@atoms-tech/atoms-mcp 0.1.0

package/bin/atoms-mcp.js

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+import("../dist/index.js");

package/dist/auth/login.d.ts

@@ -0,0 +1,23 @@
+/**
+ * OAuth 2.1 PKCE login flow for the MCP CLI.
+ *
+ * Flow:
+ * 1. Generate PKCE code_verifier + code_challenge
+ * 2. Start HTTP server on localhost:19275
+ * 3. Open browser to x.atoms.tech/auth/mcp-login (or Supabase auth directly)
+ * 4. User authenticates → redirect to localhost with tokens
+ * 5. Store tokens in ~/.atoms/credentials.json
+ */
+/**
+ * Run the interactive login flow.
+ * Opens browser, waits for callback, stores tokens.
+ *
+ * Uses OAuth 2.1 PKCE flow:
+ * 1. Redirect to Supabase with code_challenge
+ * 2. Supabase returns authorization code to localhost callback
+ * 3. Exchange code + code_verifier for session tokens
+ */
+export declare function login(): Promise<{
+    email: string;
+}>;
+//# sourceMappingURL=login.d.ts.map

package/dist/auth/login.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../src/auth/login.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAWH;;;;;;;;GAQG;AACH,wBAAsB,KAAK,IAAI,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,CAyLxD"}

