@anton.andrusenko/shopify-mcp-admin 2.2.1 → 2.4.0

package/dist/index.js

@@ -1,8 +1,13 @@
 #!/usr/bin/env node
 import {
+  captureError,
   clearFallbackContext,
+  correlationMiddleware,
+  createLogger,
   createMultiTenantContext,
   createShopifyClient,
+  flushLogs,
+  generateCorrelationId,
   getRequestContext,
   getShopifyClient,
   getStoreAlerts,
@@ -14,28 +19,33 @@ import {
   getStorePolicies,
   getStoreShipping,
   getStoreTaxes,
+  getToolExecutionLogger,
+  initSentry,
   isMultiTenantContext,
   registerAllTools,
   requestContextStorage,
   sanitizeErrorMessage,
+  sentryErrorHandler,
+  sentryRequestMiddleware,
   setCurrentContextKey,
   setFallbackContext,
   validateShopifyToken
-} from "./chunk-LMFNHULG.js";
+} from "./chunk-UMNIRP6T.js";
 import {
   disconnectPrisma,
   getPrismaClient,
   prisma,
-  sessionStore
-} from "./chunk-JU5IFCVJ.js";
+  sessionStore,
+  warmupDatabase
+} from "./chunk-CJXPHNYT.js";
 import {
   createJsonRpcError
-} from "./chunk-PQKNBYJN.js";
+} from "./chunk-H36XQ6QK.js";
 import {
   getConfig,
   log,
   sanitizeLogMessage
-} from "./chunk-5QMYOO4B.js";
+} from "./chunk-CZJ7LSEO.js";
 import {
   getShutdownDrainMs,
   isLazyLoadingEnabled,
@@ -49,172 +59,6 @@ import { readFileSync as readFileSync2 } from "fs";
 import { dirname as dirname2, join as join2 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 
-// src/monitoring/sentry.ts
-import * as Sentry from "@sentry/node";
-function initSentry(options) {
-  const { dsn, environment = "production", release } = options;
-  if (!dsn) {
-    return;
-  }
-  Sentry.init({
-    dsn,
-    environment,
-    // Sample 10% of transactions for performance monitoring (AC-13.7.4)
-    tracesSampleRate: 0.1,
-    // Release tracking for deployment correlation
-    release: release || "unknown",
-    // Sanitize sensitive data before sending to Sentry
-    beforeSend(event) {
-      if (event.request?.headers) {
-        const sensitiveHeaders = [
-          "authorization",
-          "x-api-key",
-          "cookie",
-          "x-shopify-access-token",
-          "x-shopify-hmac-sha256"
-        ];
-        for (const header of sensitiveHeaders) {
-          delete event.request.headers[header];
-        }
-      }
-      if (event.request?.data) {
-        const data = event.request.data;
-        const sensitiveKeys = ["token", "password", "secret", "key", "access_token"];
-        for (const key of Object.keys(data)) {
-          if (sensitiveKeys.some((sensitive) => key.toLowerCase().includes(sensitive))) {
-            data[key] = "[REDACTED]";
-          }
-        }
-      }
-      if (event.message) {
-        event.message = sanitizeErrorMessage2(event.message);
-      }
-      if (event.exception?.values) {
-        for (const exception of event.exception.values) {
-          if (exception.value) {
-            exception.value = sanitizeErrorMessage2(exception.value);
-          }
-        }
-      }
-      return event;
-    },
-    // Integrations
-    integrations: [
-      // Capture uncaught exceptions and unhandled rejections
-      Sentry.onUncaughtExceptionIntegration(),
-      Sentry.onUnhandledRejectionIntegration(),
-      // Capture HTTP request data
-      Sentry.requestDataIntegration(),
-      // Deduplicate similar errors
-      Sentry.dedupeIntegration()
-    ]
-  });
-}
-function sanitizeErrorMessage2(message) {
-  const patterns = [
-    /shpat_[a-zA-Z0-9]+/g,
-    /shpua_[a-zA-Z0-9]+/g,
-    /Bearer\s+[a-zA-Z0-9_-]+/g,
-    /access_token[=:]\s*[a-zA-Z0-9_-]+/gi,
-    /client_secret[=:]\s*[a-zA-Z0-9_-]+/gi,
-    /sk_live_[a-zA-Z0-9_-]+/g
-  ];
-  let sanitized = message;
-  for (const pattern of patterns) {
-    sanitized = sanitized.replace(pattern, "[REDACTED]");
-  }
-  return sanitized;
-}
-function sentryRequestMiddleware(req, res, next) {
-  const context = getRequestContext();
-  if (context) {
-    if (context.correlationId) {
-      Sentry.setTag("correlationId", context.correlationId);
-      Sentry.setContext("request", {
-        correlationId: context.correlationId
-      });
-    }
-    if (isMultiTenantContext(context) && context.tenantId) {
-      Sentry.setTag("tenantId", context.tenantId);
-      Sentry.setContext("tenant", {
-        tenantId: context.tenantId
-      });
-    }
-    if (context.shopDomain) {
-      Sentry.setTag("shopDomain", context.shopDomain);
-    }
-  }
-  Sentry.setContext("http", {
-    method: req.method,
-    url: req.url,
-    path: req.path,
-    query: req.query,
-    userAgent: req.get("user-agent"),
-    ip: req.ip
-  });
-  Sentry.addBreadcrumb({
-    category: "http",
-    message: `${req.method} ${req.path}`,
-    level: "info",
-    data: {
-      method: req.method,
-      path: req.path
-      // statusCode will be updated when response finishes (see below)
-    }
-  });
-  res.on("finish", () => {
-    Sentry.addBreadcrumb({
-      category: "http",
-      message: `${req.method} ${req.path} - ${res.statusCode}`,
-      level: res.statusCode >= 400 ? "error" : "info",
-      data: {
-        method: req.method,
-        path: req.path,
-        statusCode: res.statusCode
-      }
-    });
-  });
-  next();
-}
-function sentryErrorHandler(error, req, _res, next) {
-  Sentry.captureException(error, {
-    tags: {
-      path: req.path,
-      method: req.method
-    },
-    extra: {
-      url: req.url,
-      query: req.query,
-      body: req.body
-    }
-  });
-  next(error);
-}
-function captureError(error, context) {
-  const requestContext = getRequestContext();
-  Sentry.withScope((scope) => {
-    if (requestContext?.correlationId) {
-      scope.setTag("correlationId", requestContext.correlationId);
-      scope.setContext("request", {
-        correlationId: requestContext.correlationId
-      });
-    }
-    if (requestContext && isMultiTenantContext(requestContext) && requestContext.tenantId) {
-      scope.setTag("tenantId", requestContext.tenantId);
-      scope.setContext("tenant", {
-        tenantId: requestContext.tenantId
-      });
-    }
-    if (requestContext?.shopDomain) {
-      scope.setTag("shopDomain", requestContext.shopDomain);
-    }
-    if (context) {
-      scope.setContext("additional", context);
-    }
-    Sentry.captureException(error);
-  });
-}
-
 // src/server.ts
 import { createRequire } from "module";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
@@ -790,7 +634,7 @@ function createStdioTransport() {
 }
 
 // src/transports/http.ts
-import { randomUUID as randomUUID3 } from "crypto";
+import { randomUUID as randomUUID2 } from "crypto";
 import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
@@ -805,194 +649,6 @@ import { z } from "zod";
 
 // src/middleware/tenant-auth.ts
 import { TenantStatus } from "@prisma/client";
-
-// src/logging/structured-logger.ts
-import {
-  pino as createPino,
-  destination as pinoDestination,
-  transport as pinoTransport
-} from "pino";
-var SANITIZATION_PATTERNS = [
-  { pattern: /shpat_[a-zA-Z0-9]+/g, replacement: "[REDACTED]" },
-  { pattern: /shpua_[a-zA-Z0-9]+/g, replacement: "[REDACTED]" },
-  { pattern: /Bearer\s+[a-zA-Z0-9_-]+/g, replacement: "Bearer [REDACTED]" },
-  { pattern: /access_token[=:]\s*[a-zA-Z0-9_-]+/gi, replacement: "access_token=[REDACTED]" },
-  { pattern: /client_secret[=:]\s*[a-zA-Z0-9_-]+/gi, replacement: "client_secret=[REDACTED]" },
-  { pattern: /sk_live_[a-zA-Z0-9_-]+/g, replacement: "[REDACTED]" }
-];
-function sanitizeText(text) {
-  let result = text;
-  for (const { pattern, replacement } of SANITIZATION_PATTERNS) {
-    result = result.replace(pattern, replacement);
-  }
-  return result;
-}
-function sanitizeObject(obj, seen = /* @__PURE__ */ new WeakSet()) {
-  if (typeof obj === "string") {
-    return sanitizeText(obj);
-  }
-  if (obj === null || typeof obj !== "object") {
-    return obj;
-  }
-  if (seen.has(obj)) {
-    return "[Circular]";
-  }
-  seen.add(obj);
-  if (Array.isArray(obj)) {
-    return obj.map((item) => sanitizeObject(item, seen));
-  }
-  const result = {};
-  for (const [key, value] of Object.entries(obj)) {
-    result[key] = sanitizeObject(value, seen);
-  }
-  return result;
-}
-function getInstanceId() {
-  return process.env.INSTANCE_ID || process.env.HOSTNAME || "unknown";
-}
-function getLogLevel() {
-  const level = process.env.LOG_LEVEL?.toLowerCase();
-  if (level === "debug" || level === "info" || level === "warn" || level === "error") {
-    return level;
-  }
-  return "info";
-}
-function isDevelopment() {
-  return process.env.NODE_ENV === "development";
-}
-function createTransport() {
-  if (isDevelopment()) {
-    try {
-      return {
-        target: "pino-pretty",
-        options: {
-          destination: 2,
-          // stderr (fd 2)
-          colorize: true,
-          translateTime: "HH:MM:ss.l",
-          ignore: "pid,hostname"
-        }
-      };
-    } catch {
-      return void 0;
-    }
-  }
-  return void 0;
-}
-function createBasePinoLogger() {
-  const level = getLogLevel();
-  const transport = createTransport();
-  const instanceId = getInstanceId();
-  const options = {
-    level,
-    // ISO 8601 timestamp format (AC-13.1.3)
-    timestamp: () => `,"time":"${(/* @__PURE__ */ new Date()).toISOString()}"`,
-    // Format level as string instead of number
-    formatters: {
-      level: (label) => ({ level: label })
-    },
-    // Base bindings (can be overridden by child loggers)
-    // Story 13.5: Add instance ID for multi-instance deployment identification
-    base: {
-      instanceId
-      // AC-13.5.1: Instance ID for load balancer distribution verification
-    }
-  };
-  if (transport) {
-    return createPino(options, pinoTransport(transport));
-  }
-  return createPino(options, pinoDestination({ dest: 2, sync: false }));
-}
-var basePinoLogger = createBasePinoLogger();
-function createLogger(module) {
-  function getContextFields() {
-    const context = getRequestContext();
-    const fields = { module };
-    if (context) {
-      if (context.correlationId) {
-        fields.correlationId = context.correlationId;
-      }
-      if (context.shopDomain) {
-        fields.shopDomain = context.shopDomain;
-      }
-      if (isMultiTenantContext(context)) {
-        fields.tenantId = context.tenantId;
-      }
-    }
-    return fields;
-  }
-  function mergeData(data) {
-    const contextFields = getContextFields();
-    if (data) {
-      const sanitizedData = sanitizeObject(data);
-      return { ...contextFields, ...sanitizedData };
-    }
-    return contextFields;
-  }
-  function formatError(error) {
-    return {
-      error: {
-        name: error.name,
-        message: sanitizeText(error.message),
-        stack: error.stack ? sanitizeText(error.stack) : void 0
-      }
-    };
-  }
-  const logger3 = {
-    debug: (msg, data) => {
-      basePinoLogger.debug(mergeData(data), sanitizeText(msg));
-    },
-    info: (msg, data) => {
-      basePinoLogger.info(mergeData(data), sanitizeText(msg));
-    },
-    warn: (msg, data) => {
-      basePinoLogger.warn(mergeData(data), sanitizeText(msg));
-    },
-    error: (msg, error, data) => {
-      const merged = mergeData(data);
-      if (error) {
-        Object.assign(merged, formatError(error));
-        captureError(error, data);
-      }
-      basePinoLogger.error(merged, sanitizeText(msg));
-    },
-    child: (bindings) => {
-      const childModule = bindings.module || module;
-      const childLogger = createLogger(childModule);
-      const originalMergeData = mergeData;
-      const enhancedMergeData = (data) => {
-        const base = originalMergeData(data);
-        const sanitizedBindings = sanitizeObject(bindings);
-        return { ...base, ...sanitizedBindings };
-      };
-      return {
-        debug: (msg, data) => {
-          basePinoLogger.debug(enhancedMergeData(data), sanitizeText(msg));
-        },
-        info: (msg, data) => {
-          basePinoLogger.info(enhancedMergeData(data), sanitizeText(msg));
-        },
-        warn: (msg, data) => {
-          basePinoLogger.warn(enhancedMergeData(data), sanitizeText(msg));
-        },
-        error: (msg, error, data) => {
-          const merged = enhancedMergeData(data);
-          if (error) {
-            Object.assign(merged, formatError(error));
-          }
-          basePinoLogger.error(merged, sanitizeText(msg));
-        },
-        child: childLogger.child
-      };
-    }
-  };
-  return logger3;
-}
-function flushLogs() {
-  basePinoLogger.flush();
-}
-
-// src/middleware/tenant-auth.ts
 var logger = createLogger("middleware/tenant-auth");
 async function requireTenantAuth(req, res, next) {
   try {
@@ -1538,6 +1194,7 @@ var ApiKeyService = class {
 };
 
 // src/api/tenants.ts
+var logger2 = createLogger("api/tenants");
 var BCRYPT_COST_FACTOR = 12;
 var INITIAL_API_KEY_NAME = "Initial API Key";
 var registerSchema = z.object({
@@ -1654,7 +1311,7 @@ function createTenantsRouter(options) {
       };
       return res.status(201).json(response);
     } catch (error) {
-      console.error("[TENANT API] Registration error:", error);
+      logger2.error("Tenant registration failed", error instanceof Error ? error : void 0);
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred during registration"
@@ -1694,7 +1351,9 @@ function createTenantsRouter(options) {
         createdAt: tenant.createdAt.toISOString()
       });
     } catch (error) {
-      console.error("[TENANT API] Get tenant error:", error);
+      logger2.error("Get tenant failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred"
@@ -1758,7 +1417,9 @@ function createTenantsRouter(options) {
         updatedAt: updatedTenant.updatedAt.toISOString()
       });
     } catch (error) {
-      console.error("[TENANT API] Update tenant error:", error);
+      logger2.error("Update tenant failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred"
@@ -1807,7 +1468,7 @@ function createTenantsRouter(options) {
         where: { id: tenantId },
         data: { passwordHash: newPasswordHash }
       });
-      const { sessionStore: sessionStore2 } = await import("./store-JK2ZU6DR.js");
+      const { sessionStore: sessionStore2 } = await import("./store-5NJBYK45.js");
       await sessionStore2.deleteByTenantId(tenantId);
       await auditLogger2.log(tenantId, {
         action: "tenant.password_change",
@@ -1816,7 +1477,9 @@ function createTenantsRouter(options) {
       });
       return res.status(204).send();
     } catch (error) {
-      console.error("[TENANT API] Password change error:", error);
+      logger2.error("Password change failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred"
@@ -1988,9 +1651,67 @@ var CredentialEncryptionService = class _CredentialEncryptionService {
     }
     return rotatedCount;
   }
+  /**
+   * Validate encryption key on startup by testing decryption of existing tokens
+   *
+   * This should be called during server initialization to catch ENCRYPTION_KEY
+   * mismatches early, before users encounter "Request context not available" errors.
