npm - @centrali-io/centrali-mcp - Versions diffs - 4.6.0 → 5.0.0 - Mend

@centrali-io/centrali-mcp 4.6.0 → 5.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -4,36 +4,30 @@ MCP (Model Context Protocol) server for the Centrali platform. Lets AI assistant
 > **Full documentation:** [docs.centrali.io](https://docs.centrali.io) — SDK guide, API reference, compute functions, orchestrations, and more.
-Built on `@centrali-io/centrali-sdk`. Supports three auth methods: **OAuth client credentials** (recommended), **OAuth browser login** (Authorization Code + PKCE), and **service account** (RBAC).
+## Two ways to connect
-## Setup
+### Option 1: Hosted MCP Server (recommended)
-### Option 1: OAuth Client Credentials (recommended)
+The easiest way to connect any AI client to Centrali. Add a single URL — authentication happens in the browser via OAuth.
-Create an OAuth app in the Console under **Settings > OAuth Apps**, select the scopes you need, then configure:
+**Claude Desktop / Claude Code / Cursor:**
 ```json
 {
   "mcpServers": {
     "centrali": {
-      "command": "npx",
-      "args": ["@centrali-io/centrali-mcp"],
-      "env": {
-        "CENTRALI_URL": "https://centrali.io",
-        "CENTRALI_OAUTH_CLIENT_ID": "<oauth-client-id>",
-        "CENTRALI_OAUTH_CLIENT_SECRET": "<oauth-client-secret>",
-        "CENTRALI_WORKSPACE": "my-workspace"
-      }
+      "type": "url",
+      "url": "https://mcp.centrali.io"
     }
   }
 }
 ```
-OAuth clients use **scoped access** — the MCP can only access what the client's scopes allow.
+On first use, your AI client opens a browser for login and workspace selection. No client ID, secret, or workspace slug needed.
-### Option 2: OAuth Browser Login (Authorization Code + PKCE)
+### Option 2: Stdio with Service Account (CI/automation)
-For local development where you want the agent to act as **you** (not a bot). Create a **public** OAuth app (no secret needed), and the MCP will open your browser for login:
+For headless environments (CI pipelines, automation scripts, cron jobs) where browser login isn't possible. Uses service account credentials with RBAC permissions.
 ```json
 {
@@ -43,7 +37,8 @@ For local development where you want the agent to act as **you** (not a bot). Cr
       "args": ["@centrali-io/centrali-mcp"],
       "env": {
         "CENTRALI_URL": "https://centrali.io",
-        "CENTRALI_OAUTH_CLIENT_ID": "<oauth-client-id>",
+        "CENTRALI_CLIENT_ID": "<service-account-client-id>",
+        "CENTRALI_CLIENT_SECRET": "<service-account-secret>",
         "CENTRALI_WORKSPACE": "my-workspace"
       }
     }
@@ -51,53 +46,22 @@ For local development where you want the agent to act as **you** (not a bot). Cr
 }
 ```
-On first use, a browser window opens for login and consent. The token carries your user identity — audit logs show **you** performed the action, not a bot.
+### Migrating from OAuth stdio to hosted
-### Option 3: Service Account (RBAC)
+If you were previously using `CENTRALI_OAUTH_CLIENT_ID` with the stdio package, switch to the hosted URL:
-Service accounts use **RBAC permissions** via groups and roles. You must assign the service account to a group before it can access anything.