package/dist/auth/login.js

@@ -0,0 +1,246 @@
+/**
+ * OAuth 2.1 PKCE login flow for the MCP CLI.
+ *
+ * Flow:
+ * 1. Generate PKCE code_verifier + code_challenge
+ * 2. Start HTTP server on localhost:19275
+ * 3. Open browser to x.atoms.tech/auth/mcp-login (or Supabase auth directly)
+ * 4. User authenticates → redirect to localhost with tokens
+ * 5. Store tokens in ~/.atoms/credentials.json
+ */
+import { createServer } from "node:http";
+import { randomBytes, createHash } from "node:crypto";
+import { URL } from "node:url";
+import { writeCredentials } from "./token-store.js";
+import { ATOMS_SUPABASE_URL, ATOMS_SUPABASE_ANON_KEY } from "../config.js";
+const CALLBACK_PORT = 19275;
+const CALLBACK_PATH = "/callback";
+/**
+ * Run the interactive login flow.
+ * Opens browser, waits for callback, stores tokens.
+ *
+ * Uses OAuth 2.1 PKCE flow:
+ * 1. Redirect to Supabase with code_challenge
+ * 2. Supabase returns authorization code to localhost callback
+ * 3. Exchange code + code_verifier for session tokens
+ */
+export async function login() {
+    // Generate PKCE challenge
+    const codeVerifier = randomBytes(32).toString("base64url");
+    const codeChallenge = createHash("sha256")
+        .update(codeVerifier)
+        .digest("base64url");
+    const redirectTo = `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`;
+    // Build auth URL
+    const authUrl = new URL(`${ATOMS_SUPABASE_URL}/auth/v1/authorize`);
+    authUrl.searchParams.set("provider", "google");
+    authUrl.searchParams.set("redirect_to", redirectTo);
+    authUrl.searchParams.set("code_challenge", codeChallenge);
+    authUrl.searchParams.set("code_challenge_method", "S256");
+    return new Promise((resolve, reject) => {
+        const server = createServer(async (req, res) => {
+            const url = new URL(req.url ?? "/", `http://localhost:${CALLBACK_PORT}`);
+            if (url.pathname !== CALLBACK_PATH) {
+                res.writeHead(404);
+                res.end("Not found");
+                return;
+            }
+            try {
+                // PKCE flow: Supabase redirects with ?code=xxx in query params
+                const code = url.searchParams.get("code");
+                if (code) {
+                    // Exchange authorization code + code_verifier for tokens via REST API
+                    const tokenRes = await fetch(`${ATOMS_SUPABASE_URL}/auth/v1/token?grant_type=pkce`, {
+                        method: "POST",
+                        headers: {
+                            "Content-Type": "application/json",
+                            "apikey": ATOMS_SUPABASE_ANON_KEY,
+                        },
+                        body: JSON.stringify({
+                            auth_code: code,
+                            code_verifier: codeVerifier,
+                        }),
+                    });
+                    const tokenData = await tokenRes.json();
+                    if (!tokenRes.ok || !tokenData.access_token) {
+                        const errMsg = tokenData.error_description ?? tokenData.msg ?? "Unknown error";
+                        res.writeHead(200, { "Content-Type": "text/html" });
+                        res.end(failurePage(`Code exchange failed: ${errMsg}`));
+                        server.close();
+                        reject(new Error(`Code exchange failed: ${errMsg}`));
+                        return;
+                    }
+                    // Decode JWT to get email
+                    let email = "authenticated";
+                    try {
+                        const payload = JSON.parse(Buffer.from(tokenData.access_token.split(".")[1], "base64").toString());
+                        email = payload.email ?? email;
+                    }
+                    catch { /* ignore decode errors */ }
+                    // Verify user has an ATOMS account (belongs to at least one org)
+                    const { createClient } = await import("@supabase/supabase-js");
+                    const verifyClient = createClient(ATOMS_SUPABASE_URL, ATOMS_SUPABASE_ANON_KEY, {
+                        global: {
+                            headers: { Authorization: `Bearer ${tokenData.access_token}` },
+                        },
+                    });
+                    const { data: memberships, error: memErr } = await verifyClient
+                        .from("org_members")
+                        .select("org_id")
+                        .limit(1);
+                    if (memErr || !memberships || memberships.length === 0) {
+                        // User authenticated with Google but has no ATOMS account
+                        res.writeHead(200, { "Content-Type": "text/html" });
+                        res.end(failurePage("No ATOMS account found for this Google account.<br><br>" +
+                            "Please sign up at <a href=\"https://x.atoms.tech\">x.atoms.tech</a> first, " +
+                            "then run this login command again."));
+                        server.close();
+                        reject(new Error("No ATOMS account found. Sign up at x.atoms.tech first."));
+                        return;
+                    }
+                    await writeCredentials({
+                        access_token: tokenData.access_token,
+                        refresh_token: tokenData.refresh_token,
+                        expires_at: Date.now() + (tokenData.expires_in ?? 3600) * 1000,
+                        user_email: email,
+                    });