+   *
+   * @param prisma - Prisma client instance
+   * @returns Validation result with counts of successful/failed decryptions
+   *
+   * @example
+   * ```typescript
+   * const result = await cryptoService.validateEncryptionKeyOnStartup(prisma);
+   * if (result.failedCount > 0) {
+   *   log.error(`CRITICAL: ${result.failedCount} tokens cannot be decrypted!`);
+   *   // Alert Sentry, mark affected shops, etc.
+   * }
+   * ```
+   */
+  async validateEncryptionKeyOnStartup(prisma2) {
+    const result = {
+      totalCount: 0,
+      successCount: 0,
+      failedCount: 0,
+      failedShopIds: []
+    };
+    const tenantShops = await prisma2.tenantShop.findMany({
+      where: { uninstalledAt: null },
+      select: { id: true, shopDomain: true, encryptedAccessToken: true }
+    });
+    result.totalCount = tenantShops.length;
+    for (const shop of tenantShops) {
+      try {
+        this.decrypt(shop.encryptedAccessToken);
+        result.successCount++;
+      } catch {
+        result.failedCount++;
+        result.failedShopIds.push(shop.id);
+      }
+    }
+    return result;
+  }
+  /**
+   * Mark shops with decryption failures as needing re-authentication
+   *
+   * Called when validateEncryptionKeyOnStartup finds shops that can't be decrypted.
+   * Updates their tokenStatus to 'needs_reauth' so users get clear feedback.
+   *
+   * @param prisma - Prisma client instance
+   * @param shopIds - Array of shop IDs to mark
+   */
+  async markShopsAsNeedingReauth(prisma2, shopIds) {
+    if (shopIds.length === 0) return;
+    await prisma2.tenantShop.updateMany({
+      where: { id: { in: shopIds } },
+      data: { tokenStatus: "needs_reauth" }
+    });
+  }
 };
 
 // src/api/shops.ts
+var logger3 = createLogger("api/shops");
 var SHOP_DOMAIN_PATTERN = /^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$/;
 var ACCESS_TOKEN_PATTERN = /^shp(at|ua)_[a-f0-9]+$/i;
 var manualConnectSchema = z2.object({
@@ -2106,7 +1827,9 @@ function createShopsRouter(options) {
       };
       return res.status(201).json(response);
     } catch (error) {
-      console.error("[SHOPS API] Connection error:", error);
+      logger3.error("Shop connection failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred during shop connection"
@@ -2165,7 +1888,9 @@ function createShopsRouter(options) {
       });
       return res.json({ shops: shopList });
     } catch (error) {
-      console.error("[SHOPS API] List error:", error);
+      logger3.error("Shop listing failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred while listing shops"
@@ -2218,7 +1943,10 @@ function createShopsRouter(options) {
       });
       return res.status(204).send();
     } catch (error) {
-      console.error("[SHOPS API] Disconnect error:", error);
+      logger3.error("Shop disconnect failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId,
+        shopId: req.params.shopId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred while disconnecting shop"
@@ -2231,6 +1959,7 @@ function createShopsRouter(options) {
 // src/api/keys.ts
 import { Router as Router3 } from "express";
 import { z as z3 } from "zod";
+var logger4 = createLogger("api/keys");
 var DEFAULT_SCOPES = ["*"];
 var createKeySchema = z3.object({
   name: z3.string().min(1, "Name is required").max(100, "Name must be 100 characters or less"),
@@ -2284,7 +2013,9 @@ function createKeysRouter(options) {
       };
       return res.status(201).json(response);
     } catch (error) {
-      console.error("[KEYS API] Creation error:", error);
+      logger4.error("API key creation failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred during key creation"
@@ -2322,13 +2053,247 @@ function createKeysRouter(options) {
       }));
       return res.json({ keys: keyList });
     } catch (error) {
-      console.error("[KEYS API] List error:", error);
+      logger4.error("API key listing failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred while listing keys"
       });
     }
   });
+  router.get("/metrics/batch", async (req, res) => {
+    try {
+      const tenantId = req.tenantContext?.tenantId;
+      if (!tenantId) {
+        return res.status(401).json({
+          error: "Unauthorized",
+          message: "Tenant context not found"
+        });
+      }
+      const keys = await prisma2.apiKey.findMany({
+        where: {
+          tenantId,
+          revokedAt: null
+        },
+        select: { id: true }
+      });
+      if (keys.length === 0) {
+        return res.json({ metrics: {} });
+      }
+      let tableExists = true;
+      try {
+        await prisma2.$queryRaw`SELECT 1 FROM tool_execution_logs LIMIT 1`;
+      } catch (error) {
+        if (error instanceof Error && (error.message.includes("does not exist") || error.message.includes("relation") || error.message.includes("table"))) {
+          tableExists = false;
+        } else {
+          throw error;
+        }
+      }
+      if (!tableExists) {
+        const emptyMetrics = {};
+        for (const key of keys) {
+          emptyMetrics[key.id] = {
+            calls7d: 0,
+            calls30d: 0,
+            successRate: 0,
+            avgDurationMs: 0,
+            lastUsedAt: null
+          };
+        }
+        return res.json({ metrics: emptyMetrics });
+      }
+      const now = /* @__PURE__ */ new Date();
+      const sevenDaysAgo = new Date(now);
+      sevenDaysAgo.setDate(sevenDaysAgo.getDate() - 7);
+      const thirtyDaysAgo = new Date(now);
+      thirtyDaysAgo.setDate(thirtyDaysAgo.getDate() - 30);
+      const keyIds = keys.map((k) => k.id);
+      const queryStartTime = Date.now();
+      const metricsRaw = await prisma2.$queryRaw`
+        SELECT
+          api_key_id,
+          COUNT(*) FILTER (WHERE created_at >= ${sevenDaysAgo})::bigint AS calls_7d,
+          COUNT(*)::bigint AS calls_30d,
+          COUNT(*) FILTER (WHERE created_at >= ${sevenDaysAgo} AND status = 'SUCCESS')::bigint AS success_count_7d,
+          COUNT(*) FILTER (WHERE created_at >= ${sevenDaysAgo})::bigint AS total_count_7d,
+          AVG(duration_ms) FILTER (WHERE created_at >= ${sevenDaysAgo})::numeric AS avg_duration_ms,
+          MAX(created_at) AS last_used_at
+        FROM tool_execution_logs
+        WHERE tenant_id = ${tenantId}
+          AND api_key_id = ANY(${keyIds})
+          AND created_at >= ${thirtyDaysAgo}
+        GROUP BY api_key_id
+      `;
+      const metricsMap = {};
+      for (const key of keys) {
+        metricsMap[key.id] = {
+          calls7d: 0,
+          calls30d: 0,
+          successRate: 0,
+          avgDurationMs: 0,
+          lastUsedAt: null
+        };
+      }
+      for (const row of metricsRaw) {
+        const totalCount = Number(row.total_count_7d);
+        const successCount = Number(row.success_count_7d);
+        const successRate = totalCount > 0 ? successCount / totalCount * 100 : 0;
+        metricsMap[row.api_key_id] = {
+          calls7d: Number(row.calls_7d),
+          calls30d: Number(row.calls_30d),
+          successRate: Math.round(successRate * 10) / 10,
+          avgDurationMs: Math.round(row.avg_duration_ms ?? 0),
+          lastUsedAt: row.last_used_at?.toISOString() ?? null
+        };
+      }
+      const queryDuration = Date.now() - queryStartTime;
+      if (queryDuration > 500) {
+        logger4.warn("Batch API key metrics query exceeded 500ms", {
+          tenantId,
+          keyCount: keys.length,
+          durationMs: queryDuration
+        });
+      }
+      return res.json({ metrics: metricsMap });
+    } catch (error) {
+      logger4.error("batch metrics endpoint error", error, {
+        correlationId: req.headers["x-correlation-id"]
+      });
+      return res.status(500).json({
+        error: "Internal Server Error",
+        message: "Failed to compute API key metrics"
+      });
+    }
+  });
+  router.get("/:keyId/metrics", async (req, res) => {
+    try {
+      const tenantId = req.tenantContext?.tenantId;
+      if (!tenantId) {
+        return res.status(401).json({
+          error: "Unauthorized",
+          message: "Tenant context not found"
+        });
+      }
+      const { keyId } = req.params;
+      const key = await prisma2.apiKey.findFirst({
+        where: {
+          id: keyId,
+          tenantId,
+          revokedAt: null
+        },
+        select: { id: true }
+      });
+      if (!key) {
+        return res.status(404).json({
+          error: "Not Found",
+          message: "API key not found"
+        });
+      }
+      let tableExists = true;
+      try {
+        await prisma2.$queryRaw`SELECT 1 FROM tool_execution_logs LIMIT 1`;
+      } catch (error) {
+        if (error instanceof Error && (error.message.includes("does not exist") || error.message.includes("relation") || error.message.includes("table"))) {
+          tableExists = false;
+        } else {
+          throw error;
+        }
+      }
+      if (!tableExists) {
+        return res.json({
+          calls7d: 0,
+          calls30d: 0,
+          successRate: 0,
+          avgDurationMs: 0,
+          lastUsedAt: null
+        });
+      }
+      const now = /* @__PURE__ */ new Date();
+      const sevenDaysAgo = new Date(now);
+      sevenDaysAgo.setDate(sevenDaysAgo.getDate() - 7);
+      const thirtyDaysAgo = new Date(now);
+      thirtyDaysAgo.setDate(thirtyDaysAgo.getDate() - 30);
+      const baseWhere = {
+        tenantId,
+        apiKeyId: keyId
+      };
+      const queryStartTime = Date.now();
+      const [calls7d, calls30d, totalCalls, successCount, avgDuration, lastUsed] = await Promise.all([
+        // Calls in last 7 days
+        prisma2.toolExecutionLog.count({
+          where: {
+            ...baseWhere,
+            createdAt: { gte: sevenDaysAgo }
+          }
+        }),
+        // Calls in last 30 days
+        prisma2.toolExecutionLog.count({
+          where: {
+            ...baseWhere,
+            createdAt: { gte: thirtyDaysAgo }
+          }
+        }),
+        // Total calls (for success rate calculation)
+        prisma2.toolExecutionLog.count({
+          where: {
+            ...baseWhere,
+            createdAt: { gte: sevenDaysAgo }
+          }
+        }),
+        // Success count (for success rate calculation)
+        prisma2.toolExecutionLog.count({
+          where: {
+            ...baseWhere,
+            createdAt: { gte: sevenDaysAgo },
+            status: "SUCCESS"
+          }
+        }),
+        // Average duration
+        prisma2.toolExecutionLog.aggregate({
+          where: {
+            ...baseWhere,
+            createdAt: { gte: sevenDaysAgo },
+            durationMs: { not: null }
+          },
+          _avg: { durationMs: true }
+        }),
+        // Most recent execution
+        prisma2.toolExecutionLog.findFirst({
+          where: baseWhere,
+          orderBy: { createdAt: "desc" },
+          select: { createdAt: true }
+        })
+      ]);
+      const successRate = totalCalls > 0 ? successCount / totalCalls * 100 : 0;
+      const queryDuration = Date.now() - queryStartTime;
+      if (queryDuration > 200) {
+        logger4.warn("API key metrics query exceeded 200ms", {
+          keyId,
+          tenantId,
+          durationMs: queryDuration
+        });
+      }
+      const response = {
+        calls7d,
+        calls30d,
+        successRate: Math.round(successRate * 10) / 10,
+        // Round to 1 decimal place
+        avgDurationMs: Math.round(avgDuration._avg.durationMs ?? 0),
+        lastUsedAt: lastUsed?.createdAt.toISOString() ?? null
+      };
+      return res.json(response);
+    } catch (error) {