+1. Remove the old `command`/`args`/`env` configuration
+2. Replace with: `{ "type": "url", "url": "https://mcp.centrali.io" }`
+3. On next connection, authenticate in the browser
-```json
-{
-  "mcpServers": {
-    "centrali": {
-      "command": "npx",
-      "args": ["@centrali-io/centrali-mcp"],
-      "env": {
-        "CENTRALI_URL": "https://centrali.io",
-        "CENTRALI_CLIENT_ID": "<service-account-client-id>",
-        "CENTRALI_CLIENT_SECRET": "<service-account-secret>",
-        "CENTRALI_WORKSPACE": "my-workspace"
-      }
-    }
-  }
-}
-```
-### Environment Variables
+### Environment Variables (stdio mode only)
 | Variable | Required | Description |
 |----------|----------|-------------|
 | `CENTRALI_URL` | Yes | Centrali instance URL (e.g., `https://centrali.io`) |
 | `CENTRALI_WORKSPACE` | Yes | Workspace slug to operate in |
-| `CENTRALI_OAUTH_CLIENT_ID` | OAuth | OAuth client ID (from Settings > OAuth Apps) |
-| `CENTRALI_OAUTH_CLIENT_SECRET` | OAuth | OAuth client secret (omit for browser flow) |
-| `CENTRALI_OAUTH_SCOPE` | No | Space-separated scopes (defaults to all allowed) |
-| `CENTRALI_CLIENT_ID` | SA | Service account client ID |
-| `CENTRALI_CLIENT_SECRET` | SA | Service account client secret |
-Set either the `CENTRALI_OAUTH_*` pair or the `CENTRALI_CLIENT_*` pair, not both.
-### OAuth Scopes
-When using OAuth, select the scopes your MCP workflows need:
-| Use case | Scopes |
-|----------|--------|
-| Read-only data access | `records:read records:list structures:list` |
-| Full data management | `records:read records:write records:list structures:read structures:list` |
-| Data + compute | Above + `compute:read compute:list compute:execute` |
-| Everything | Select all scopes when creating the OAuth app |
+| `CENTRALI_CLIENT_ID` | Yes | Service account client ID |
+| `CENTRALI_CLIENT_SECRET` | Yes | Service account client secret |
 ### Service Account Permissions

package/dist/index.js CHANGED Viewed

@@ -13,9 +13,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const mcp_js_1 = require("@modelcontextprotocol/sdk/server/mcp.js");
 const stdio_js_1 = require("@modelcontextprotocol/sdk/server/stdio.js");
 const centrali_sdk_1 = require("@centrali-io/centrali-sdk");
-const node_http_1 = require("node:http");
-const node_crypto_1 = require("node:crypto");
-const node_child_process_1 = require("node:child_process");
 const structures_js_1 = require("./tools/structures.js");
 const records_js_1 = require("./tools/records.js");
 const search_js_1 = require("./tools/search.js");
@@ -37,219 +34,34 @@ function getRequiredEnv(name) {
     }
     return value;
 }
-/**
- * Detect auth mode from environment variables.
- *
- * Browser mode: Set CENTRALI_OAUTH_CLIENT_ID (no secret)
- *   → Opens browser for Authorization Code + PKCE flow
- *
- * OAuth client_credentials mode: Set CENTRALI_OAUTH_CLIENT_ID + CENTRALI_OAUTH_CLIENT_SECRET
- *   → Uses POST /oauth/token with scoped access
- *
- * Service account mode: Set CENTRALI_CLIENT_ID + CENTRALI_CLIENT_SECRET
- *   → Uses OIDC client_credentials with RBAC (roles, groups, policies)
- */
-function detectAuthMode() {
-    const oauthClientId = process.env.CENTRALI_OAUTH_CLIENT_ID;
-    const oauthClientSecret = process.env.CENTRALI_OAUTH_CLIENT_SECRET;
-    if (oauthClientId && !oauthClientSecret) {
-        return "browser";
-    }
-    if (oauthClientId && oauthClientSecret) {
-        return "oauth";
-    }
-    if (process.env.CENTRALI_CLIENT_ID && process.env.CENTRALI_CLIENT_SECRET) {
-        return "service-account";
-    }
-    console.error("Missing auth credentials. Set one of:\n" +
-        "  CENTRALI_OAUTH_CLIENT_ID (browser OAuth — Authorization Code + PKCE)\n" +
-        "  CENTRALI_OAUTH_CLIENT_ID + CENTRALI_OAUTH_CLIENT_SECRET (OAuth client_credentials)\n" +
-        "  CENTRALI_CLIENT_ID + CENTRALI_CLIENT_SECRET (service account — RBAC permissions)");
-    process.exit(1);
-}
-/** Derive the IAM auth URL from the base URL. */
-function deriveAuthUrl(baseUrl) {
-    // Direct localhost port (e.g., http://localhost:7060) — already pointing at IAM
-    if (/localhost:\d+/.test(baseUrl)) {