+                    res.writeHead(200, { "Content-Type": "text/html" });
+                    res.end(successPage(email));
+                    server.close();
+                    resolve({ email });
+                    return;
+                }
+                // Fallback: check for tokens in hash fragment via extractor page
+                const accessToken = url.searchParams.get("access_token");
+                const refreshToken = url.searchParams.get("refresh_token");
+                const expiresIn = parseInt(url.searchParams.get("expires_in") ?? "3600", 10);
+                if (accessToken && refreshToken) {
+                    await writeCredentials({
+                        access_token: accessToken,
+                        refresh_token: refreshToken,
+                        expires_at: Date.now() + expiresIn * 1000,
+                    });
+                    res.writeHead(200, { "Content-Type": "text/html" });
+                    res.end(successPage("authenticated"));
+                    server.close();
+                    resolve({ email: "authenticated" });
+                }
+                else {
+                    // Serve a page that extracts hash fragment and POSTs back
+                    res.writeHead(200, { "Content-Type": "text/html" });
+                    res.end(extractorPage());
+                }
+            }
+            catch (err) {
+                res.writeHead(500);
+                res.end("Authentication failed");
+                server.close();
+                reject(err);
+            }
+        });
+        // Handle POST from the extractor page (hash fragment fallback)
+        server.on("request", async (req, res) => {
+            if (req.method === "POST" && req.url === "/token") {
+                let body = "";
+                req.on("data", (chunk) => { body += chunk.toString(); });
+                req.on("end", async () => {
+                    try {
+                        const data = JSON.parse(body);
+                        await writeCredentials({
+                            access_token: data.access_token,
+                            refresh_token: data.refresh_token,
+                            expires_at: Date.now() + (data.expires_in ?? 3600) * 1000,
+                            user_email: data.user_email,
+                        });
+                        res.writeHead(200, { "Content-Type": "application/json" });
+                        res.end(JSON.stringify({ ok: true }));
+                        server.close();
+                        resolve({ email: data.user_email ?? "authenticated" });
+                    }
+                    catch (err) {
+                        res.writeHead(500);
+                        res.end("Failed to store credentials");
+                        server.close();
+                        reject(err);
+                    }
+                });
+            }
+        });
+        server.listen(CALLBACK_PORT, "127.0.0.1", async () => {
+            process.stderr.write(`\nOpening browser for ATOMS login...\n`);
+            process.stderr.write(`If the browser doesn't open, visit:\n${authUrl.toString()}\n\n`);
+            try {
+                const { default: openBrowser } = await import("open");
+                await openBrowser(authUrl.toString());
+            }
+            catch {
+                process.stderr.write("Could not open browser automatically. Please open the URL above.\n");
+            }
+        });
+        // Timeout after 5 minutes
+        setTimeout(() => {
+            server.close();
+            reject(new Error("Login timed out after 5 minutes"));
+        }, 5 * 60_000);
+    });
+}
+function extractorPage() {
+    return `<!DOCTYPE html>
+<html>
+<head><title>ATOMS MCP Login</title></head>
+<body>
+  <h1>Completing login...</h1>
+  <script>
+    const hash = window.location.hash.substring(1);
+    const params = new URLSearchParams(hash);
+    const data = {
+      access_token: params.get('access_token'),
+      refresh_token: params.get('refresh_token'),
+      expires_in: params.get('expires_in'),
+      user_email: ''
+    };
+    if (data.access_token) {
+      // Decode JWT to get email
+      try {
+        const payload = JSON.parse(atob(data.access_token.split('.')[1]));
+        data.user_email = payload.email || '';
+      } catch(e) {}
+      fetch('/token', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(data)
+      }).then(() => {
+        document.body.innerHTML = '<h1>Login successful! You can close this tab.</h1>';
+      }).catch(() => {
+        document.body.innerHTML = '<h1>Login failed. Please try again.</h1>';
+      });
+    } else {
+      document.body.innerHTML = '<h1>Login failed — no tokens received.</h1>';
+    }
+  </script>
+</body>
+</html>`;
+}
+function successPage(email) {
+    return `<!DOCTYPE html>
+<html>
+<head><title>ATOMS MCP Login</title></head>
+<body style="font-family:system-ui;text-align:center;padding:60px">
+  <h1 style="color:#22c55e">Login successful!</h1>
+  <p>Authenticated as <strong>${email}</strong></p>
+  <p>You can close this tab and return to your terminal.</p>
+</body>
+</html>`;
+}
+function failurePage(reason) {
+    return `<!DOCTYPE html>
+<html>
+<head><title>ATOMS MCP Login</title></head>
+<body style="font-family:system-ui;text-align:center;padding:60px">
+  <h1 style="color:#ef4444">Login failed</h1>
+  <p>${reason}</p>
+  <p>Please close this tab and try again.</p>
+</body>
+</html>`;
+}
+//# sourceMappingURL=login.js.map

