0 && !resp.project_id) {
-      resp.project_id = project_id0;
-    }
     res.json(resp);
   } catch (err) {
     res.json({ error: err.message });

src/packages/server/api/project-bridge.ts

@@ -4,6 +4,7 @@ import { projectSubject } from "@cocalc/conat/names";
 import { conat } from "@cocalc/backend/conat";
 import { type Client as ConatClient } from "@cocalc/conat/core/client";
 import { getProject } from "@cocalc/server/projects/control";
+
 const DEFAULT_TIMEOUT = 15000;
 
 let client: ConatClient | null = null;
@@ -58,10 +59,17 @@ async function callProject({
       await project.start();
     }
 
-    // For system.test(), inject project_id into args[0] if not already present
+    // For discovery-style calls, inject identifiers so the project can report scope
     let finalArgs = args;
-    if (name === "system.test" && (!args || args.length === 0)) {
-      finalArgs = [{ project_id }];
+    if (name === "system.test") {
+      if (!args || args.length === 0 || typeof args[0] !== "object") {
+        finalArgs = [{}];
+      }
+      if (finalArgs[0] == null || typeof finalArgs[0] !== "object") {
+        finalArgs = [{ project_id }];
+      } else {
+        finalArgs = [{ ...finalArgs[0], project_id }];
+      }
     }
     const data = { name, args: finalArgs };
     // we use waitForInterest because often the project hasn't

src/packages/server/conat/api/system.ts

@@ -20,21 +20,13 @@ export function ping() {
 
 export async function test({
   account_id,
-  project_id,
-}: { account_id?: string; project_id?: string } = {}) {
+}: { account_id?: string } = {}) {
   // Return API key scope information and server time
-  // The authFirst decorator determines the scope from the API key and injects
-  // either account_id (for account-scoped keys) or project_id (for project-scoped keys)
-  // into this parameter object.
-  const response: { account_id?: string; project_id?: string; server_time: number } = {
+  // The authFirst decorator determines the scope from the API key and injects account_id.
+  const response: { account_id: string; server_time: number } = {
+    account_id: account_id ?? "",
     server_time: Date.now(),
   };
-  if (account_id) {
-    response.account_id = account_id;
-  }
-  if (project_id) {
-    response.project_id = project_id;
-  }
   return response;
 }
 

src/packages/server/projects/control/single-user.ts

@@ -156,7 +156,9 @@ class Project extends BaseProject {
 
       // First attempt: graceful shutdown with SIGTERM
       // This allows the process to clean up child processes (e.g., Jupyter kernels)
-      let usedSigterm = false;
+      const stopStartedAt = Date.now();
+      const SIGKILL_GRACE_MS = 5000;
+      let sigkillSent = false;
       const killProject = (signal: NodeJS.Signals = "SIGTERM") => {
         try {
           logger.debug(`stop: sending kill -${pid} with ${signal}`);
@@ -169,16 +171,15 @@ class Project extends BaseProject {
 
       // Try SIGTERM first for graceful shutdown
       killProject("SIGTERM");
-      usedSigterm = true;
 
       await this.wait({
         until: async () => {
           if (await isProjectRunning(this.HOME)) {
-            // After 5 seconds, escalate to SIGKILL
-            if (usedSigterm) {
+            // After a grace period, escalate to SIGKILL
+            if (!sigkillSent && Date.now() - stopStartedAt >= SIGKILL_GRACE_MS) {
               logger.debug("stop: escalating to SIGKILL");
               killProject("SIGKILL");
-              usedSigterm = false;
+              sigkillSent = true;
             }
             return false;
           } else {

src/python/cocalc-api/src/cocalc_api/mcp/mcp_server.py

@@ -107,29 +107,28 @@ def check_api_key_scope(api_key: str, host: str) -> dict[str, str]:
     Raises:
         RuntimeError: If the API key is invalid or scope cannot be determined
     """
+    # First, try hub.system.test (account-scoped keys will succeed here)
     try:
         hub = Hub(api_key=api_key, host=host)
-
-        # Try the hub.system.test() method (only works for account-scoped keys)
         result = hub.system.test()
-
-        # Check which scope is returned
-        if "account_id" in result and result["account_id"]:
+        if result.get("account_id"):
             return {"account_id": result["account_id"]}
-        elif "project_id" in result and result["project_id"]:
+        if result.get("project_id"):
             return {"project_id": result["project_id"]}
-        else:
-            raise RuntimeError("API key test returned neither account_id nor project_id")
+    except Exception:
+        # Fall back to project-side system.test for project-scoped keys
+        pass
 
+    try:
+        project = Project(api_key=api_key, host=host)
+        result = project.system.test()
+        if result.get("project_id"):
+            return {"project_id": result["project_id"]}
     except Exception as e:
-        # Check if this looks like a project-scoped key error
-        error_msg = str(e)
-        if "must be signed in and MUST provide an api key" in error_msg:
-            raise RuntimeError("API key appears to be project-scoped. "
-                               "Project-scoped keys require the project_id to be specified at the OS level. "
-                               "Please set the COCALC_PROJECT_ID environment variable and try again.") from e
         raise RuntimeError(f"API key validation failed: {e}") from e
 
+    raise RuntimeError("API key test returned neither account_id nor project_id")
+
 
 # Initialize FastMCP server with instructions and documentation
 mcp = FastMCP(