-        return baseUrl.replace(/\/data$/, "").replace(/\/iam$/, "");
-    }
-    // Traefik or production — prepend auth. subdomain
-    // centrali.localhost → auth.centrali.localhost
-    // centrali.io → auth.centrali.io
-    return baseUrl.replace(/^(https?:\/\/)/, "$1auth.");
-}
-/** Open a URL in the default browser (safe — no shell interpolation). */
-function openBrowser(url) {
-    const cmd = process.platform === "darwin" ? "open"
-        : process.platform === "win32" ? "cmd" : "xdg-open";
-    const args = process.platform === "win32" ? ["/c", "start", "", url] : [url];
-    (0, node_child_process_1.execFile)(cmd, args, (err) => {
-        if (err)
-            console.error(`[centrali-mcp] Could not open browser: ${err.message}`);
-    });
-}
-/** Create a token fetcher for OAuth client_credentials flow. */
-function createClientCredentialsFetcher(baseUrl, clientId, clientSecret, scope) {
-    const tokenEndpoint = `${deriveAuthUrl(baseUrl)}/oauth/token`;
-    let cachedToken = null;
-    let expiresAt = 0;
-    return () => __awaiter(this, void 0, void 0, function* () {
-        if (cachedToken && Date.now() < expiresAt - 60000)
-            return cachedToken;
-        const params = new URLSearchParams({ grant_type: "client_credentials", client_id: clientId, client_secret: clientSecret });
-        if (scope)
-            params.set("scope", scope);
-        const resp = yield fetch(tokenEndpoint, { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: params.toString() });
-        if (!resp.ok) {
-            const error = yield resp.json().catch(() => ({}));
-            throw new Error(`OAuth token request failed: ${error.error_description || resp.statusText}`);
-        }
-        const data = yield resp.json();
-        cachedToken = data.access_token;
-        expiresAt = Date.now() + data.expires_in * 1000;
-        return cachedToken;
-    });
-}
-/**
- * Perform Authorization Code + PKCE flow via a local HTTP callback server.
- *
- * 1. Start a temporary HTTP server on a random port
- * 2. Open the browser to /oauth/authorize with PKCE challenge
- * 3. Receive the callback with the authorization code
- * 4. Exchange the code for tokens
- * 5. Return a getToken function that auto-refreshes via refresh_token
- */
-function browserAuthFlow(baseUrl, clientId, scope) {
-    return __awaiter(this, void 0, void 0, function* () {
-        const authUrl = deriveAuthUrl(baseUrl);
-        const tokenEndpoint = `${authUrl}/oauth/token`;
-        const codeVerifier = (0, node_crypto_1.randomBytes)(32).toString("base64url");
-        const codeChallenge = (0, node_crypto_1.createHash)("sha256").update(codeVerifier).digest("base64url");
-        const state = (0, node_crypto_1.randomBytes)(16).toString("hex");
-        let accessToken = null;
-        let refreshToken = null;
-        let expiresAt = 0;
-        // Wait for authorization code via local callback server
-        const { code, redirectUri } = yield new Promise((resolve, reject) => {
-            const server = (0, node_http_1.createServer)((req, res) => {
-                const url = new URL(req.url, "http://localhost");
-                if (url.pathname !== "/callback") {
-                    res.writeHead(404);
-                    res.end();
-                    return;
-                }
-                const error = url.searchParams.get("error");
-                if (error) {
-                    res.writeHead(200, { "Content-Type": "text/html" });
-                    res.end(`<h2>Authorization Failed</h2><p>${url.searchParams.get("error_description") || error}</p>`);
-                    server.close();
-                    reject(new Error(`Authorization denied: ${error}`));
-                    return;
-                }
-                if (url.searchParams.get("state") !== state) {
-                    res.writeHead(400, { "Content-Type": "text/html" });
-                    res.end("<h2>State Mismatch</h2>");
-                    server.close();
-                    reject(new Error("State mismatch — possible CSRF"));
-                    return;
-                }
-                const authCode = url.searchParams.get("code");