package/dist/auth/login.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/auth/login.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,YAAY,EAA6C,MAAM,WAAW,CAAC;AACpF,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACtD,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAC/B,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAE3E,MAAM,aAAa,GAAG,KAAK,CAAC;AAC5B,MAAM,aAAa,GAAG,WAAW,CAAC;AAElC;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,KAAK;IAEzB,0BAA0B;IAC1B,MAAM,YAAY,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC3D,MAAM,aAAa,GAAG,UAAU,CAAC,QAAQ,CAAC;SACvC,MAAM,CAAC,YAAY,CAAC;SACpB,MAAM,CAAC,WAAW,CAAC,CAAC;IAEvB,MAAM,UAAU,GAAG,oBAAoB,aAAa,GAAG,aAAa,EAAE,CAAC;IAEvE,iBAAiB;IACjB,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,GAAG,kBAAkB,oBAAoB,CAAC,CAAC;IACnE,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAC/C,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;IACpD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAE1D,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,GAAoB,EAAE,GAAmB,EAAE,EAAE;YAC9E,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,oBAAoB,aAAa,EAAE,CAAC,CAAC;YAEzE,IAAI,GAAG,CAAC,QAAQ,KAAK,aAAa,EAAE,CAAC;gBACnC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACnB,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBACrB,OAAO;YACT,CAAC;YAED,IAAI,CAAC;gBACH,+DAA+D;gBAC/D,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAE1C,IAAI,IAAI,EAAE,CAAC;oBACT,sEAAsE;oBACtE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,kBAAkB,gCAAgC,EAAE;wBAClF,MAAM,EAAE,MAAM;wBACd,OAAO,EAAE;4BACP,cAAc,EAAE,kBAAkB;4BAClC,QAAQ,EAAE,uBAAuB;yBAClC;wBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;4BACnB,SAAS,EAAE,IAAI;4BACf,aAAa,EAAE,YAAY;yBAC5B,CAAC;qBACH,CAAC,CAAC;oBAEH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAMpC,CAAC;oBAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC;wBAC5C,MAAM,MAAM,GAAG,SAAS,CAAC,iBAAiB,IAAI,SAAS,CAAC,GAAG,IAAI,eAAe,CAAC;wBAC/E,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;wBACpD,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,yBAAyB,MAAM,EAAE,CAAC,CAAC,CAAC;wBACxD,MAAM,CAAC,KAAK,EAAE,CAAC;wBACf,MAAM,CAAC,IAAI,KAAK,CAAC,yBAAyB,MAAM,EAAE,CAAC,CAAC,CAAC;wBACrD,OAAO;oBACT,CAAC;oBAED,0BAA0B;oBAC1B,IAAI,KAAK,GAAG,eAAe,CAAC;oBAC5B,IAAI,CAAC;wBACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;wBACnG,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,KAAK,CAAC;oBACjC,CAAC;oBAAC,MAAM,CAAC,CAAC,0BAA0B,CAAC,CAAC;oBAEtC,iEAAiE;oBACjE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;oBAC/D,MAAM,YAAY,GAAG,YAAY,CAAC,kBAAkB,EAAE,uBAAuB,EAAE;wBAC7E,MAAM,EAAE;4BACN,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,SAAS,CAAC,YAAY,EAAE,EAAE;yBAC/D;qBACF,CAAC,CAAC;oBAEH,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,MAAM,YAAY;yBAC5D,IAAI,CAAC,aAAa,CAAC;yBACnB,MAAM,CAAC,QAAQ,CAAC;yBAChB,KAAK,CAAC,CAAC,CAAC,CAAC;oBAEZ,IAAI,MAAM,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBACvD,0DAA0D;wBAC1D,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;wBACpD,GAAG,CAAC,GAAG,CAAC,WAAW,CACjB,yDAAyD;4BACzD,6EAA6E;4BAC7E,oCAAoC,CACrC,CAAC,CAAC;wBACH,MAAM,CAAC,KAAK,EAAE,CAAC;wBACf,MAAM,CAAC,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC,CAAC;wBAC5E,OAAO;oBACT,CAAC;oBAED,MAAM,gBAAgB,CAAC;wBACrB,YAAY,EAAE,SAAS,CAAC,YAAa;wBACrC,aAAa,EAAE,SAAS,CAAC,aAAc;wBACvC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,SAAS,CAAC,UAAU,IAAI,IAAI,CAAC,GAAG,IAAI;