+      logger4.error("metrics endpoint error", error, {
+        correlationId: req.headers["x-correlation-id"]
+      });
+      return res.status(500).json({
+        error: "Internal Server Error",
+        message: "Failed to compute API key metrics"
+      });
+    }
+  });
   router.delete("/:keyId", async (req, res) => {
     try {
       const tenantId = req.tenantContext?.tenantId;
@@ -2363,7 +2328,10 @@ function createKeysRouter(options) {
       });
       return res.status(204).send();
     } catch (error) {
-      console.error("[KEYS API] Revocation error:", error);
+      logger4.error("API key revocation failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId,
+        keyId: req.params.keyId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred during key revocation"
@@ -2381,6 +2349,7 @@ import bcrypt3 from "bcrypt";
 import { Router as Router4 } from "express";
 import rateLimit2 from "express-rate-limit";
 import { z as z4 } from "zod";
+var logger5 = createLogger("api/auth");
 var loginSchema = z4.object({
   email: z4.string().email("Invalid email format"),
   password: z4.string().min(1, "Password is required")
@@ -2467,13 +2436,14 @@ function createAuthRouter(_config) {
           }
         }
       }
+      const sameSiteSetting = isProduction ? "none" : "lax";
       res.cookie("session_id", sessionId, {
         httpOnly: true,
         // Prevents JavaScript access (XSS protection)
         secure: isProduction,
-        // HTTPS only in production
-        sameSite: "lax",
-        // CSRF protection
+        // HTTPS only in production (required for SameSite=None)
+        sameSite: sameSiteSetting,
+        // 'none' in production for Claude.ai OAuth iframe compatibility
         path: "/",
         // Explicitly set path
         domain: cookieDomain,
@@ -2498,7 +2468,7 @@ function createAuthRouter(_config) {
         }
       });
     } catch (error) {
-      console.error("[POST /auth/login] Unexpected error:", error);
+      logger5.error("Login failed", error instanceof Error ? error : void 0);
       res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred"
@@ -2527,7 +2497,7 @@ function createAuthRouter(_config) {
         res.clearCookie("session_id", {
           httpOnly: true,
           secure: isProduction,
-          sameSite: "lax",
+          sameSite: isProduction ? "none" : "lax",
           path: "/",
           domain: cookieDomain
         });
@@ -2555,14 +2525,14 @@ function createAuthRouter(_config) {
         res.clearCookie("session_id", {
           httpOnly: true,
           secure: isProduction,
-          sameSite: "lax",
+          sameSite: isProduction ? "none" : "lax",
           path: "/",
           domain: cookieDomain
         });
       }
       res.status(204).send();
     } catch (error) {
-      console.error("[POST /auth/logout] Unexpected error:", error);
+      logger5.error("Logout failed", error instanceof Error ? error : void 0);
       res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred"
@@ -2575,9 +2545,36 @@ function createAuthRouter(_config) {
 // src/api/activity.ts
 import { Router as Router5 } from "express";
 import { z as z5 } from "zod";
+var logger6 = createLogger("api/activity");
 var usageSummaryQuerySchema = z5.object({
   months: z5.coerce.number().int().min(1).max(24).default(6)
 });
+var activityLogsQuerySchema = z5.object({
+  page: z5.coerce.number().int().min(1).default(1),
+  limit: z5.coerce.number().int().min(1).transform((val) => Math.min(val, 100)).default(50),
+  toolName: z5.string().optional(),
+  clientType: z5.enum(["api_key", "oauth_client"]).optional(),
+  oauthClientId: z5.string().uuid("Invalid OAuth client ID format").optional(),
+  apiKeyId: z5.string().uuid("Invalid API key ID format").optional(),
+  shopId: z5.string().uuid("Invalid shop ID format").optional(),
+  status: z5.enum(["SUCCESS", "ERROR", "VALIDATION_ERROR", "AUTH_ERROR", "TIMEOUT"]).optional(),
+  startDate: z5.string().datetime().optional(),
+  endDate: z5.string().datetime().optional()
+}).refine(
+  (data) => {
+    if (data.startDate && data.endDate) {
+      return new Date(data.endDate) >= new Date(data.startDate);
+    }
+    return true;
+  },
+  {
+    message: "endDate must be greater than or equal to startDate",
+    path: ["endDate"]
+  }
+);
+var activityStatsQuerySchema = z5.object({
+  period: z5.enum(["7d", "30d", "90d"]).default("7d")
+});
 function startOfMonth(d) {
   const out = new Date(d);
   out.setDate(1);
@@ -2640,18 +2637,453 @@ function createActivityRouter() {
       };
       return res.json(response);
     } catch (error) {
-      console.error("[ACTIVITY API] usage-summary error:", error);
+      logger6.error("usage-summary error", error);
       return res.status(500).json({
         error: "Internal Server Error",
         message: "Failed to compute usage summary"
       });
     }
   });
+  router.get("/logs", async (req, res) => {
+    try {
+      const tenantId = req.tenantContext?.tenantId;
+      if (!tenantId) {
+        return res.status(401).json({
+          error: "Unauthorized",
+          message: "Tenant context not found"
+        });
+      }
+      const parsed = activityLogsQuerySchema.safeParse(req.query);
+      if (!parsed.success) {
+        return res.status(400).json({
+          error: "Validation Error",
+          message: "Invalid query parameters",
+          details: parsed.error.errors
+        });
+      }
+      const {
+        page,
+        limit,
+        toolName,
+        clientType,
+        oauthClientId,
+        apiKeyId,
+        shopId,
+        status,
+        startDate,
+        endDate
+      } = parsed.data;
+      let tableExists = true;
+      try {
+        await prisma2.$queryRaw`SELECT 1 FROM tool_execution_logs LIMIT 1`;
+      } catch (error) {
+        if (error instanceof Error && (error.message.includes("does not exist") || error.message.includes("relation") || error.message.includes("table"))) {
+          tableExists = false;
+        } else {
+          throw error;
+        }
+      }
+      if (!tableExists) {
+        const response2 = {
+          logs: [],
+          pagination: {
+            page,
+            limit,
+            total: 0,
+            hasMore: false
+          }
+        };
+        return res.json(response2);
+      }
+      const where = {
+        tenantId,
+        ...toolName && { toolName },
+        ...clientType && { clientType },
+        ...oauthClientId && { oauthClientId },
+        ...apiKeyId && { apiKeyId },
+        ...shopId && { shopId },
+        ...status && { status },
+        ...(startDate || endDate) && {
+          createdAt: {
+            ...startDate && { gte: new Date(startDate) },
+            ...endDate && { lte: new Date(endDate) }
+          }
+        }
+      };
+      const skip = (page - 1) * limit;
+      const take = limit;
+      const [logs, total] = await Promise.all([
+        prisma2.toolExecutionLog.findMany({
+          where,
+          skip,
+          take,
+          orderBy: { createdAt: "desc" },
+          select: {
+            id: true,
+            toolName: true,
+            toolModule: true,
+            status: true,
+            clientType: true,
+            oauthClientId: true,
+            apiKeyId: true,
+            shopDomain: true,
+            durationMs: true,
+            createdAt: true
+          }
+        }),
+        prisma2.toolExecutionLog.count({ where })
+      ]);
+      const clientIds = /* @__PURE__ */ new Set();
+      for (const log3 of logs) {
+        if (log3.oauthClientId) clientIds.add(log3.oauthClientId);
+        if (log3.apiKeyId) clientIds.add(log3.apiKeyId);
+      }
+      const [oauthClients, apiKeys] = await Promise.all([
+        clientIds.size > 0 && logs.some((log3) => log3.oauthClientId) ? prisma2.oAuthClient.findMany({
+          where: {
+            id: { in: Array.from(clientIds) }
+          },
+          select: { id: true, clientName: true }
+        }) : Promise.resolve([]),
+        clientIds.size > 0 && logs.some((log3) => log3.apiKeyId) ? prisma2.apiKey.findMany({
+          where: {
+            id: { in: Array.from(clientIds) },
+            tenantId
+          },
+          select: { id: true, name: true }
+        }) : Promise.resolve([])
+      ]);
+      const clientNameMap = /* @__PURE__ */ new Map();
+      for (const client of oauthClients) {
+        clientNameMap.set(client.id, client.clientName);
+      }
+      for (const key of apiKeys) {
+        clientNameMap.set(key.id, key.name);
+      }
+      const responseLogs = logs.filter((log3) => log3.createdAt && !Number.isNaN(new Date(log3.createdAt).getTime())).map((log3) => ({
+        id: log3.id,
+        toolName: log3.toolName,
+        toolModule: log3.toolModule ?? void 0,
+        status: log3.status,
+        clientType: log3.clientType,
+        clientName: log3.oauthClientId ? clientNameMap.get(log3.oauthClientId) : log3.apiKeyId ? clientNameMap.get(log3.apiKeyId) : void 0,
+        shopDomain: log3.shopDomain ?? void 0,
+        durationMs: log3.durationMs ?? void 0,
+        createdAt: new Date(log3.createdAt).toISOString()
+      }));
+      const response = {
+        logs: responseLogs,
+        pagination: {
+          page,
+          limit,
+          total,
+          hasMore: skip + take < total
+        }
+      };
+      return res.json(response);
+    } catch (error) {
+      logger6.error("logs endpoint error", error, {
+        correlationId: req.headers["x-correlation-id"]
+      });
+      return res.status(500).json({
+        error: "Internal Server Error",
+        message: "Failed to fetch activity logs"
+      });
+    }
+  });
+  router.get("/logs/:id", async (req, res) => {
+    try {
+      const tenantId = req.tenantContext?.tenantId;
+      if (!tenantId) {
+        return res.status(401).json({
+          error: "Unauthorized",
+          message: "Tenant context not found"
+        });
+      }
+      const logId = req.params.id;
+      const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+      if (!uuidRegex.test(logId)) {
+        return res.status(400).json({
+          error: "Validation Error",
+          message: "Invalid log ID format"
+        });
+      }
+      let tableExists = true;
+      try {
+        await prisma2.$queryRaw`SELECT 1 FROM tool_execution_logs LIMIT 1`;
+      } catch {
+        tableExists = false;
+      }
+      if (!tableExists) {
+        return res.status(404).json({
+          error: "Not Found",
+          message: "Log entry not found"
+        });
+      }
+      const log3 = await prisma2.toolExecutionLog.findFirst({
+        where: {
+          id: logId,
+          tenantId
+          // Ensure tenant isolation
+        },
+        select: {
+          id: true,
+          toolName: true,
+          toolModule: true,
+          status: true,
+          clientType: true,
+          oauthClientId: true,
+          apiKeyId: true,
+          shopDomain: true,
+          durationMs: true,
+          createdAt: true,
+          inputParams: true,
+          outputSummary: true,
+          correlationId: true,
+          errorCode: true,
+          errorMessage: true
+        }
+      });
+      if (!log3) {
+        return res.status(404).json({
+          error: "Not Found",
+          message: "Log entry not found"
+        });
+      }
+      let clientName;
+      if (log3.oauthClientId) {
+        const oauthClient = await prisma2.oAuthClient.findUnique({
+          where: { id: log3.oauthClientId },
+          select: { clientName: true }
+        });