-                if (!authCode) {
-                    res.writeHead(400, { "Content-Type": "text/html" });
-                    res.end("<h2>Missing Code</h2>");
-                    server.close();
-                    reject(new Error("No authorization code"));
-                    return;
-                }
-                res.writeHead(200, { "Content-Type": "text/html" });
-                res.end("<h2>Authorization Successful</h2><p>You can close this window.</p><script>window.close()</script>");
-                const addr = server.address();
-                server.close();
-                resolve({ code: authCode, redirectUri: `http://localhost:${addr.port}/callback` });
-            });
-            server.listen(0, "127.0.0.1", () => {
-                const addr = server.address();
-                const callbackUri = `http://localhost:${addr.port}/callback`;
-                const authParams = new URLSearchParams({
-                    response_type: "code", client_id: clientId, redirect_uri: callbackUri,
-                    scope: scope || "",
-                    state, code_challenge: codeChallenge, code_challenge_method: "S256",
-                });
-                const authorizeUrl = `${authUrl}/oauth/authorize?${authParams.toString()}`;
-                console.error("[centrali-mcp] Opening browser for authorization...");
-                console.error(`[centrali-mcp] If the browser doesn't open, visit:\n  ${authorizeUrl}`);
-                openBrowser(authorizeUrl);
-                setTimeout(() => { server.close(); reject(new Error("Authorization timed out (5 min)")); }, 300000);
-            });
-        });
-        // Exchange authorization code for tokens
-        console.error("[centrali-mcp] Exchanging authorization code for tokens...");
-        const exchangeResp = yield fetch(tokenEndpoint, {
-            method: "POST",
-            headers: { "Content-Type": "application/x-www-form-urlencoded" },
-            body: new URLSearchParams({
-                grant_type: "authorization_code", code, redirect_uri: redirectUri,
-                client_id: clientId, code_verifier: codeVerifier,
-            }).toString(),
-        });
-        if (!exchangeResp.ok) {
-            const err = yield exchangeResp.json().catch(() => ({}));
-            throw new Error(`Token exchange failed: ${err.error_description || exchangeResp.statusText}`);
-        }
-        const tokenData = yield exchangeResp.json();
-        accessToken = tokenData.access_token;
-        refreshToken = tokenData.refresh_token;
-        expiresAt = Date.now() + tokenData.expires_in * 1000;
-        console.error(`[centrali-mcp] Authorization successful (scope: ${tokenData.scope})`);
-        // Return a getToken function with auto-refresh
-        return () => __awaiter(this, void 0, void 0, function* () {
-            if (accessToken && Date.now() < expiresAt - 60000)
-                return accessToken;
-            if (refreshToken) {
-                const resp = yield fetch(tokenEndpoint, {
-                    method: "POST",
-                    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-                    body: new URLSearchParams({ grant_type: "refresh_token", refresh_token: refreshToken, client_id: clientId }).toString(),
-                });
-                if (resp.ok) {
-                    const data = yield resp.json();
-                    accessToken = data.access_token;
-                    refreshToken = data.refresh_token || refreshToken;
-                    expiresAt = Date.now() + data.expires_in * 1000;
-                    return accessToken;
-                }
-            }
-            throw new Error("Token expired and refresh failed — restart the MCP server to re-authorize.");
-        });
-    });
-}
 function main() {
     return __awaiter(this, void 0, void 0, function* () {
+        // ── Migration check ──────────────────────────────────────────
+        // Browser OAuth and client_credentials flows have moved to the hosted MCP server.
+        // Detect old env vars and guide users to the new setup.