wBAC9D,UAAU,EAAE,KAAK;qBAClB,CAAC,CAAC;oBAEH,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;oBACpD,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC;oBAC5B,MAAM,CAAC,KAAK,EAAE,CAAC;oBACf,OAAO,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;oBACnB,OAAO;gBACT,CAAC;gBAED,iEAAiE;gBACjE,MAAM,WAAW,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;gBACzD,MAAM,YAAY,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;gBAC3D,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,MAAM,EAAE,EAAE,CAAC,CAAC;gBAE7E,IAAI,WAAW,IAAI,YAAY,EAAE,CAAC;oBAChC,MAAM,gBAAgB,CAAC;wBACrB,YAAY,EAAE,WAAW;wBACzB,aAAa,EAAE,YAAY;wBAC3B,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,IAAI;qBAC1C,CAAC,CAAC;oBAEH,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;oBACpD,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC,CAAC;oBACtC,MAAM,CAAC,KAAK,EAAE,CAAC;oBACf,OAAO,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;gBACtC,CAAC;qBAAM,CAAC;oBACN,0DAA0D;oBAC1D,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;oBACpD,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC;gBAC3B,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACnB,GAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;gBACjC,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,+DAA+D;QAC/D,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;YACtC,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,GAAG,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAClD,IAAI,IAAI,GAAG,EAAE,CAAC;gBACd,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,GAAG,IAAI,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;gBACjE,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,IAAI,EAAE;oBACvB,IAAI,CAAC;wBACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;wBAC9B,MAAM,gBAAgB,CAAC;4BACrB,YAAY,EAAE,IAAI,CAAC,YAAY;4BAC/B,aAAa,EAAE,IAAI,CAAC,aAAa;4BACjC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,GAAG,IAAI;4BACzD,UAAU,EAAE,IAAI,CAAC,UAAU;yBAC5B,CAAC,CAAC;wBAEH,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;wBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;wBACtC,MAAM,CAAC,KAAK,EAAE,CAAC;wBACf,OAAO,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,UAAU,IAAI,eAAe,EAAE,CAAC,CAAC;oBACzD,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;wBACnB,GAAG,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;wBACvC,MAAM,CAAC,KAAK,EAAE,CAAC;wBACf,MAAM,CAAC,GAAG,CAAC,CAAC;oBACd,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,aAAa,EAAE,WAAW,EAAE,KAAK,IAAI,EAAE;YACnD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;YAC/D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,wCAAwC,OAAO,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAEvF,IAAI,CAAC;gBACH,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;gBACtD,MAAM,WAAW,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;YACxC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oEAAoE,CAAC,CAAC;YAC7F,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,0BAA0B;QAC1B,UAAU,CAAC,GAAG,EAAE;YACd,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC,CAAC;QACvD,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC;IACjB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,aAAa;IACpB,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAkCD,CAAC;AACT,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAChC,OAAO;;;;;gCAKuB,KAAK;;;QAG7B,CAAC;AACT,CAAC;AAED,SAAS,WAAW,CAAC,MAAc;IACjC,OAAO;;;;;OAKF,MAAM;;;QAGL,CAAC;AACT,CAAC"}