+        clientName = oauthClient?.clientName;
+      } else if (log3.apiKeyId) {
+        const apiKey = await prisma2.apiKey.findUnique({
+          where: { id: log3.apiKeyId, tenantId },
+          select: { name: true }
+        });
+        clientName = apiKey?.name;
+      }
+      const response = {
+        id: log3.id,
+        toolName: log3.toolName,
+        toolModule: log3.toolModule ?? void 0,
+        status: log3.status,
+        clientType: log3.clientType,
+        clientName,
+        shopDomain: log3.shopDomain ?? void 0,
+        durationMs: log3.durationMs ?? void 0,
+        createdAt: new Date(log3.createdAt).toISOString(),
+        inputParams: log3.inputParams ?? void 0,
+        outputSummary: log3.outputSummary ?? void 0,
+        correlationId: log3.correlationId ?? void 0,
+        errorCode: log3.errorCode ?? void 0,
+        errorMessage: log3.errorMessage ?? void 0
+      };
+      return res.json(response);
+    } catch (error) {
+      logger6.error("log details endpoint error", error, {
+        correlationId: req.headers["x-correlation-id"],
+        logId: req.params.id
+      });
+      return res.status(500).json({
+        error: "Internal Server Error",
+        message: "Failed to fetch log details"
+      });
+    }
+  });
+  router.get("/stats", async (req, res) => {
+    try {
+      const tenantId = req.tenantContext?.tenantId;
+      if (!tenantId) {
+        return res.status(401).json({
+          error: "Unauthorized",
+          message: "Tenant context not found"
+        });
+      }
+      const parsed = activityStatsQuerySchema.safeParse(req.query);
+      if (!parsed.success) {
+        return res.status(400).json({
+          error: "Validation Error",
+          message: "Invalid query parameters",
+          details: parsed.error.errors
+        });
+      }
+      const { period } = parsed.data;
+      const now = /* @__PURE__ */ new Date();
+      const days = period === "7d" ? 7 : period === "30d" ? 30 : 90;
+      const startDate = new Date(now);
+      startDate.setDate(startDate.getDate() - days);
+      const baseWhere = {
+        tenantId,
+        createdAt: { gte: startDate }
+      };
+      let tableExists = true;
+      try {
+        await prisma2.$queryRaw`SELECT 1 FROM tool_execution_logs LIMIT 1`;
+      } catch (error) {
+        if (error instanceof Error && (error.message.includes("does not exist") || error.message.includes("relation") || error.message.includes("table"))) {
+          tableExists = false;
+        } else {
+          throw error;
+        }
+      }
+      if (!tableExists) {
+        const response2 = {
+          period,
+          totalCalls: 0,
+          successRate: 0,
+          avgDurationMs: 0,
+          topTools: [],
+          byClient: [],
+          byShop: [],
+          byDay: []
+        };
+        return res.json(response2);
+      }
+      const [totalCalls, successCount, avgDuration, topTools, byClientGroup, byShopRaw] = await Promise.all([
+        // Total calls
+        prisma2.toolExecutionLog.count({ where: baseWhere }),
+        // Success count
+        prisma2.toolExecutionLog.count({
+          where: {
+            ...baseWhere,
+            status: "SUCCESS"
+          }
+        }),
+        // Average duration
+        prisma2.toolExecutionLog.aggregate({
+          where: baseWhere,
+          _avg: { durationMs: true }
+        }),
+        // Top 10 tools
+        prisma2.toolExecutionLog.groupBy({
+          by: ["toolName"],
+          where: baseWhere,
+          _count: { id: true },
+          orderBy: { _count: { id: "desc" } },
+          take: 10
+        }),
+        // By client
+        prisma2.toolExecutionLog.groupBy({
+          by: ["clientType", "oauthClientId", "apiKeyId"],
+          where: baseWhere,
+          _count: { id: true }
+        }),
+        // By shop - using raw SQL for better aggregation
+        tableExists ? prisma2.$queryRaw`
+                SELECT 
+                  shop_domain AS "shopDomain",
+                  COUNT(*)::bigint AS calls,
+                  COUNT(*) FILTER (WHERE status = 'SUCCESS')::bigint AS "successCount",
+                  AVG(duration_ms)::numeric AS "avgDuration"
+                FROM tool_execution_logs
+                WHERE tenant_id = ${tenantId}
+                  AND created_at >= ${startDate}
+                  AND shop_domain IS NOT NULL
+                GROUP BY shop_domain
+                ORDER BY calls DESC
+              ` : Promise.resolve([])
+      ]);
+      const byDayRaw = tableExists ? await prisma2.$queryRaw`
+            SELECT 
+              date_trunc('day', created_at)::date AS date,
+              COUNT(*)::bigint AS calls,
+              COUNT(*) FILTER (WHERE status != 'SUCCESS')::bigint AS errors
+            FROM tool_execution_logs
+            WHERE tenant_id = ${tenantId}
+              AND created_at >= ${startDate}
+            GROUP BY 1
+            ORDER BY 1 ASC
+          ` : [];
+      const clientIds = /* @__PURE__ */ new Set();
+      for (const group of byClientGroup) {
+        if (group.oauthClientId) clientIds.add(group.oauthClientId);
+        if (group.apiKeyId) clientIds.add(group.apiKeyId);
+      }
+      const [oauthClients, apiKeys] = await Promise.all([
+        clientIds.size > 0 && byClientGroup.some((g) => g.oauthClientId) ? prisma2.oAuthClient.findMany({
+          where: {
+            id: { in: Array.from(clientIds) }
+          },
+          select: { id: true, clientName: true }
+        }) : Promise.resolve([]),
+        clientIds.size > 0 && byClientGroup.some((g) => g.apiKeyId) ? prisma2.apiKey.findMany({
+          where: {
+            id: { in: Array.from(clientIds) },
+            tenantId
+          },
+          select: { id: true, name: true }
+        }) : Promise.resolve([])
+      ]);
+      const clientNameMap = /* @__PURE__ */ new Map();
+      for (const client of oauthClients) {
+        clientNameMap.set(client.id, client.clientName);
+      }
+      for (const key of apiKeys) {
+        clientNameMap.set(key.id, key.name);
+      }
+      const successRate = totalCalls > 0 ? successCount / totalCalls * 100 : 0;
+      const avgDurationMs = avgDuration._avg.durationMs ?? 0;
+      const topToolsFormatted = topTools.map((tool) => ({
+        name: tool.toolName,
+        calls: tool._count.id
+      }));
+      const byClientFormatted = byClientGroup.map((group) => ({
+        clientId: group.oauthClientId ?? void 0,
+        clientName: group.oauthClientId ? clientNameMap.get(group.oauthClientId) : void 0,
+        apiKeyId: group.apiKeyId ?? void 0,
+        keyName: group.apiKeyId ? clientNameMap.get(group.apiKeyId) : void 0,
+        type: group.clientType === "oauth_client" ? "oauth" : "api_key",
+        calls: group._count.id
+      }));
+      const byShopFormatted = byShopRaw.filter((row) => row.shopDomain).map((row) => {
+        const calls = Number(row.calls);
+        const successCount2 = Number(row.successCount ?? 0);
+        const successRate2 = calls > 0 ? successCount2 / calls * 100 : 0;
+        const avgDurationMs2 = row.avgDuration ? Number(row.avgDuration) : null;
+        return {
+          shopDomain: row.shopDomain,
+          calls,
+          successRate: Math.round(successRate2 * 100) / 100,
+          // Round to 2 decimal places
+          avgDurationMs: avgDurationMs2 ? Math.round(avgDurationMs2) : void 0
+        };
+      });
+      const byDayFormatted = byDayRaw.filter((row) => row.date && !Number.isNaN(new Date(row.date).getTime())).map((row) => ({
+        date: new Date(row.date).toISOString().split("T")[0],
+        // YYYY-MM-DD
+        calls: Number(row.calls),
+        errors: Number(row.errors)
+      }));
+      const response = {
+        period,
+        totalCalls,
+        successRate: Math.round(successRate * 100) / 100,
+        // Round to 2 decimal places
+        avgDurationMs: Math.round(avgDurationMs),
+        topTools: topToolsFormatted,
+        byClient: byClientFormatted,
+        byShop: byShopFormatted,
+        byDay: byDayFormatted
+      };
+      return res.json(response);
+    } catch (error) {
+      logger6.error("stats endpoint error", error, {
+        correlationId: req.headers["x-correlation-id"]
+      });
+      return res.status(500).json({
+        error: "Internal Server Error",
+        message: "Failed to compute activity statistics"
+      });
+    }
+  });
   return router;
 }
 
 // src/api/oauth-clients.ts
 import { Router as Router6 } from "express";
+var logger7 = createLogger("api/oauth-clients");
 var OAUTH_CLIENT_REVOKE_ACTION = "oauth_client:revoke";
 function createOAuthClientsRouter(options) {
   const { auditLogger: auditLogger2 } = options;
@@ -2669,10 +3101,309 @@ function createOAuthClientsRouter(options) {
       const clients = await getAuthorizedClients(prisma2, tenantId);
       return res.json({ clients });
     } catch (error) {
-      console.error("[OAUTH-CLIENTS API] List error:", error);
+      logger7.error("OAuth clients listing failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId
+      });
+      return res.status(500).json({
+        error: "Internal Server Error",
+        message: "An unexpected error occurred while listing OAuth clients"
+      });
+    }
+  });
+  router.get("/metrics/batch", async (req, res) => {
+    try {
+      const tenantId = req.tenantContext?.tenantId;
+      if (!tenantId) {
+        return res.status(401).json({
+          error: "Unauthorized",
+          message: "Tenant context not found"
+        });
+      }
+      const activeTokens = await prisma2.oAuthRefreshToken.findMany({
+        where: {
+          tenantId,
+          revokedAt: null
+        },
+        select: {
+          clientId: true,
+          // This is the external clientId string
+          client: {
+            select: { id: true }
+            // This is the database CUID
+          }
+        },
+        distinct: ["clientId"]
+      });
+      if (activeTokens.length === 0) {
+        return res.json({ metrics: {} });
+      }
+      let tableExists = true;
+      try {
+        await prisma2.$queryRaw`SELECT 1 FROM tool_execution_logs LIMIT 1`;
+      } catch (error) {
+        if (error instanceof Error && (error.message.includes("does not exist") || error.message.includes("relation") || error.message.includes("table"))) {
+          tableExists = false;
+        } else {
+          throw error;
+        }
+      }
+      if (!tableExists) {
+        const emptyMetrics = {};
+        for (const token of activeTokens) {
+          emptyMetrics[token.clientId] = {
+            calls7d: 0,
+            calls30d: 0,
+            successRate: 0,
+            avgDurationMs: 0,
+            topTools: [],
+            lastUsedAt: null
+          };
+        }
+        return res.json({ metrics: emptyMetrics });
+      }
+      const now = /* @__PURE__ */ new Date();
+      const sevenDaysAgo = new Date(now);
+      sevenDaysAgo.setDate(sevenDaysAgo.getDate() - 7);
+      const thirtyDaysAgo = new Date(now);
+      thirtyDaysAgo.setDate(thirtyDaysAgo.getDate() - 30);
+      const clientIdToDbId = /* @__PURE__ */ new Map();
+      const dbIdToClientId = /* @__PURE__ */ new Map();
+      const dbIds = [];
+      for (const token of activeTokens) {
+        clientIdToDbId.set(token.clientId, token.client.id);
+        dbIdToClientId.set(token.client.id, token.clientId);
+        dbIds.push(token.client.id);
+      }
+      const queryStartTime = Date.now();
+      const metricsRaw = await prisma2.$queryRaw`
+        SELECT
+          oauth_client_id,