+        if (process.env.CENTRALI_OAUTH_CLIENT_ID) {
+            console.error("\n" +
+                "══════════════════════════════════════════════════════════════\n" +
+                "  Browser OAuth has moved to the hosted MCP server.\n" +
+                "\n" +
+                "  Replace this stdio configuration with a single URL:\n" +
+                "\n" +
+                '    { "type": "url", "url": "https://mcp.centrali.io" }\n' +
+                "\n" +
+                "  Your AI client will open a browser for login automatically.\n" +
+                "  No client ID, secret, or workspace slug needed.\n" +
+                "\n" +
+                "  Guide: https://docs.centrali.io/sdk/mcp/\n" +
+                "══════════════════════════════════════════════════════════════\n");
+            process.exit(0);
+        }
+        // ── Service account mode (the only mode for stdio) ───────────
         const baseUrl = getRequiredEnv("CENTRALI_URL");
         const workspaceId = getRequiredEnv("CENTRALI_WORKSPACE");
-        const authMode = detectAuthMode();
-        let sdk;
-        if (authMode === "browser") {
-            const clientId = getRequiredEnv("CENTRALI_OAUTH_CLIENT_ID");
-            const scope = process.env.CENTRALI_OAUTH_SCOPE;
-            const getToken = yield browserAuthFlow(baseUrl, clientId, scope);
-            sdk = new centrali_sdk_1.CentraliSDK({ baseUrl, workspaceId, getToken });
-            console.error(`[centrali-mcp] Ready — browser OAuth (client: ${clientId})`);
-        }
-        else if (authMode === "oauth") {
-            const clientId = getRequiredEnv("CENTRALI_OAUTH_CLIENT_ID");
-            const clientSecret = getRequiredEnv("CENTRALI_OAUTH_CLIENT_SECRET");
-            const scope = process.env.CENTRALI_OAUTH_SCOPE;
-            const getToken = createClientCredentialsFetcher(baseUrl, clientId, clientSecret, scope);
-            sdk = new centrali_sdk_1.CentraliSDK({ baseUrl, workspaceId, getToken });
-            console.error(`[centrali-mcp] Ready — OAuth client_credentials (client: ${clientId})`);
-        }
-        else {
-            const clientId = getRequiredEnv("CENTRALI_CLIENT_ID");
-            const clientSecret = getRequiredEnv("CENTRALI_CLIENT_SECRET");
-            sdk = new centrali_sdk_1.CentraliSDK({ baseUrl, workspaceId, clientId, clientSecret });
-            console.error(`[centrali-mcp] Ready — service account / RBAC (client: ${clientId})`);
-        }
+        const clientId = getRequiredEnv("CENTRALI_CLIENT_ID");
+        const clientSecret = getRequiredEnv("CENTRALI_CLIENT_SECRET");
+        const sdk = new centrali_sdk_1.CentraliSDK({ baseUrl, workspaceId, clientId, clientSecret });
+        console.error(`[centrali-mcp] Ready — service account (client: ${clientId})`);
         const server = new mcp_js_1.McpServer({
             name: "centrali",
             version: "1.0.0",
@@ -266,7 +78,7 @@ function main() {
         (0, validation_js_1.registerValidationTools)(server, sdk);
         (0, pages_js_1.registerPageTools)(server, sdk, baseUrl, workspaceId);
         (0, auth_providers_js_1.registerAuthProviderTools)(server, sdk, baseUrl, workspaceId);
-        (0, service_accounts_js_1.registerServiceAccountTools)(server, sdk, baseUrl, workspaceId, authMode === "service-account" ? getRequiredEnv("CENTRALI_CLIENT_ID") : (process.env.CENTRALI_OAUTH_CLIENT_ID || ""));
+        (0, service_accounts_js_1.registerServiceAccountTools)(server, sdk, baseUrl, workspaceId, clientId);
         (0, describe_js_1.registerDescribeTools)(server);
         // Register resources
         (0, structures_js_2.registerCollectionResources)(server, sdk);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@centrali-io/centrali-mcp",
-  "version": "4.6.0",
+  "version": "5.0.0",
   "description": "Centrali MCP Server - AI assistant integration for Centrali workspaces",
   "main": "dist/index.js",
   "type": "commonjs",

package/src/index.ts CHANGED Viewed

@@ -3,9 +3,6 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { CentraliSDK } from "@centrali-io/centrali-sdk";
-import { createServer } from "node:http";
-import { randomBytes, createHash } from "node:crypto";
-import { execFile } from "node:child_process";
 import { registerStructureTools, registerCollectionTools } from "./tools/structures.js";
 import { registerRecordTools } from "./tools/records.js";
 import { registerSearchTools } from "./tools/search.js";
@@ -29,234 +26,37 @@ function getRequiredEnv(name: string): string {
   return value;
 }
-/**
- * Detect auth mode from environment variables.