package/dist/auth/refresh.d.ts

@@ -0,0 +1,17 @@
+/**
+ * JWT refresh logic for MCP server startup.
+ *
+ * On each MCP session start, we check if the access_token is expired
+ * and use the refresh_token to get a new one from Supabase.
+ */
+/**
+ * Get a valid access token, refreshing if needed.
+ * Returns { access_token, user_id, email } or throws.
+ */
+export declare function getValidToken(): Promise<{
+    access_token: string;
+    refresh_token: string;
+    user_id: string;
+    email: string;
+}>;
+//# sourceMappingURL=refresh.d.ts.map

package/dist/auth/refresh.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.d.ts","sourceRoot":"","sources":["../../src/auth/refresh.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH;;;GAGG;AACH,wBAAsB,aAAa,IAAI,OAAO,CAAC;IAC7C,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;CACf,CAAC,CA+DD"}

package/dist/auth/refresh.js

@@ -0,0 +1,82 @@
+/**
+ * JWT refresh logic for MCP server startup.
+ *
+ * On each MCP session start, we check if the access_token is expired
+ * and use the refresh_token to get a new one from Supabase.
+ */
+import { createClient } from "@supabase/supabase-js";
+import { readCredentials, writeCredentials } from "./token-store.js";
+import { ATOMS_SUPABASE_URL, ATOMS_SUPABASE_ANON_KEY } from "../config.js";
+/**
+ * Get a valid access token, refreshing if needed.
+ * Returns { access_token, user_id, email } or throws.
+ */
+export async function getValidToken() {
+    // Priority 1: Environment variable (for CI/CD, headless)
+    const envToken = process.env.ATOMS_ACCESS_TOKEN;
+    if (envToken) {
+        const payload = decodeJwtPayload(envToken);
+        return {
+            access_token: envToken,
+            refresh_token: "",
+            user_id: payload.sub,
+            email: payload.email ?? "",
+        };
+    }
+    // Priority 2: Stored credentials
+    const creds = await readCredentials();
+    if (!creds) {
+        throw new Error("Not authenticated. Run 'npx @atoms-tech/atoms-mcp login' to connect your ATOMS account.");
+    }
+    // Check if token is still valid (with 60s buffer)
+    if (creds.expires_at > Date.now() + 60_000) {
+        const payload = decodeJwtPayload(creds.access_token);
+        return {
+            access_token: creds.access_token,
+            refresh_token: creds.refresh_token,
+            user_id: payload.sub,
+            email: payload.email ?? creds.user_email ?? "",
+        };
+    }
+    // Token expired — refresh it
+    process.stderr.write("[atoms-mcp] Refreshing access token...\n");
+    const supabase = createClient(ATOMS_SUPABASE_URL, ATOMS_SUPABASE_ANON_KEY);
+    const { data, error } = await supabase.auth.refreshSession({
+        refresh_token: creds.refresh_token,
+    });
+    if (error || !data.session) {
+        throw new Error(`Token refresh failed: ${error?.message ?? "No session returned"}. ` +
+            "Re-run 'npx @atoms-tech/atoms-mcp login'.");
+    }
+    const session = data.session;
+    // Update stored credentials
+    await writeCredentials({
+        access_token: session.access_token,
+        refresh_token: session.refresh_token,
+        expires_at: Date.now() + (session.expires_in ?? 3600) * 1000,
+        user_email: session.user?.email,
+    });
+    return {
+        access_token: session.access_token,
+        refresh_token: session.refresh_token,
+        user_id: session.user?.id ?? "",
+        email: session.user?.email ?? "",
+    };
+}
+/**
+ * Decode JWT payload without verification (Supabase already verified it).
+ */
+function decodeJwtPayload(jwt) {
+    const parts = jwt.split(".");
+    if (parts.length !== 3)
+        throw new Error("Invalid JWT format");
+    const padded = parts[1]
+        .replace(/-/g, "+")
+        .replace(/_/g, "/")
+        .padEnd(parts[1].length + ((4 - (parts[1].length % 4)) % 4), "=");
+    const payload = JSON.parse(Buffer.from(padded, "base64").toString("utf-8"));
+    if (!payload.sub)
+        throw new Error("JWT missing 'sub' claim");
+    return payload;
+}
+//# sourceMappingURL=refresh.js.map

package/dist/auth/refresh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../src/auth/refresh.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAE3E;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa;IAMjC,yDAAyD;IACzD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAChD,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC3C,OAAO;YACL,YAAY,EAAE,QAAQ;YACtB,aAAa,EAAE,EAAE;YACjB,OAAO,EAAE,OAAO,CAAC,GAAG;YACpB,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,EAAE;SAC3B,CAAC;IACJ,CAAC;IAED,iCAAiC;IACjC,MAAM,KAAK,GAAG,MAAM,eAAe,EAAE,CAAC;IACtC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;IACJ,CAAC;IAED,kDAAkD;IAClD,IAAI,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;QAC3C,MAAM,OAAO,GAAG,gBAAgB,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QACrD,OAAO;YACL,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,aAAa,EAAE,KAAK,CAAC,aAAa;YAClC,OAAO,EAAE,OAAO,CAAC,GAAG;YACpB,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,KAAK,CAAC,UAAU,IAAI,EAAE;SAC/C,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAEjE,MAAM,QAAQ,GAAG,YAAY,CAAC,kBAAkB,EAAE,uBAAuB,CAAC,CAAC;IAC3E,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC;QACzD,aAAa,EAAE,KAAK,CAAC,aAAa;KACnC,CAAC,CAAC;IAEH,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CACb,yBAAyB,KAAK,EAAE,OAAO,IAAI,qBAAqB,IAAI;YACpE,2CAA2C,CAC5C,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;IAE7B,4BAA4B;IAC5B,MAAM,gBAAgB,CAAC;QACrB,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,IAAI,CAAC,GAAG,IAAI;QAC5D,UAAU,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK;KAChC,CAAC,CAAC;IAEH,OAAO;QACL,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE;QAC/B,KAAK,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK,IAAI,EAAE;KACjC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,GAAW;IACnC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IAC9D,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAE;SACrB,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;SAClB,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;SAClB,MAAM,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACtE,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAC5E,IAAI,CAAC,OAAO,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7D,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/auth/token-store.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Token storage for MCP auth credentials.
+ *
+ * Stores access_token + refresh_token in ~/.atoms/credentials.json
+ * with file permissions 0600 (owner read/write only).
+ */
+export interface StoredCredentials {
+    access_token: string;
+    refresh_token: string;
+    expires_at: number;
+    user_email?: string;
+    supabase_url?: string;
+}
+/**
+ * Read stored credentials. Returns null if not found or invalid.
+ */
+export declare function readCredentials(): Promise<StoredCredentials | null>;
+/**
+ * Write credentials to disk with secure permissions.
+ */
+export declare function writeCredentials(creds: StoredCredentials): Promise<void>;
+/**
+ * Check if stored credentials exist and are not expired.
+ */
+export declare function hasValidCredentials(): Promise<boolean>;
+/**
+ * Delete stored credentials (logout).
+ */
+export declare function clearCredentials(): Promise<void>;
+/**
+ * Get the credentials file path (for user-facing messages).
+ */
+export declare function getCredentialsPath(): string;
+//# sourceMappingURL=token-store.d.ts.map

