feat: 添加 MCP Server 全生命周期管理、沙箱托管与第三方导入

himarket-bootstrap/src/main/java/com/alibaba/himarket/config/SecurityConfig.java

@@ -80,6 +80,9 @@ public class SecurityConfig {
     // System endpoints
     private static final String[] SYSTEM_WHITELIST = {"/favicon.ico", "/error"};
 
+    // Open API endpoints (API Key auth handled in controller)
+    private static final String[] OPEN_API_WHITELIST = {"/open-api/**"};
+
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         List<PublicAccessEndpoint> publicEndpoints =
@@ -108,6 +111,9 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                                     .permitAll()
                                     // Permit system endpoints
                                     .requestMatchers(SYSTEM_WHITELIST)
+                                    .permitAll()
+                                    // Permit open API endpoints
+                                    .requestMatchers(OPEN_API_WHITELIST)
                                     .permitAll();
                             // Permit @PublicAccess annotated endpoints with HTTP method precision
                             for (PublicAccessEndpoint endpoint : publicEndpoints) {

himarket-bootstrap/src/main/resources/application.yml

@@ -85,6 +85,9 @@ acp:
       supports-mcp: true
       supports-skill: true
 
+open-api:
+  api-key: ${OPEN_API_KEY:}
+
 observability:
   log-source: ${OBSERVABILITY_LOG_SOURCE:SLS}
 

himarket-bootstrap/src/main/resources/db/migration/V16__Add_sandbox_instance.sql

@@ -0,0 +1,23 @@
+CREATE TABLE IF NOT EXISTS `sandbox_instance` (
+    `id` bigint NOT NULL AUTO_INCREMENT,
+    `sandbox_id` varchar(64) NOT NULL,
+    `admin_id` varchar(64) NOT NULL,
+    `sandbox_name` varchar(64) NOT NULL,
+    `sandbox_type` varchar(32) NOT NULL COMMENT 'AGENT_RUNTIME / SELF_HOSTED',
+    `cluster_attribute` json DEFAULT NULL COMMENT '集群属性JSON: clusterId, clusterName, slbType, vpcId, mappingIP, mappingPort等',
+    `api_server` varchar(256) DEFAULT NULL,
+    `kube_config` text DEFAULT NULL,
+    `description` varchar(512) DEFAULT NULL,
+    `extra_config` json DEFAULT NULL COMMENT '扩展配置，不同sandbox类型的特定参数',
+    `status` varchar(32) NOT NULL DEFAULT 'RUNNING' COMMENT 'RUNNING / STOPPED / ERROR',
+    `status_message` varchar(512) DEFAULT NULL,
+    `created_at` datetime(3) DEFAULT CURRENT_TIMESTAMP(3),
+    `updated_at` datetime(3) DEFAULT CURRENT_TIMESTAMP(3) ON UPDATE CURRENT_TIMESTAMP(3),
+    `last_checked_at` datetime(3) DEFAULT NULL,
+    PRIMARY KEY (`id`),
+    UNIQUE KEY `uk_sandbox_id` (`sandbox_id`),
+    UNIQUE KEY `uk_admin_sandbox_name` (`admin_id`, `sandbox_name`),
+    UNIQUE KEY `uk_api_server` (`api_server`),
+    KEY `idx_admin_id` (`admin_id`),
+    KEY `idx_sandbox_type` (`sandbox_type`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

himarket-bootstrap/src/main/resources/db/migration/V17__Add_mcp_server_tables.sql