- *
- * Browser mode: Set CENTRALI_OAUTH_CLIENT_ID (no secret)
- *   → Opens browser for Authorization Code + PKCE flow
- *
- * OAuth client_credentials mode: Set CENTRALI_OAUTH_CLIENT_ID + CENTRALI_OAUTH_CLIENT_SECRET
- *   → Uses POST /oauth/token with scoped access
- *
- * Service account mode: Set CENTRALI_CLIENT_ID + CENTRALI_CLIENT_SECRET
- *   → Uses OIDC client_credentials with RBAC (roles, groups, policies)
- */
-function detectAuthMode(): "browser" | "oauth" | "service-account" {
-  const oauthClientId = process.env.CENTRALI_OAUTH_CLIENT_ID;
-  const oauthClientSecret = process.env.CENTRALI_OAUTH_CLIENT_SECRET;
-  if (oauthClientId && !oauthClientSecret) {
-    return "browser";
-  }
-  if (oauthClientId && oauthClientSecret) {
-    return "oauth";
-  }
-  if (process.env.CENTRALI_CLIENT_ID && process.env.CENTRALI_CLIENT_SECRET) {
-    return "service-account";
-  }
-  console.error(
-    "Missing auth credentials. Set one of:\n" +
-    "  CENTRALI_OAUTH_CLIENT_ID (browser OAuth — Authorization Code + PKCE)\n" +
-    "  CENTRALI_OAUTH_CLIENT_ID + CENTRALI_OAUTH_CLIENT_SECRET (OAuth client_credentials)\n" +
-    "  CENTRALI_CLIENT_ID + CENTRALI_CLIENT_SECRET (service account — RBAC permissions)"
-  );
-  process.exit(1);
-}
-/** Derive the IAM auth URL from the base URL. */
-function deriveAuthUrl(baseUrl: string): string {
-  // Direct localhost port (e.g., http://localhost:7060) — already pointing at IAM
-  if (/localhost:\d+/.test(baseUrl)) {
-    return baseUrl.replace(/\/data$/, "").replace(/\/iam$/, "");
-  }
-  // Traefik or production — prepend auth. subdomain
-  // centrali.localhost → auth.centrali.localhost
-  // centrali.io → auth.centrali.io
-  return baseUrl.replace(/^(https?:\/\/)/, "$1auth.");
-}
-/** Open a URL in the default browser (safe — no shell interpolation). */
-function openBrowser(url: string): void {
-  const cmd = process.platform === "darwin" ? "open"
-            : process.platform === "win32" ? "cmd" : "xdg-open";
-  const args = process.platform === "win32" ? ["/c", "start", "", url] : [url];
-  execFile(cmd, args, (err) => {
-    if (err) console.error(`[centrali-mcp] Could not open browser: ${err.message}`);
-  });
-}
-/** Create a token fetcher for OAuth client_credentials flow. */
-function createClientCredentialsFetcher(baseUrl: string, clientId: string, clientSecret: string, scope?: string) {
-  const tokenEndpoint = `${deriveAuthUrl(baseUrl)}/oauth/token`;
-  let cachedToken: string | null = null;
-  let expiresAt = 0;
-  return async (): Promise<string> => {
-    if (cachedToken && Date.now() < expiresAt - 60_000) return cachedToken;
-    const params = new URLSearchParams({ grant_type: "client_credentials", client_id: clientId, client_secret: clientSecret });
-    if (scope) params.set("scope", scope);
-    const resp = await fetch(tokenEndpoint, { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: params.toString() });
-    if (!resp.ok) {
-      const error = await resp.json().catch(() => ({}));
-      throw new Error(`OAuth token request failed: ${error.error_description || resp.statusText}`);
-    }
-    const data = await resp.json();
-    cachedToken = data.access_token;
-    expiresAt = Date.now() + data.expires_in * 1000;
-    return cachedToken!;
-  };
-}
-/**
- * Perform Authorization Code + PKCE flow via a local HTTP callback server.