package/dist/auth/token-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.d.ts","sourceRoot":"","sources":["../../src/auth/token-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CASzE;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAO9E;AAED;;GAEG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,OAAO,CAAC,CAK5D;AAED;;GAEG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC,CAMtD;AAED;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C"}

package/dist/auth/token-store.js

@@ -0,0 +1,61 @@
+/**
+ * Token storage for MCP auth credentials.
+ *
+ * Stores access_token + refresh_token in ~/.atoms/credentials.json
+ * with file permissions 0600 (owner read/write only).
+ */
+import { readFile, writeFile, mkdir, unlink } from "node:fs/promises";
+import { homedir } from "node:os";
+import { join } from "node:path";
+const ATOMS_DIR = join(homedir(), ".atoms");
+const CREDENTIALS_FILE = join(ATOMS_DIR, "credentials.json");
+/**
+ * Read stored credentials. Returns null if not found or invalid.
+ */
+export async function readCredentials() {
+    try {
+        const content = await readFile(CREDENTIALS_FILE, "utf-8");
+        const creds = JSON.parse(content);
+        if (!creds.access_token || !creds.refresh_token)
+            return null;
+        return creds;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Write credentials to disk with secure permissions.
+ */
+export async function writeCredentials(creds) {
+    await mkdir(ATOMS_DIR, { recursive: true, mode: 0o700 });
+    await writeFile(CREDENTIALS_FILE, JSON.stringify(creds, null, 2), { mode: 0o600 });
+}
+/**
+ * Check if stored credentials exist and are not expired.
+ */
+export async function hasValidCredentials() {
+    const creds = await readCredentials();
+    if (!creds)
+        return false;
+    // Consider expired if less than 60 seconds remaining
+    return creds.expires_at > Date.now() + 60_000;
+}
+/**
+ * Delete stored credentials (logout).
+ */
+export async function clearCredentials() {
+    try {
+        await unlink(CREDENTIALS_FILE);
+    }
+    catch {
+        // File doesn't exist — already logged out
+    }
+}
+/**
+ * Get the credentials file path (for user-facing messages).
+ */
+export function getCredentialsPath() {
+    return CREDENTIALS_FILE;
+}
+//# sourceMappingURL=token-store.js.map