@@ -0,0 +1,51 @@
+-- ========================================
+-- MCP Server Meta (冷数据 — 元信息)
+-- ========================================
+CREATE TABLE IF NOT EXISTS `mcp_server_meta` (
+    `id` bigint NOT NULL AUTO_INCREMENT,
+    `mcp_server_id` varchar(64) NOT NULL,
+    `product_id` varchar(64) NOT NULL,
+    `mcp_name` varchar(128) NOT NULL,
+    `repo_url` varchar(512) DEFAULT NULL,
+    `source_type` varchar(32) DEFAULT NULL COMMENT 'npm / docker / git / config',
+    `origin` varchar(32) NOT NULL DEFAULT 'ADMIN' COMMENT 'ADMIN / GATEWAY / USER / THIRD_PARTY',
+    `tags` json DEFAULT NULL,
+    `protocol_type` varchar(32) NOT NULL COMMENT 'stdio / sse / http',
+    `connection_config` json NOT NULL,
+    `extra_params` json DEFAULT NULL,
+    `tools_config` json DEFAULT NULL,
+    `created_by` varchar(64) DEFAULT NULL,
+    `sandbox_required` tinyint(1) DEFAULT NULL,
+    `created_at` datetime(3) DEFAULT CURRENT_TIMESTAMP(3),
+    `updated_at` datetime(3) DEFAULT CURRENT_TIMESTAMP(3) ON UPDATE CURRENT_TIMESTAMP(3),
+    PRIMARY KEY (`id`),
+    UNIQUE KEY `uk_mcp_server_id` (`mcp_server_id`),
+    UNIQUE KEY `uk_product_mcp_name` (`product_id`, `mcp_name`),
+    KEY `idx_product_id` (`product_id`),
+    KEY `idx_mcp_name` (`mcp_name`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
+
+-- ========================================
+-- MCP Server Endpoint (热数据 — 运行时连接)
+-- ========================================
+CREATE TABLE IF NOT EXISTS `mcp_server_endpoint` (
+    `id` bigint NOT NULL AUTO_INCREMENT,
+    `endpoint_id` varchar(64) NOT NULL,
+    `mcp_server_id` varchar(64) NOT NULL,
+    `mcp_name` varchar(128) NOT NULL,
+    `endpoint_url` varchar(512) NOT NULL,
+    `hosting_type` varchar(32) NOT NULL COMMENT 'NACOS / GATEWAY / SANDBOX',
+    `protocol` varchar(32) NOT NULL COMMENT 'stdio / sse / http',
+    `user_id` varchar(64) NOT NULL DEFAULT '*' COMMENT '* = all users',
+    `hosting_instance_id` varchar(64) DEFAULT NULL,
+    `hosting_identifier` varchar(128) DEFAULT NULL,
+    `subscribe_params` json DEFAULT NULL COMMENT '用户订阅时提交的参数 JSON',
+    `status` varchar(32) NOT NULL DEFAULT 'ACTIVE' COMMENT 'ACTIVE / INACTIVE',
+    `created_at` datetime(3) DEFAULT CURRENT_TIMESTAMP(3),
+    `updated_at` datetime(3) DEFAULT CURRENT_TIMESTAMP(3) ON UPDATE CURRENT_TIMESTAMP(3),
+    PRIMARY KEY (`id`),
+    UNIQUE KEY `uk_endpoint_id` (`endpoint_id`),
+    KEY `idx_mcp_server_id` (`mcp_server_id`),
+    KEY `idx_user_hosting` (`user_id`, `hosting_type`),
+    UNIQUE KEY `uk_server_user_hosting` (`mcp_server_id`, `user_id`, `hosting_instance_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

himarket-dal/src/main/java/com/alibaba/himarket/converter/EncryptedStringConverter.java

@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package com.alibaba.himarket.converter;
+
+import com.alibaba.himarket.support.common.Encryptor;
+import jakarta.persistence.AttributeConverter;
+import jakarta.persistence.Converter;
+
+@Converter
+public class EncryptedStringConverter implements AttributeConverter<String, String> {
+
+    @Override
+    public String convertToDatabaseColumn(String attribute) {
+        return Encryptor.encrypt(attribute);
+    }
+
+    @Override
+    public String convertToEntityAttribute(String dbData) {
+        return Encryptor.decrypt(dbData);
+    }
+}