- *
- * 1. Start a temporary HTTP server on a random port
- * 2. Open the browser to /oauth/authorize with PKCE challenge
- * 3. Receive the callback with the authorization code
- * 4. Exchange the code for tokens
- * 5. Return a getToken function that auto-refreshes via refresh_token
- */
-async function browserAuthFlow(baseUrl: string, clientId: string, scope?: string): Promise<() => Promise<string>> {
-  const authUrl = deriveAuthUrl(baseUrl);
-  const tokenEndpoint = `${authUrl}/oauth/token`;
-  const codeVerifier = randomBytes(32).toString("base64url");
-  const codeChallenge = createHash("sha256").update(codeVerifier).digest("base64url");
-  const state = randomBytes(16).toString("hex");
-  let accessToken: string | null = null;
-  let refreshToken: string | null = null;
-  let expiresAt = 0;
-  // Wait for authorization code via local callback server
-  const { code, redirectUri } = await new Promise<{ code: string; redirectUri: string }>((resolve, reject) => {
-    const server = createServer((req, res) => {
-      const url = new URL(req.url!, "http://localhost");
-      if (url.pathname !== "/callback") { res.writeHead(404); res.end(); return; }
-      const error = url.searchParams.get("error");
-      if (error) {
-        res.writeHead(200, { "Content-Type": "text/html" });
-        res.end(`<h2>Authorization Failed</h2><p>${url.searchParams.get("error_description") || error}</p>`);
-        server.close();
-        reject(new Error(`Authorization denied: ${error}`));
-        return;
-      }
-      if (url.searchParams.get("state") !== state) {
-        res.writeHead(400, { "Content-Type": "text/html" });
-        res.end("<h2>State Mismatch</h2>");
-        server.close();
-        reject(new Error("State mismatch — possible CSRF"));
-        return;
-      }
-      const authCode = url.searchParams.get("code");
-      if (!authCode) {
-        res.writeHead(400, { "Content-Type": "text/html" });
-        res.end("<h2>Missing Code</h2>");
-        server.close();
-        reject(new Error("No authorization code"));
-        return;
-      }
-      res.writeHead(200, { "Content-Type": "text/html" });
-      res.end("<h2>Authorization Successful</h2><p>You can close this window.</p><script>window.close()</script>");
-      const addr = server.address() as { port: number };
-      server.close();
-      resolve({ code: authCode, redirectUri: `http://localhost:${addr.port}/callback` });
-    });
-    server.listen(0, "127.0.0.1", () => {
-      const addr = server.address() as { port: number };
-      const callbackUri = `http://localhost:${addr.port}/callback`;
-      const authParams = new URLSearchParams({
-        response_type: "code", client_id: clientId, redirect_uri: callbackUri,
-        scope: scope || "",
-        state, code_challenge: codeChallenge, code_challenge_method: "S256",
-      });
-      const authorizeUrl = `${authUrl}/oauth/authorize?${authParams.toString()}`;
-      console.error("[centrali-mcp] Opening browser for authorization...");
-      console.error(`[centrali-mcp] If the browser doesn't open, visit:\n  ${authorizeUrl}`);
-      openBrowser(authorizeUrl);
-      setTimeout(() => { server.close(); reject(new Error("Authorization timed out (5 min)")); }, 300_000);
-    });
-  });
-  // Exchange authorization code for tokens
-  console.error("[centrali-mcp] Exchanging authorization code for tokens...");
-  const exchangeResp = await fetch(tokenEndpoint, {
-    method: "POST",
-    headers: { "Content-Type": "application/x-www-form-urlencoded" },
-    body: new URLSearchParams({
-      grant_type: "authorization_code", code, redirect_uri: redirectUri,
-      client_id: clientId, code_verifier: codeVerifier,
-    }).toString(),
-  });
-  if (!exchangeResp.ok) {
-    const err = await exchangeResp.json().catch(() => ({}));
-    throw new Error(`Token exchange failed: ${err.error_description || exchangeResp.statusText}`);
+async function main() {
+  // ── Migration check ──────────────────────────────────────────
+  // Browser OAuth and client_credentials flows have moved to the hosted MCP server.
+  // Detect old env vars and guide users to the new setup.