+          COUNT(*) FILTER (WHERE created_at >= ${sevenDaysAgo})::bigint AS calls_7d,
+          COUNT(*)::bigint AS calls_30d,
+          COUNT(*) FILTER (WHERE created_at >= ${sevenDaysAgo} AND status = 'SUCCESS')::bigint AS success_count_7d,
+          COUNT(*) FILTER (WHERE created_at >= ${sevenDaysAgo})::bigint AS total_count_7d,
+          AVG(duration_ms) FILTER (WHERE created_at >= ${sevenDaysAgo})::numeric AS avg_duration_ms,
+          MAX(created_at) AS last_used_at
+        FROM tool_execution_logs
+        WHERE tenant_id = ${tenantId}
+          AND oauth_client_id = ANY(${dbIds})
+          AND created_at >= ${thirtyDaysAgo}
+        GROUP BY oauth_client_id
+      `;
+      const topToolsRaw = await prisma2.$queryRaw`
+        WITH ranked_tools AS (
+          SELECT
+            oauth_client_id,
+            tool_name,
+            COUNT(*)::bigint AS call_count,
+            ROW_NUMBER() OVER (PARTITION BY oauth_client_id ORDER BY COUNT(*) DESC) AS rn
+          FROM tool_execution_logs
+          WHERE tenant_id = ${tenantId}
+            AND oauth_client_id = ANY(${dbIds})
+            AND created_at >= ${sevenDaysAgo}
+          GROUP BY oauth_client_id, tool_name
+        )
+        SELECT oauth_client_id, tool_name, call_count
+        FROM ranked_tools
+        WHERE rn <= 3
+      `;
+      const topToolsByDbId = /* @__PURE__ */ new Map();
+      for (const row of topToolsRaw) {
+        const existing = topToolsByDbId.get(row.oauth_client_id) ?? [];
+        existing.push({ name: row.tool_name, calls: Number(row.call_count) });
+        topToolsByDbId.set(row.oauth_client_id, existing);
+      }
+      const metricsMap = {};
+      for (const token of activeTokens) {
+        metricsMap[token.clientId] = {
+          calls7d: 0,
+          calls30d: 0,
+          successRate: 0,
+          avgDurationMs: 0,
+          topTools: [],
+          lastUsedAt: null
+        };
+      }
+      for (const row of metricsRaw) {
+        const externalClientId = dbIdToClientId.get(row.oauth_client_id);
+        if (!externalClientId) continue;
+        const totalCount = Number(row.total_count_7d);
+        const successCount = Number(row.success_count_7d);
+        const successRate = totalCount > 0 ? successCount / totalCount * 100 : 0;
+        metricsMap[externalClientId] = {
+          calls7d: Number(row.calls_7d),
+          calls30d: Number(row.calls_30d),
+          successRate: Math.round(successRate * 10) / 10,
+          avgDurationMs: Math.round(row.avg_duration_ms ?? 0),
+          topTools: topToolsByDbId.get(row.oauth_client_id) ?? [],
+          lastUsedAt: row.last_used_at?.toISOString() ?? null
+        };
+      }
+      const queryDuration = Date.now() - queryStartTime;
+      if (queryDuration > 500) {
+        logger7.warn("Batch OAuth client metrics query exceeded 500ms", {
+          tenantId,
+          clientCount: activeTokens.length,
+          durationMs: queryDuration
+        });
+      }
+      return res.json({ metrics: metricsMap });
+    } catch (error) {
+      logger7.error("batch metrics endpoint error", error, {
+        correlationId: req.headers["x-correlation-id"]
+      });
+      return res.status(500).json({
+        error: "Internal Server Error",
+        message: "Failed to compute OAuth client metrics"
+      });
+    }
+  });
+  router.get("/:clientId/metrics", async (req, res) => {
+    try {
+      const tenantId = req.tenantContext?.tenantId;
+      if (!tenantId) {
+        return res.status(401).json({
+          error: "Unauthorized",
+          message: "Tenant context not found"
+        });
+      }
+      const { clientId } = req.params;
+      const clientRecord = await prisma2.oAuthRefreshToken.findFirst({
+        where: {
+          clientId,
+          tenantId,
+          revokedAt: null
+        },
+        include: {
+          client: {
+            select: { id: true }
+          }
+        }
+      });
+      if (!clientRecord) {
+        return res.status(404).json({
+          error: "Not Found",
+          message: "OAuth client not found or no active tokens"
+        });
+      }
+      const oauthClientDbId = clientRecord.client.id;
+      let tableExists = true;
+      try {
+        await prisma2.$queryRaw`SELECT 1 FROM tool_execution_logs LIMIT 1`;
+      } catch (error) {
+        if (error instanceof Error && (error.message.includes("does not exist") || error.message.includes("relation") || error.message.includes("table"))) {
+          tableExists = false;
+        } else {
+          throw error;
+        }
+      }
+      if (!tableExists) {
+        return res.json({
+          calls7d: 0,
+          calls30d: 0,
+          successRate: 0,
+          avgDurationMs: 0,
+          topTools: [],
+          lastUsedAt: null
+        });
+      }
+      const now = /* @__PURE__ */ new Date();
+      const sevenDaysAgo = new Date(now);
+      sevenDaysAgo.setDate(sevenDaysAgo.getDate() - 7);
+      const thirtyDaysAgo = new Date(now);
+      thirtyDaysAgo.setDate(thirtyDaysAgo.getDate() - 30);
+      const baseWhere = {
+        tenantId,
+        oauthClientId: oauthClientDbId
+      };
+      const queryStartTime = Date.now();
+      const [calls7d, calls30d, totalCalls, successCount, avgDuration, topTools, lastUsed] = await Promise.all([
+        // Calls in last 7 days
+        prisma2.toolExecutionLog.count({
+          where: {
+            ...baseWhere,
+            createdAt: { gte: sevenDaysAgo }
+          }
+        }),
+        // Calls in last 30 days
+        prisma2.toolExecutionLog.count({
+          where: {
+            ...baseWhere,
+            createdAt: { gte: thirtyDaysAgo }
+          }
+        }),
+        // Total calls (for success rate calculation)
+        prisma2.toolExecutionLog.count({
+          where: {
+            ...baseWhere,
+            createdAt: { gte: sevenDaysAgo }
+          }
+        }),
+        // Success count (for success rate calculation)
+        prisma2.toolExecutionLog.count({
+          where: {
+            ...baseWhere,
+            createdAt: { gte: sevenDaysAgo },
+            status: "SUCCESS"
+          }
+        }),
+        // Average duration
+        prisma2.toolExecutionLog.aggregate({
+          where: {
+            ...baseWhere,
+            createdAt: { gte: sevenDaysAgo },
+            durationMs: { not: null }
+          },
+          _avg: { durationMs: true }
+        }),
+        // Top 3 tools by call count in last 7 days
+        prisma2.toolExecutionLog.groupBy({
+          by: ["toolName"],
+          where: {
+            ...baseWhere,
+            createdAt: { gte: sevenDaysAgo }
+          },
+          _count: { id: true },
+          orderBy: { _count: { id: "desc" } },
+          take: 3
+        }),
+        // Most recent execution
+        prisma2.toolExecutionLog.findFirst({
+          where: baseWhere,
+          orderBy: { createdAt: "desc" },
+          select: { createdAt: true }
+        })
+      ]);
+      const successRate = totalCalls > 0 ? successCount / totalCalls * 100 : 0;
+      const topToolsFormatted = topTools.map((tool) => ({
+        name: tool.toolName,
+        calls: tool._count.id
+      }));
+      const queryDuration = Date.now() - queryStartTime;
+      if (queryDuration > 200) {
+        logger7.warn("OAuth client metrics query exceeded 200ms", {
+          clientId,
+          tenantId,
+          durationMs: queryDuration
+        });
+      }
+      const response = {
+        calls7d,
+        calls30d,
+        successRate: Math.round(successRate * 10) / 10,
+        // Round to 1 decimal place
+        avgDurationMs: Math.round(avgDuration._avg.durationMs ?? 0),
+        topTools: topToolsFormatted,
+        lastUsedAt: lastUsed?.createdAt.toISOString() ?? null
+      };
+      return res.json(response);
+    } catch (error) {
+      logger7.error("metrics endpoint error", error, {
+        correlationId: req.headers["x-correlation-id"]
+      });
       return res.status(500).json({
         error: "Internal Server Error",
-        message: "An unexpected error occurred while listing OAuth clients"
+        message: "Failed to compute OAuth client metrics"
       });
     }
   });
@@ -2733,7 +3464,10 @@ function createOAuthClientsRouter(options) {
       });
       return res.status(204).send();
     } catch (error) {
-      console.error("[OAUTH-CLIENTS API] Revocation error:", error);
+      logger7.error("OAuth client revocation failed", error instanceof Error ? error : void 0, {
+        tenantId: req.tenantContext?.tenantId,
+        clientId: req.params.clientId
+      });
       return res.status(500).json({
         error: "Internal Server Error",
         message: "An unexpected error occurred during revocation"
@@ -2826,7 +3560,7 @@ var oauthClientsRouter = createOAuthClientsRouter({
 });
 
 // src/lifecycle/shutdown.ts
-var logger2 = createLogger("lifecycle/shutdown");
+var logger8 = createLogger("lifecycle/shutdown");
 var ShutdownManager = class {
   /** Current shutdown state */
   _state = "running";
@@ -2956,20 +3690,20 @@ var ShutdownManager = class {
    */
   registerSignalHandlers() {
     process.on("SIGTERM", () => {
-      logger2.info("Received SIGTERM signal");
+      logger8.info("Received SIGTERM signal");
       this.initiateShutdown().catch((error) => {
-        logger2.error("Shutdown failed", error instanceof Error ? error : void 0);
+        logger8.error("Shutdown failed", error instanceof Error ? error : void 0);
         process.exit(1);
       });
     });
     process.on("SIGINT", () => {
-      logger2.info("Received SIGINT signal");
+      logger8.info("Received SIGINT signal");
       this.initiateShutdown().catch((error) => {
-        logger2.error("Shutdown failed", error instanceof Error ? error : void 0);
+        logger8.error("Shutdown failed", error instanceof Error ? error : void 0);
         process.exit(1);
       });
     });
-    logger2.debug("Signal handlers registered (SIGTERM, SIGINT)");
+    logger8.debug("Signal handlers registered (SIGTERM, SIGINT)");
   }
   /**
    * Initiate graceful shutdown
@@ -2987,13 +3721,13 @@ var ShutdownManager = class {
    */
   async initiateShutdown() {
     if (this.shutdownInProgress) {
-      logger2.debug("Shutdown already in progress, ignoring duplicate call");
+      logger8.debug("Shutdown already in progress, ignoring duplicate call");
       return;
     }
     this.shutdownInProgress = true;
     this._state = "draining";
     this.drainingStartedAt = /* @__PURE__ */ new Date();
-    logger2.info("Shutdown initiated", {
+    logger8.info("Shutdown initiated", {
       drainTimeoutMs: this.drainTimeoutMs,
       activeConnections: this.getRemainingConnections()
     });
@@ -3009,11 +3743,11 @@ var ShutdownManager = class {
     }
     if (this.mcpSessionsCleanup) {
       try {
-        logger2.debug("Closing MCP sessions");
+        logger8.debug("Closing MCP sessions");
         await this.withTimeout(this.mcpSessionsCleanup(), 5e3, "MCP sessions cleanup");
-        logger2.debug("MCP sessions closed");
+        logger8.debug("MCP sessions closed");
       } catch (error) {
-        logger2.error("Failed to close MCP sessions", error instanceof Error ? error : void 0);
+        logger8.error("Failed to close MCP sessions", error instanceof Error ? error : void 0);
       }
     }
     const summary = await this.runCleanupCallbacks();
@@ -3031,14 +3765,14 @@ var ShutdownManager = class {
         resolve();
         return;
       }
-      logger2.debug("Stopping HTTP server from accepting new connections");