himarket-dal/src/main/java/com/alibaba/himarket/entity/McpServerEndpoint.java

@@ -0,0 +1,83 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package com.alibaba.himarket.entity;
+
+import jakarta.persistence.*;
+import lombok.*;
+
+/**
+ * MCP Server 运行时连接信息（热数据）。
+ * 存储 MCP 的 endpoint、托管方式等运行时信息，查询频率高。
+ */
+@Entity
+@Table(
+        name = "mcp_server_endpoint",
+        uniqueConstraints = {
+            @UniqueConstraint(
+                    columnNames = {"endpoint_id"},
+                    name = "uk_endpoint_id"),
+            @UniqueConstraint(
+                    columnNames = {"mcp_server_id", "user_id", "hosting_instance_id"},
+                    name = "uk_server_user_hosting"),
+        })
+@Data
+@EqualsAndHashCode(callSuper = true)
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class McpServerEndpoint extends BaseEntity {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+
+    @Column(name = "endpoint_id", length = 64, nullable = false)
+    private String endpointId;
+
+    @Column(name = "mcp_server_id", length = 64, nullable = false)
+    private String mcpServerId;
+
+    @Column(name = "mcp_name", length = 128, nullable = false)
+    private String mcpName;
+
+    @Column(name = "endpoint_url", length = 512, nullable = false)
+    private String endpointUrl;
+
+    @Column(name = "hosting_type", length = 32, nullable = false)
+    private String hostingType;
+
+    @Column(name = "protocol", length = 32, nullable = false)
+    private String protocol;
+
+    @Column(name = "user_id", length = 64, nullable = false)
+    private String userId;
+
+    @Column(name = "hosting_instance_id", length = 64)
+    private String hostingInstanceId;
+
+    @Column(name = "hosting_identifier", length = 128)
+    private String hostingIdentifier;
+
+    @Column(name = "subscribe_params", columnDefinition = "json")
+    private String subscribeParams;
+
+    @Column(name = "status", length = 32, nullable = false)
+    private String status;
+}

himarket-dal/src/main/java/com/alibaba/himarket/entity/McpServerMeta.java

@@ -0,0 +1,101 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package com.alibaba.himarket.entity;
+
+import cn.hutool.core.util.StrUtil;
+import jakarta.persistence.*;
+import lombok.*;
+
+/**
+ * MCP Server 技术配置（冷数据）。
+ *
+ * <p>只存储 MCP 独有的技术字段（协议、连接、工具等）。
+ * 展示信息（名称、描述、图标、文档）统一由关联的 Product 管理。
+ */
+@Entity
+@Table(
+        name = "mcp_server_meta",
+        uniqueConstraints = {
+            @UniqueConstraint(
+                    columnNames = {"mcp_server_id"},
+                    name = "uk_mcp_server_id"),
+            @UniqueConstraint(
+                    columnNames = {"product_id", "mcp_name"},
+                    name = "uk_product_mcp_name"),
+        })
+@Data
+@EqualsAndHashCode(callSuper = true)
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class McpServerMeta extends BaseEntity {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+
+    @Column(name = "mcp_server_id", length = 64, nullable = false)
+    private String mcpServerId;
+
+    @Column(name = "product_id", length = 64, nullable = false)
+    private String productId;
+
+    @Column(name = "mcp_name", length = 128, nullable = false)
+    private String mcpName;
+
+    @Column(name = "repo_url", length = 512)
+    private String repoUrl;
+
+    @Column(name = "source_type", length = 32)
+    private String sourceType;
+
+    @Column(name = "origin", length = 32, nullable = false)
+    private String origin;
+
+    @Column(name = "tags", columnDefinition = "json")
+    private String tags;
+
+    @Column(name = "protocol_type", length = 32, nullable = false)
+    private String protocolType;
+
+    @Column(name = "connection_config", columnDefinition = "json", nullable = false)
+    private String connectionConfig;
+
+    @Column(name = "extra_params", columnDefinition = "json")
+    private String extraParams;
+
+    @Column(name = "tools_config", columnDefinition = "json")
+    private String toolsConfig;
+
+    @Column(name = "sandbox_required")
+    private Boolean sandboxRequired;
+
+    @Column(name = "created_by", length = 64)
+    private String createdBy;
+
+    /** 持久化前将空字符串的 JSON 列置为 null，避免 MySQL JSON 列写入非法值 */
+    @PrePersist
+    @PreUpdate
+    private void sanitizeJsonFields() {
+        if (StrUtil.isBlank(toolsConfig)) toolsConfig = null;
+        if (StrUtil.isBlank(tags)) tags = null;
+        if (StrUtil.isBlank(extraParams)) extraParams = null;
+    }
+}