package/dist/auth/token-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.js","sourceRoot":"","sources":["../../src/auth/token-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AACtE,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;AAC5C,MAAM,gBAAgB,GAAG,IAAI,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAC;AAU7D;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;QAC1D,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAsB,CAAC;QACvD,IAAI,CAAC,KAAK,CAAC,YAAY,IAAI,CAAC,KAAK,CAAC,aAAa;YAAE,OAAO,IAAI,CAAC;QAC7D,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAAwB;IAC7D,MAAM,KAAK,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACzD,MAAM,SAAS,CACb,gBAAgB,EAChB,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAC9B,EAAE,IAAI,EAAE,KAAK,EAAE,CAChB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,MAAM,KAAK,GAAG,MAAM,eAAe,EAAE,CAAC;IACtC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,qDAAqD;IACrD,OAAO,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,0CAA0C;IAC5C,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,gBAAgB,CAAC;AAC1B,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,17 @@
+/**
+ * ATOMS MCP Server — Public client configuration.
+ *
+ * These are PUBLISHABLE values — identical to the ones embedded in the
+ * ATOMS.tech React frontend bundle (NEXT_PUBLIC_SUPABASE_*).
+ *
+ * The anon key is NOT a secret. It only grants access to Supabase's API
+ * gateway. All data access is gated by Row Level Security (RLS) policies
+ * which require a valid user JWT. Without authentication, these values
+ * grant zero data access.
+ *
+ * This is the standard pattern used by Supabase, Firebase, and Clerk
+ * for client-side applications.
+ */
+export declare const ATOMS_SUPABASE_URL = "https://gmebjyhomsbvhrxffzre.supabase.co";
+export declare const ATOMS_SUPABASE_ANON_KEY = "sb_publishable_b49MUAB8XCrQiF7x5b9lUA_w1aplSBH";
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,eAAO,MAAM,kBAAkB,6CAA6C,CAAC;AAC7E,eAAO,MAAM,uBAAuB,mDACc,CAAC"}

package/dist/config.js

@@ -0,0 +1,17 @@
+/**
+ * ATOMS MCP Server — Public client configuration.
+ *
+ * These are PUBLISHABLE values — identical to the ones embedded in the
+ * ATOMS.tech React frontend bundle (NEXT_PUBLIC_SUPABASE_*).
+ *
+ * The anon key is NOT a secret. It only grants access to Supabase's API
+ * gateway. All data access is gated by Row Level Security (RLS) policies
+ * which require a valid user JWT. Without authentication, these values
+ * grant zero data access.
+ *
+ * This is the standard pattern used by Supabase, Firebase, and Clerk
+ * for client-side applications.
+ */
+export const ATOMS_SUPABASE_URL = "https://gmebjyhomsbvhrxffzre.supabase.co";
+export const ATOMS_SUPABASE_ANON_KEY = "sb_publishable_b49MUAB8XCrQiF7x5b9lUA_w1aplSBH";
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,MAAM,CAAC,MAAM,kBAAkB,GAAG,0CAA0C,CAAC;AAC7E,MAAM,CAAC,MAAM,uBAAuB,GAClC,gDAAgD,CAAC"}

package/dist/db/client.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Supabase client factory for the MCP server.
+ *
+ * Creates a user-scoped client with JWT — RLS enforced automatically.
+ * Never uses service role key (all queries respect user permissions).
+ */
+import { type SupabaseClient } from "@supabase/supabase-js";
+/**
+ * Get or create an authenticated Supabase client.
+ * Auto-refreshes JWT when expired. All queries run with user's RLS permissions.
+ */
+export declare function getClient(): Promise<SupabaseClient>;
+/**
+ * Get the authenticated user's ID. Must call getClient() first.
+ */
+export declare function getUserId(): string;
+/**
+ * Get the authenticated user's email.
+ */
+export declare function getUserEmail(): string;
+/**
+ * Reset the cached client (for token refresh).
+ */
+export declare function resetClient(): void;
+/**
+ * Check if the user has write access to a project.
+ * Returns the user's org role, or throws a descriptive error.
+ */
+export declare function requireWriteAccess(client: SupabaseClient, projectId: string): Promise<string>;
+//# sourceMappingURL=client.d.ts.map

package/dist/db/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/db/client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAgB,KAAK,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAS1E;;;GAGG;AACH,wBAAsB,SAAS,IAAI,OAAO,CAAC,cAAc,CAAC,CAuCzD;AAED;;GAEG;AACH,wBAAgB,SAAS,IAAI,MAAM,CAKlC;AAED;;GAEG;AACH,wBAAgB,YAAY,IAAI,MAAM,CAErC;AAED;;GAEG;AACH,wBAAgB,WAAW,IAAI,IAAI,CAKlC;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,cAAc,EACtB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC,CAoCjB"}