+      logger8.debug("Stopping HTTP server from accepting new connections");
       this.httpServer.close((error) => {
         if (error) {
           if (error.code !== "ERR_SERVER_NOT_RUNNING") {
-            logger2.warn("HTTP server close error", { error: error.message });
+            logger8.warn("HTTP server close error", { error: error.message });
           }
         }
-        logger2.debug("HTTP server stopped accepting connections");
+        logger8.debug("HTTP server stopped accepting connections");
         resolve();
       });
     });
@@ -3051,7 +3785,7 @@ var ShutdownManager = class {
     while (this.getRemainingConnections() > 0) {
       await new Promise((resolve) => setTimeout(resolve, pollInterval));
     }
-    logger2.debug("All connections drained");
+    logger8.debug("All connections drained");
   }
   /**
    * Create drain timeout promise
@@ -3059,7 +3793,7 @@ var ShutdownManager = class {
   createDrainTimeout() {
     return new Promise((resolve) => {
       this.drainTimeoutTimer = setTimeout(() => {
-        logger2.warn("Drain timeout reached, proceeding with shutdown", {
+        logger8.warn("Drain timeout reached, proceeding with shutdown", {
           remainingConnections: this.getRemainingConnections(),
           drainTimeoutMs: this.drainTimeoutMs
         });
@@ -3074,7 +3808,7 @@ var ShutdownManager = class {
   async runCleanupCallbacks() {
     const drainTimeMs = this.drainingStartedAt ? Date.now() - this.drainingStartedAt.getTime() : 0;
     let cleanupErrors = 0;
-    logger2.debug("Running cleanup callbacks", {
+    logger8.debug("Running cleanup callbacks", {
       count: this.cleanupCallbacks.length
     });
     for (let i = 0; i < this.cleanupCallbacks.length; i++) {
@@ -3087,7 +3821,7 @@ var ShutdownManager = class {
         );
       } catch (error) {
         cleanupErrors++;
-        logger2.error(
+        logger8.error(
           `Cleanup callback ${i + 1} failed`,
           error instanceof Error ? error : void 0
         );
@@ -3121,7 +3855,7 @@ var ShutdownManager = class {
    * Log final shutdown summary
    */
   logShutdownSummary(summary) {
-    logger2.info("Shutdown complete", {
+    logger8.info("Shutdown complete", {
       drainTimeMs: summary.drainTimeMs,
       cleanupCallbacksRun: summary.cleanupCallbacksRun,
       cleanupErrors: summary.cleanupErrors,
@@ -3208,36 +3942,6 @@ var ShutdownManager = class {
 };
 var shutdownManager = new ShutdownManager();
 
-// src/logging/correlation.ts
-import { randomUUID as randomUUID2 } from "crypto";
-var CORRELATION_ID_HEADER = "X-Correlation-ID";
-var UUID_V4_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
-function generateCorrelationId() {
-  return randomUUID2();
-}
-function isValidCorrelationId(id) {
-  return UUID_V4_REGEX.test(id);
-}
-function correlationMiddleware(req, res, next) {
-  const headerValue = req.headers[CORRELATION_ID_HEADER.toLowerCase()];
-  let correlationId;
-  if (headerValue && isValidCorrelationId(headerValue)) {
-    correlationId = headerValue;
-  } else {
-    correlationId = generateCorrelationId();
-  }
-  res.locals.correlationId = correlationId;
-  if (typeof res.set === "function") {
-    res.set(
-      CORRELATION_ID_HEADER,
-      correlationId
-    );
-  } else {
-    res.setHeader(CORRELATION_ID_HEADER, correlationId);
-  }
-  next();
-}
-
 // src/metrics/registry.ts
 import { Counter, Gauge, Histogram, Registry, collectDefaultMetrics } from "prom-client";
 var METRICS_PREFIX = "shopify_mcp_";
@@ -3920,10 +4624,10 @@ var OAuthDiscoveryService = class {
       // Used by ChatGPT for automatic client registration
       registration_endpoint: `${this.baseUrl}/oauth/register`,
       // Supported authentication methods at token endpoint
-      // Client authentication is required for token exchange
       // "client_secret_post" - credentials in request body (client_id, client_secret)
       // "client_secret_basic" - credentials in Authorization header (Basic auth)
-      token_endpoint_auth_methods_supported: ["client_secret_post", "client_secret_basic"],
+      // "none" - public client with PKCE only (required for Claude.ai)
+      token_endpoint_auth_methods_supported: ["client_secret_post", "client_secret_basic", "none"],
       // Supported grant types
       // authorization_code: Standard OAuth 2.0 flow with PKCE
       // refresh_token: For obtaining new access tokens
@@ -3931,6 +4635,9 @@ var OAuthDiscoveryService = class {
       // Response types for authorization endpoint
       // "code" for authorization code flow
       response_types_supported: ["code"],
+      // Response modes for authorization endpoint
+      // "query" returns code in URL query string (standard for auth code flow)
+      response_modes_supported: ["query"],
       // PKCE code challenge methods supported (when PKCE is used)
       // S256 is the only method supported - plain is NOT allowed
       // Note: PKCE is optional for confidential clients (with client_secret)
@@ -4014,6 +4721,7 @@ var CLIENT_SECRET_BYTES = 16;
 var BCRYPT_COST_FACTOR2 = 12;
 var DEFAULT_GRANT_TYPES = ["authorization_code", "refresh_token"];
 var DEFAULT_SCOPES3 = ["mcp:full"];
+var PUBLIC_CLIENT_MARKER = "PUBLIC_CLIENT:none";
 var OAuthRegistrationService = class {
   prisma;
   /**
@@ -4084,22 +4792,40 @@ var OAuthRegistrationService = class {
    * hashed secret in the database, and returns RFC 7591 compliant
    * response with the plaintext secret (one-time reveal).
    *
+   * Supports both confidential clients (with client_secret) and
+   * public clients (token_endpoint_auth_method: "none", uses PKCE).
+   *
    * @param request - RFC 7591 client registration request
    * @returns RFC 7591 compliant registration response
    *
    * @throws Error if database operation fails
    *
    * @example
+   * // Confidential client (default)
    * const response = await service.registerClient({
    *   client_name: "ChatGPT MCP Client",
    *   redirect_uris: ["https://chatgpt.com/aip/g/callback"]
    * });
-   * // response.client_secret is only returned once!
+   *
+   * @example
+   * // Public client (no secret, uses PKCE) - required for Claude.ai
+   * const response = await service.registerClient({
+   *   client_name: "Claude AI",
+   *   redirect_uris: ["https://claude.ai/api/mcp/auth_callback"],
+   *   token_endpoint_auth_method: "none"
+   * });
    */
   async registerClient(request) {
     const clientId = this.generateClientId();
-    const clientSecret = this.generateClientSecret();
-    const clientSecretHash = await this.hashClientSecret(clientSecret);
+    const isPublicClient = request.token_endpoint_auth_method === "none";
+    let clientSecret;
+    let clientSecretHash;
+    if (isPublicClient) {
+      clientSecretHash = PUBLIC_CLIENT_MARKER;
+    } else {
+      clientSecret = this.generateClientSecret();
+      clientSecretHash = await this.hashClientSecret(clientSecret);
+    }
     const grantTypes = request.grant_types?.length ? request.grant_types : DEFAULT_GRANT_TYPES;
     const client = await this.prisma.oAuthClient.create({
       data: {
@@ -4111,10 +4837,8 @@ var OAuthRegistrationService = class {
         scopes: DEFAULT_SCOPES3
       }
     });
-    return {
+    const response = {
       client_id: clientId,
-      client_secret: clientSecret,
-      // One-time reveal!
       client_name: request.client_name,
       redirect_uris: request.redirect_uris,
       grant_types: grantTypes,
@@ -4122,6 +4846,10 @@ var OAuthRegistrationService = class {
       client_secret_expires_at: 0
       // Per RFC 7591 Section 3.2.1: 0 means no expiry
     };
+    if (clientSecret) {
+      response.client_secret = clientSecret;
+    }
+    return response;
   }
   /**
    * Find a client by client_id
@@ -4632,15 +5360,16 @@ var OAuthTokenService = class {
   /**
    * Authenticate a client from request
    *
-   * Supports two authentication methods:
+   * Supports three authentication methods:
    * - client_secret_post: client_id and client_secret in request body
    * - client_secret_basic: HTTP Basic auth header
+   * - none: public client (no secret), requires PKCE - used by Claude.ai
    *
    * Per RFC 6749 Section 2.3.1
    *
    * @param params - Token request parameters (may contain client_id/secret)
    * @param authorizationHeader - Authorization header value (if present)
-   * @returns Authenticated client entity
+   * @returns Authenticated client entity with isPublicClient flag
    * @throws OAuthTokenError if authentication fails
    */
   async authenticateClient(params, authorizationHeader) {
@@ -4675,15 +5404,18 @@ var OAuthTokenService = class {
       has_client_secret: !!clientSecret,
       secret_length: clientSecret?.length || 0
     });
-    if (!clientId || !clientSecret) {
-      log2.warn("Client authentication failed: missing credentials", {
-        has_client_id: !!clientId,
+    if (!clientId) {
+      clientId = params.client_id;
+    }
+    if (!clientId) {
+      log2.warn("Client authentication failed: missing client_id", {
+        has_client_id: false,
         has_client_secret: !!clientSecret,
         auth_method: authMethod
       });
       throw new OAuthTokenError(
         "invalid_client",
-        "Client authentication required. Provide client_id and client_secret.",
+        "Client authentication required. Provide client_id.",
         401
       );
     }
@@ -4696,6 +5428,31 @@ var OAuthTokenService = class {
       });
       throw new OAuthTokenError("invalid_client", "Unknown client_id", 401);
     }
+    const isPublicClient = client.clientSecretHash === PUBLIC_CLIENT_MARKER;
+    if (isPublicClient) {
+      log2.info("Public client authenticated (no secret required, PKCE enforced)", {
+        client_id: clientId,
+        client_name: client.clientName,
+        auth_method: "none"
+      });
+      return {
+        clientId: client.clientId,
+        clientSecretHash: client.clientSecretHash,
+        clientName: client.clientName,
+        isPublicClient: true
+      };
+    }
+    if (!clientSecret) {
+      log2.warn("Client authentication failed: missing client_secret for confidential client", {
+        client_id: clientId,
+        client_name: client.clientName
+      });
+      throw new OAuthTokenError(
+        "invalid_client",
+        "Client authentication required. Provide client_id and client_secret.",
+        401
+      );
+    }
     const isValidSecret = await bcrypt5.compare(clientSecret, client.clientSecretHash);
     if (!isValidSecret) {
       log2.warn("Client authentication failed: invalid client_secret", {
@@ -4712,7 +5469,8 @@ var OAuthTokenService = class {
     return {
       clientId: client.clientId,
       clientSecretHash: client.clientSecretHash,
-      clientName: client.clientName
+      clientName: client.clientName,
+      isPublicClient: false
     };
   }
   // ===========================================================================
@@ -4850,6 +5608,19 @@ var OAuthTokenService = class {
       });
       throw new OAuthTokenError("invalid_grant", "Authorization code has already been used");
     }
+    const client = await this.prisma.oAuthClient.findUnique({
+      where: { clientId }
+    });
+    const isPublicClient = client?.clientSecretHash === PUBLIC_CLIENT_MARKER;
+    if (isPublicClient && !authCode.codeChallenge) {
+      log2.warn("Token exchange failed: public client did not use PKCE", {
+        client_id: clientId
+      });
+      throw new OAuthTokenError(
+        "invalid_grant",
+        "Public clients must use PKCE. No code_challenge was provided during authorization."