+  if (process.env.CENTRALI_OAUTH_CLIENT_ID) {
+    console.error(
+      "\n" +
+      "══════════════════════════════════════════════════════════════\n" +
+      "  Browser OAuth has moved to the hosted MCP server.\n" +
+      "\n" +
+      "  Replace this stdio configuration with a single URL:\n" +
+      "\n" +
+      '    { "type": "url", "url": "https://mcp.centrali.io" }\n' +
+      "\n" +
+      "  Your AI client will open a browser for login automatically.\n" +
+      "  No client ID, secret, or workspace slug needed.\n" +
+      "\n" +
+      "  Guide: https://docs.centrali.io/sdk/mcp/\n" +
+      "══════════════════════════════════════════════════════════════\n"
+    );
+    process.exit(0);
   }
-  const tokenData = await exchangeResp.json();
-  accessToken = tokenData.access_token;
-  refreshToken = tokenData.refresh_token;
-  expiresAt = Date.now() + tokenData.expires_in * 1000;
-  console.error(`[centrali-mcp] Authorization successful (scope: ${tokenData.scope})`);
-  // Return a getToken function with auto-refresh
-  return async (): Promise<string> => {
-    if (accessToken && Date.now() < expiresAt - 60_000) return accessToken;
-    if (refreshToken) {
-      const resp = await fetch(tokenEndpoint, {
-        method: "POST",
-        headers: { "Content-Type": "application/x-www-form-urlencoded" },
-        body: new URLSearchParams({ grant_type: "refresh_token", refresh_token: refreshToken!, client_id: clientId }).toString(),
-      });
-      if (resp.ok) {
-        const data = await resp.json();
-        accessToken = data.access_token;
-        refreshToken = data.refresh_token || refreshToken;
-        expiresAt = Date.now() + data.expires_in * 1000;
-        return accessToken!;
-      }
-    }
-    throw new Error("Token expired and refresh failed — restart the MCP server to re-authorize.");
-  };
-}
-async function main() {
+  // ── Service account mode (the only mode for stdio) ───────────
   const baseUrl = getRequiredEnv("CENTRALI_URL");
   const workspaceId = getRequiredEnv("CENTRALI_WORKSPACE");
-  const authMode = detectAuthMode();
+  const clientId = getRequiredEnv("CENTRALI_CLIENT_ID");
+  const clientSecret = getRequiredEnv("CENTRALI_CLIENT_SECRET");
-  let sdk: CentraliSDK;
-  if (authMode === "browser") {
-    const clientId = getRequiredEnv("CENTRALI_OAUTH_CLIENT_ID");
-    const scope = process.env.CENTRALI_OAUTH_SCOPE;
-    const getToken = await browserAuthFlow(baseUrl, clientId, scope);
-    sdk = new CentraliSDK({ baseUrl, workspaceId, getToken });
-    console.error(`[centrali-mcp] Ready — browser OAuth (client: ${clientId})`);
-  } else if (authMode === "oauth") {
-    const clientId = getRequiredEnv("CENTRALI_OAUTH_CLIENT_ID");
-    const clientSecret = getRequiredEnv("CENTRALI_OAUTH_CLIENT_SECRET");
-    const scope = process.env.CENTRALI_OAUTH_SCOPE;
-    const getToken = createClientCredentialsFetcher(baseUrl, clientId, clientSecret, scope);
-    sdk = new CentraliSDK({ baseUrl, workspaceId, getToken });
-    console.error(`[centrali-mcp] Ready — OAuth client_credentials (client: ${clientId})`);
-  } else {
-    const clientId = getRequiredEnv("CENTRALI_CLIENT_ID");
-    const clientSecret = getRequiredEnv("CENTRALI_CLIENT_SECRET");
-    sdk = new CentraliSDK({ baseUrl, workspaceId, clientId, clientSecret });
-    console.error(`[centrali-mcp] Ready — service account / RBAC (client: ${clientId})`);
-  }
+  const sdk = new CentraliSDK({ baseUrl, workspaceId, clientId, clientSecret });
+  console.error(`[centrali-mcp] Ready — service account (client: ${clientId})`);
   const server = new McpServer({
     name: "centrali",
@@ -275,7 +75,7 @@ async function main() {
   registerValidationTools(server, sdk);
   registerPageTools(server, sdk, baseUrl, workspaceId);
   registerAuthProviderTools(server, sdk, baseUrl, workspaceId);
-  registerServiceAccountTools(server, sdk, baseUrl, workspaceId, authMode === "service-account" ? getRequiredEnv("CENTRALI_CLIENT_ID") : (process.env.CENTRALI_OAUTH_CLIENT_ID || ""));
+  registerServiceAccountTools(server, sdk, baseUrl, workspaceId, clientId);
   registerDescribeTools(server);
   // Register resources