+      );
+    }
     if (authCode.codeChallenge) {
       if (!params.code_verifier) {
         throw new OAuthTokenError(
@@ -5072,7 +5843,10 @@ var clientRegistrationRequestSchema = z6.object({
     invalid_type_error: "redirect_uris must be an array"
   }).min(1, "redirect_uris cannot be empty"),
   grant_types: z6.array(z6.string()).optional(),
-  response_types: z6.array(z6.string()).optional()
+  response_types: z6.array(z6.string()).optional(),
+  // Token endpoint authentication method (RFC 7591)
+  // 'none' = public client (no client_secret, uses PKCE) - required for Claude.ai
+  token_endpoint_auth_method: z6.enum(["client_secret_post", "client_secret_basic", "none"]).optional()
 });
 function validateClientRegistrationRequest(data) {
   const result = clientRegistrationRequestSchema.safeParse(data);
@@ -5101,6 +5875,7 @@ var TokenRefreshService = class {
   cryptoService;
   config;
   refreshInterval = null;
+  clientPool = null;
   constructor(prisma2, cryptoService, config) {
     this.prisma = prisma2;
     this.cryptoService = cryptoService;
@@ -5112,6 +5887,14 @@ var TokenRefreshService = class {
     };
     log.debug("TokenRefreshService initialized");
   }
+  /**
+   * Set the client pool for cache eviction after token refresh
+   * Must be called after both services are initialized to avoid circular dependency
+   */
+  setClientPool(clientPool) {
+    this.clientPool = clientPool;
+    log.debug("TokenRefreshService: client pool reference set");
+  }
   /**
    * Refresh an access token using the refresh token
    *
@@ -5200,6 +5983,12 @@ var TokenRefreshService = class {
         where: { id: shop.id },
         data: updateData
       });
+      if (this.clientPool) {
+        this.clientPool.evict(shop.tenantId, shop.shopDomain);
+        log.debug(
+          `Evicted cached client for ${shop.shopDomain.substring(0, 20)} after token refresh`
+        );
+      }
       log.info(
         `Token refreshed successfully for ${shop.shopDomain.substring(0, 20)} (expires in ${tokenData.expires_in}s)`
       );
@@ -5214,6 +6003,18 @@ var TokenRefreshService = class {
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : "Unknown error during refresh";
       log.error(`Token refresh error: ${errorMessage}`);
+      const isDecryptionFailure = errorMessage.includes("Decryption failed") || errorMessage.includes("invalid key") || errorMessage.includes("corrupted data");
+      if (isDecryptionFailure) {
+        log.error(
+          `CRITICAL: Cannot decrypt tokens for shop ${shop.shopDomain.substring(0, 20)}. This likely means ENCRYPTION_KEY was changed. Shop must reconnect.`
+        );
+        await this.updateTokenStatus(shop.id, "needs_reauth" /* NEEDS_REAUTH */);
+        return {
+          success: false,
+          error: `Token expired and refresh failed for shop ${shop.shopDomain.substring(0, 20)}.... Please reconnect the shop.`,
+          status: "needs_reauth" /* NEEDS_REAUTH */
+        };
+      }
       return {
         success: false,
         error: errorMessage,
@@ -6047,6 +6848,104 @@ function createGDPRWebhooksRouter(options) {
   return router;
 }
 
+// src/transports/http/health-endpoints.ts
+var FAVICON_PNG_BASE64 = "iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAIAAAD8GO2jAAAAKklEQVR42u3NQQkAAAgEsItnQutYzRQ+hMH+S0+dikAgEAgEAoFAIPgSLM8edFuULS3fAAAAAElFTkSuQmCC";
+var FAVICON_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" width="32" height="32">
+  <rect width="32" height="32" rx="6" fill="#96BF48"/>
+  <path d="M10 8h12l2 6v12a2 2 0 0 1-2 2H10a2 2 0 0 1-2-2V14l2-6z" fill="white" stroke="white" stroke-width="1"/>
+  <path d="M12 8v-2a4 4 0 0 1 8 0v2" fill="none" stroke="#96BF48" stroke-width="2" stroke-linecap="round"/>
+</svg>`;
+function registerHealthEndpoints(app, config) {
+  let oauthStatus = null;
+  if (isRemoteMode(config)) {
+    const shopifyClientId = config.SHOPIFY_CLIENT_ID;
+    const shopifyClientSecret = config.SHOPIFY_CLIENT_SECRET;
+    const appUrl = config.APP_URL || `http://localhost:${config.PORT}`;
+    oauthStatus = {
+      enabled: !!(shopifyClientId && shopifyClientSecret),
+      hasClientId: !!shopifyClientId,
+      hasClientSecret: !!shopifyClientSecret,
+      hasAppUrl: !!config.APP_URL,
+      redirectUri: shopifyClientId && shopifyClientSecret ? `${appUrl}/oauth/callback` : void 0
+    };
+  }
+  app.get("/metrics", async (_req, res) => {
+    if (!isMetricsEnabled(config)) {
+      res.status(404).json({
+        error: "Not Found",
+        message: "Metrics endpoint is disabled"
+      });
+      return;
+    }
+    try {
+      const metrics = await getMetricsOutput();
+      res.setHeader("Content-Type", getMetricsContentType());
+      res.send(metrics);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Failed to collect metrics";
+      log.error("Metrics collection failed", error instanceof Error ? error : void 0);
+      res.status(500).json({
+        error: "Internal Server Error",
+        message
+      });
+    }
+  });
+  app.get("/health", async (_req, res) => {
+    try {
+      let drainingInfo;
+      if (shutdownManager.isDraining()) {
+        const info = shutdownManager.getDrainingInfo();
+        if (info) {
+          drainingInfo = {
+            startedAt: info.startedAt,
+            remainingConnections: shutdownManager.getRemainingConnections(),
+            shutdownDeadline: info.shutdownDeadline
+          };
+        }
+      }
+      const health = await checkHealth({ drainingInfo });
+      const statusCode = health.status === "draining" ? 503 : 200;
+      log.debug(`Health check: ${health.status}`);
+      const healthResponse = {
+        ...health,
+        ...isRemoteMode(config) && oauthStatus ? { oauth: oauthStatus } : {}
+      };
+      res.status(statusCode).json(healthResponse);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Health check failed unexpectedly";
+      log.warn(`Health check failed unexpectedly: ${message}`);
+      res.status(503).json({
+        status: "unhealthy",
+        version: getVersion(),
+        shopify: {
+          connected: false,
+          error: "Health check failed unexpectedly"
+        },
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+  });
+  app.get("/favicon.ico", (_req, res) => {
+    const faviconBuffer = Buffer.from(FAVICON_PNG_BASE64, "base64");
+    res.setHeader("Content-Type", "image/png");
+    res.setHeader("Content-Length", faviconBuffer.length.toString());
+    res.setHeader("Cache-Control", "public, max-age=86400");
+    res.send(faviconBuffer);
+  });
+  app.get("/favicon.png", (_req, res) => {
+    const faviconBuffer = Buffer.from(FAVICON_PNG_BASE64, "base64");
+    res.setHeader("Content-Type", "image/png");
+    res.setHeader("Content-Length", faviconBuffer.length.toString());
+    res.setHeader("Cache-Control", "public, max-age=86400");
+    res.send(faviconBuffer);
+  });
+  app.get("/favicon.svg", (_req, res) => {
+    res.setHeader("Content-Type", "image/svg+xml");
+    res.setHeader("Cache-Control", "public, max-age=86400");
+    res.send(FAVICON_SVG);
+  });
+}
+
 // src/transports/http.ts
 async function createHttpTransport(server) {
   const app = express();
@@ -6062,7 +6961,7 @@ async function createHttpTransport(server) {
   }
   app.use(sentryRequestMiddleware);
   if (isRemoteMode(config)) {
-    const { createCorsMiddleware } = await import("./security-44M6F2QU.js");
+    const { createCorsMiddleware } = await import("./security-6CNKRY2G.js");
     const { getAllowedOrigins } = await import("./schema-SOWYIQIV.js");
     const allowedOrigins = getAllowedOrigins(config);
     app.use(
@@ -6073,8 +6972,19 @@ async function createHttpTransport(server) {
     );
     log.info(`CORS middleware enabled with ${allowedOrigins.length} allowed origin(s)`);
     app.use((req, res, next) => {
-      const isOAuthPage = req.path.startsWith("/oauth/authorize") || req.path.startsWith("/app/oauth/");
-      const frameAncestors = isOAuthPage ? "frame-ancestors 'self' https://claude.ai https://*.anthropic.com" : "frame-ancestors 'none'";
+      const isShopifyEmbeddedPage = req.path.startsWith("/app");
+      const isOAuthRelatedPage = req.path.startsWith("/oauth/authorize") || req.path.startsWith("/app/oauth/") || req.path.startsWith("/app/login");
+      let frameAncestors;
+      if (isShopifyEmbeddedPage) {
+        frameAncestors = "frame-ancestors 'self' https://admin.shopify.com https://*.myshopify.com https://claude.ai https://*.anthropic.com https://*.claude.ai";
+      } else if (isOAuthRelatedPage) {
+        frameAncestors = "frame-ancestors 'self' https://claude.ai https://*.anthropic.com https://*.claude.ai";
+      } else {
+        frameAncestors = "frame-ancestors 'none'";
+      }
+      if (isShopifyEmbeddedPage || isOAuthRelatedPage) {
+        res.locals.allowIframeEmbedding = true;
+      }
       res.setHeader(
         "Content-Security-Policy",
         [
@@ -6086,7 +6996,8 @@ async function createHttpTransport(server) {
           "connect-src 'self' https://*.myshopify.com",
           frameAncestors,
           "base-uri 'self'",
-          "form-action 'self' https://claude.ai"
+          // Allow form submissions to Claude and Anthropic domains for OAuth redirects
+          "form-action 'self' https://claude.ai https://*.claude.ai https://*.anthropic.com"
         ].join("; ")
       );
       next();
@@ -6097,20 +7008,61 @@ async function createHttpTransport(server) {
   let clientPool = null;
   let auditLogger2 = null;
   let cryptoService = null;
+  let keepAliveInterval = null;
   if (isRemoteMode(config)) {
     log.info("Remote mode: enabling tenant onboarding API routes");
+    try {
+      await warmupDatabase();
+    } catch (error) {
+      log.error("Database warmup failed, server may experience cold-start delays");
+    }
     const prisma2 = getPrismaClient();
     const encryptionKey = requireEncryptionKey(config);
     cryptoService = new CredentialEncryptionService(encryptionKey);
     auditLogger2 = new AuditLogger(prisma2);
+    getToolExecutionLogger(prisma2);
+    log.info("ToolExecutionLogger initialized for activity logging");
     apiKeyService = new ApiKeyService(prisma2);
     clientPool = new TenantClientPool(cryptoService, prisma2);
     log.info("TenantClientPool initialized for multi-tenant MCP");
+    try {
+      const validationResult = await cryptoService.validateEncryptionKeyOnStartup(prisma2);
+      if (validationResult.totalCount > 0) {
+        if (validationResult.failedCount > 0) {
+          log.error(
+            `CRITICAL: ENCRYPTION_KEY MISMATCH DETECTED! ${validationResult.failedCount}/${validationResult.totalCount} shop tokens cannot be decrypted. Affected shops will need to reconnect.`
+          );
+          captureError(
+            new Error(
+              `Encryption key mismatch: ${validationResult.failedCount} tokens cannot be decrypted`
+            ),
+            {
+              totalCount: validationResult.totalCount,
+              failedCount: validationResult.failedCount,
+              failedShopIds: validationResult.failedShopIds
+            }
+          );
+          await cryptoService.markShopsAsNeedingReauth(prisma2, validationResult.failedShopIds);
+          log.warn(`Marked ${validationResult.failedCount} shops as needing re-authentication`);
+        } else {
+          log.info(
+            `Encryption key validation passed: ${validationResult.successCount} shop tokens verified`
+          );
+        }
+      }
+    } catch (validationError) {
+      log.error(
+        `Failed to validate encryption key on startup: ${validationError instanceof Error ? validationError.message : "Unknown"}`
+      );
+    }
     if (config.SHOPIFY_CLIENT_ID && config.SHOPIFY_CLIENT_SECRET) {
       const tokenRefreshService = initializeTokenRefreshService(prisma2, cryptoService, {
         clientId: config.SHOPIFY_CLIENT_ID,
         clientSecret: config.SHOPIFY_CLIENT_SECRET
       });
+      if (clientPool) {
+        tokenRefreshService.setClientPool(clientPool);
+      }
       tokenRefreshService.startBackgroundRefresh();
       log.info("TokenRefreshService initialized (background refresh enabled)");
     } else {
@@ -6205,6 +7157,50 @@ async function createHttpTransport(server) {
     }
     next();
   });
+  app.head("/mcp", async (req, res) => {
+    const authHeader = req.headers.authorization;
+    const bearerToken = typeof authHeader === "string" && authHeader.toLowerCase().startsWith("bearer ") ? authHeader.slice(7) : void 0;
+    log.info("[mcp] HEAD /mcp probe request", {
+      hasAuth: !!bearerToken,
+      userAgent: req.headers["user-agent"]
+    });
+    if (!bearerToken) {
+      const wwwAuth2 = oauthDiscoveryService.getWwwAuthenticateHeader(
+        "invalid_token",
+        "Authentication required"
+      );
+      res.setHeader("WWW-Authenticate", wwwAuth2);
+      res.status(401).json({
+        error: "unauthorized",
+        message: "Authentication required. Initiate OAuth flow."
+      });
+      return;
+    }
+    if (apiKeyService) {
+      try {
+        const { validateMcpBearerToken } = await import("./mcp-auth-54BVOYFJ.js");
+        const authResult = await validateMcpBearerToken(
+          `Bearer ${bearerToken}`,
+          apiKeyService,
+          getPrismaClient()
+        );
+        if (authResult.valid) {
+          res.status(200).end();
+          return;
+        }
+      } catch {
+      }
+    }
+    const wwwAuth = oauthDiscoveryService.getWwwAuthenticateHeader(
+      "invalid_token",
+      "Invalid or expired token"
+    );
+    res.setHeader("WWW-Authenticate", wwwAuth);
+    res.status(401).json({
+      error: "unauthorized",
+      message: "Invalid or expired token"
+    });
+  });
   app.post("/mcp", async (req, res) => {
     try {
       const authHeader = req.headers.authorization;
@@ -6252,7 +7248,7 @@ async function createHttpTransport(server) {
           }
           if (sessionContext && methodRequiresShop && isRemote && apiKeyService && clientPool && prisma2 && (!sessionContext.requestContext?.client || !sessionContext.requestContext?.shopDomain)) {
             log.debug(`[mcp] Lazy loading context for existing session: ${sessionPrefix}...`);
-            const { validateMcpBearerToken } = await import("./mcp-auth-F25V6FEY.js");
+            const { validateMcpBearerToken } = await import("./mcp-auth-54BVOYFJ.js");
             const authResult = await validateMcpBearerToken(
               req.headers.authorization,
               apiKeyService,
@@ -6271,7 +7267,12 @@ async function createHttpTransport(server) {
                     authResult.tenant.defaultShop.domain,
                     authResult.tenant.tenantId,
                     authResult.tenant.apiKeyId || "",
-                    authResult.tenant.allowedShops
+                    authResult.tenant.allowedShops,
+                    {
+                      oauthClientId: authResult.tenant.oauthClientId,
+                      oauthClientName: authResult.tenant.oauthClientName,
+                      correlationId
+                    }
                   ),
                   correlationId
                 };
@@ -6356,7 +7357,7 @@ async function createHttpTransport(server) {
       let shopifyClient;
       let multiTenantContext;
       if (isRemote && apiKeyService && clientPool && prisma2) {
-        const { validateMcpBearerToken } = await import("./mcp-auth-F25V6FEY.js");
+        const { validateMcpBearerToken } = await import("./mcp-auth-54BVOYFJ.js");
         const authResult = await validateMcpBearerToken(
           req.headers.authorization,
           apiKeyService,
@@ -6437,7 +7438,12 @@ async function createHttpTransport(server) {
               mcpTenantContext.defaultShop.domain,
               mcpTenantContext.tenantId,
               mcpTenantContext.apiKeyId || "",
-              mcpTenantContext.allowedShops
+              mcpTenantContext.allowedShops,
+              {
+                oauthClientId: mcpTenantContext.oauthClientId,
+                oauthClientName: mcpTenantContext.oauthClientName,
+                correlationId
+              }
             ),
             correlationId
           };
@@ -6447,7 +7453,7 @@ async function createHttpTransport(server) {
         `[mcp] Creating new transport: isInitReq=${isInitReq}, has_tenant=${!!mcpTenantContext}, has_client=${!!shopifyClient}`
       );
       transport = new StreamableHTTPServerTransport({
-        sessionIdGenerator: () => randomUUID3(),
+        sessionIdGenerator: () => randomUUID2(),
         onsessioninitialized: (newSessionId) => {
           log.info(`[mcp] Session initialized: ${newSessionId.substring(0, 8)}...`);
           transports.set(newSessionId, transport);
@@ -6500,7 +7506,7 @@ async function createHttpTransport(server) {
       });
       await server.connect(transport);
       log.info("[mcp] Transport connected to server, handling request...");
-      const tempContextKey = multiTenantContext?.correlationId || randomUUID3();
+      const tempContextKey = multiTenantContext?.correlationId || randomUUID2();
       try {
         if (multiTenantContext) {
           setFallbackContext(tempContextKey, multiTenantContext);
@@ -6639,7 +7645,7 @@ async function createHttpTransport(server) {
     let shopifyClient;
     let multiTenantContext;
     if (isRemote && apiKeyService && clientPool && prisma2) {
-      const { validateMcpBearerToken } = await import("./mcp-auth-F25V6FEY.js");
+      const { validateMcpBearerToken } = await import("./mcp-auth-54BVOYFJ.js");
       const authResult = await validateMcpBearerToken(
         req.headers.authorization,
         apiKeyService,
@@ -6804,7 +7810,7 @@ data: ${JSON.stringify({
     const isRemote = isRemoteMode(config);
     const prisma2 = isRemote ? getPrismaClient() : null;
     if (isRemote && apiKeyService && prisma2) {
-      const { validateMcpBearerToken } = await import("./mcp-auth-F25V6FEY.js");
+      const { validateMcpBearerToken } = await import("./mcp-auth-54BVOYFJ.js");
       const authResult = await validateMcpBearerToken(
         req.headers.authorization,
         apiKeyService,
@@ -6855,7 +7861,7 @@ data: ${JSON.stringify({
         return;
       }
       if (body.method === "tools/list") {
-        const { getRegisteredTools } = await import("./tools-HVUCP53D.js");
+        const { getRegisteredTools } = await import("./tools-SVKPHJYW.js");
         const tools = getRegisteredTools();
         const response = {
           jsonrpc: "2.0",
@@ -6893,7 +7899,7 @@ data: ${JSON.stringify({
         return;
       }
       if (body.method === "tools/call" && isRemote && apiKeyService && clientPool && prisma2) {
-        const { validateMcpBearerToken } = await import("./mcp-auth-F25V6FEY.js");
+        const { validateMcpBearerToken } = await import("./mcp-auth-54BVOYFJ.js");
         const authResult = await validateMcpBearerToken(
           req.headers.authorization,
           apiKeyService,
@@ -6950,7 +7956,7 @@ data: ${JSON.stringify({
             ),
             correlationId
           };
-          const { getToolByName } = await import("./tools-HVUCP53D.js");
+          const { getToolByName } = await import("./tools-SVKPHJYW.js");
           const params = body.params;
           const rawToolName = params?.name;
           const toolArgs = params?.arguments || {};
@@ -7074,27 +8080,7 @@ data: ${JSON.stringify({
     const queryString = Object.keys(req.query).length ? `?${new URLSearchParams(req.query).toString()}` : "";
     res.redirect(307, `/sse${queryString}`);
   });
-  app.get("/metrics", async (_req, res) => {
-    if (!isMetricsEnabled(config)) {
-      res.status(404).json({
-        error: "Not Found",
-        message: "Metrics endpoint is disabled"
-      });
-      return;
-    }
-    try {
-      const metrics = await getMetricsOutput();
-      res.setHeader("Content-Type", getMetricsContentType());
-      res.send(metrics);
-    } catch (error) {
-      const message = error instanceof Error ? error.message : "Failed to collect metrics";
-      log.error("Metrics collection failed", error instanceof Error ? error : void 0);
-      res.status(500).json({
-        error: "Internal Server Error",
-        message
-      });
-    }
-  });
+  registerHealthEndpoints(app, config);
   let oauthStatus = null;
   if (isRemoteMode(config)) {
     const shopifyClientId = config.SHOPIFY_CLIENT_ID;
@@ -7108,41 +8094,6 @@ data: ${JSON.stringify({
       redirectUri: shopifyClientId && shopifyClientSecret ? `${appUrl}/oauth/callback` : void 0
     };
   }
-  app.get("/health", async (_req, res) => {
-    try {
-      let drainingInfo;
-      if (shutdownManager.isDraining()) {
-        const info = shutdownManager.getDrainingInfo();
-        if (info) {
-          drainingInfo = {
-            startedAt: info.startedAt,
-            remainingConnections: shutdownManager.getRemainingConnections(),
-            shutdownDeadline: info.shutdownDeadline
-          };
-        }
-      }
-      const health = await checkHealth({ drainingInfo });
-      const statusCode = health.status === "draining" ? 503 : 200;
-      log.debug(`Health check: ${health.status}`);
-      const healthResponse = {
-        ...health,
-        ...isRemoteMode(config) && oauthStatus ? { oauth: oauthStatus } : {}
-      };
-      res.status(statusCode).json(healthResponse);
-    } catch (error) {
-      const message = error instanceof Error ? error.message : "Health check failed unexpectedly";
-      log.warn(`Health check failed unexpectedly: ${message}`);
-      res.status(503).json({
-        status: "unhealthy",
-        version: getVersion(),
-        shopify: {
-          connected: false,
-          error: "Health check failed unexpectedly"
-        },
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  });
   const oauthDiscoveryService = createOAuthDiscoveryService(discoveryBaseUrl);
   app.get("/.well-known/oauth-authorization-server", (_req, res) => {
     const metadata = oauthDiscoveryService.getAuthorizationServerMetadata();
@@ -7184,18 +8135,43 @@ data: ${JSON.stringify({
   const oauthAuthorizeService = createOAuthAuthorizeService(void 0, cryptoService || void 0);
   app.get("/oauth/authorize", async (req, res) => {
     try {
+      const userAgent = req.headers["user-agent"] || "unknown";
+      const origin = req.headers.origin || req.headers.referer || "none";
+      const clientId = req.query.client_id;
+      log.info("[OAuth] GET /oauth/authorize request", {
+        client_id: clientId?.substring(0, 20),
+        has_session_cookie: !!req.cookies?.session_id,
+        origin: typeof origin === "string" ? origin.substring(0, 50) : "none",
+        user_agent: userAgent.substring(0, 80),
+        redirect_uri: req.query.redirect_uri?.substring(0, 80),
+        // Check if this looks like a Claude request
+        is_claude_origin: origin.includes("claude.ai") || origin.includes("anthropic.com")
+      });
       const sessionId = req.cookies?.session_id;
       if (!sessionId) {
+        log.info("[OAuth] No session cookie - redirecting to login", {
+          client_id: clientId?.substring(0, 20),
+          is_iframe: req.headers["sec-fetch-dest"] === "iframe"
+        });
         const returnUrl = `/oauth/authorize?${new URLSearchParams(req.query).toString()}`;
         res.redirect(`/app/login?redirect=${encodeURIComponent(returnUrl)}`);
         return;
       }
       const session = await sessionStore.get(sessionId);
       if (!session || session.expiresAt < Date.now()) {
+        log.info("[OAuth] Session expired or invalid - redirecting to login", {
+          client_id: clientId?.substring(0, 20),
+          session_exists: !!session,
+          expired: session ? session.expiresAt < Date.now() : "N/A"
+        });
         const returnUrl = `/oauth/authorize?${new URLSearchParams(req.query).toString()}`;
         res.redirect(`/app/login?redirect=${encodeURIComponent(returnUrl)}`);
         return;
       }
+      log.info("[OAuth] Valid session found, proceeding with authorization", {
+        client_id: clientId?.substring(0, 20),
+        tenant_id: session.tenantId.substring(0, 8)
+      });
       const validationResult = await oauthAuthorizeService.validateAuthorizationRequest(
         req.query
       );
@@ -7748,6 +8724,13 @@ data: ${JSON.stringify({
       log.debug("Disconnecting Prisma");
       await disconnectPrisma();
     });
+    shutdownManager.onShutdown(() => {
+      if (keepAliveInterval) {
+        log.debug("Stopping database keep-alive");
+        clearInterval(keepAliveInterval);
+        keepAliveInterval = null;
+      }
+    });
   }
   return {
     app,
@@ -7756,6 +8739,21 @@ data: ${JSON.stringify({
       shutdownManager.setHttpServer(httpServer);
       shutdownManager.registerSignalHandlers();
       log.info("Graceful shutdown handlers registered");
+      if (isRemoteMode(config)) {
+        const KEEP_ALIVE_INTERVAL_MS = 4 * 60 * 1e3;
+        keepAliveInterval = setInterval(async () => {
+          try {
+            const prisma2 = getPrismaClient();
+            await prisma2.$queryRaw`SELECT 1`;
+            log.debug("Database keep-alive ping successful");
+          } catch (error) {
+            const message = error instanceof Error ? error.message : "Unknown error";
+            log.warn(`Database keep-alive ping failed: ${message}`);
+          }
+        }, KEEP_ALIVE_INTERVAL_MS);
+        keepAliveInterval.unref();
+        log.info("Database keep-alive started (interval: 4 minutes)");
+      }
       return httpServer;
     }
   };