@dayby/mcp-server 0.2.0 → 0.3.2

package/README.md

@@ -5,11 +5,10 @@ Post your dev progress to [DayBy.dev](https://dayby.dev) from Claude, Cursor, or
 ## How It Works
 
 ```
-You're coding with Claude → learn something cool →
-  draft_post (sanitized locally, never touches network) →
-  Claude shows you a clean preview →
-  You say "ship it" →
-  publish_post → DayBy API (only sanitized content sent)
+draft_post → sanitized locally, never touches network
+           → Claude shows you a clean preview
+           → you approve
+           → publish_post → DayBy API (sanitized content only)
 ```
 
 **The raw context from your codebase never touches the network.** Only the sanitized, approved version gets published.
@@ -18,11 +17,14 @@ You're coding with Claude → learn something cool →
 
 | Tool | What it does | Touches network? |
 |---|---|---|
-| `draft_post` | Creates a sanitized draft from your description | ❌ No |
-| `edit_draft` | Modify a draft before publishing | ❌ No |
-| `check_content` | Dry-run: see what would get stripped | ❌ No |
-| `publish_post` | Publish an approved draft to DayBy | ✅ Yes (sanitized only) |
-| `list_posts` | List your recent DayBy posts | ✅ Yes |
+| `draft_post` | Creates a sanitized draft from your description | No |
+| `edit_draft` | Modify a draft before publishing | No |
+| `check_content` | Dry-run: see what would get stripped | No |
+| `publish_post` | Publish an approved draft to DayBy | Yes (sanitized only) |
+| `list_posts` | List your recent DayBy posts | Yes |
+| `get_post` | Fetch a single post by slug | Yes |
+| `update_post` | Update title, content, or visibility | Yes |
+| `delete_post` | Permanently delete a post | Yes |
 
 ## What Gets Stripped (Automatically)
 
@@ -33,70 +35,103 @@ You're coding with Claude → learn something cool →
 - SSH keys, JWTs, GitHub tokens
 - Database connection URLs
 - File paths with usernames
-- Plus anything you configure in blocklist ↓
+- Plus anything you configure in blocklist
 
 ## Setup
 
-### 1. Get a DayBy API Key
+### 1. Install
 
-1. Sign up at [dayby.dev](https://dayby.dev)
-2. Go to Settings → API
-3. Enable API access and generate a key
+**Option A — npx (no install needed):**
 
-### 2. Configure Sanitizer (Optional but Recommended)
+```bash
+npx @dayby/mcp-server
+```
 
-Create `~/.dayby/sanitizer.json`:
+**Option B — global install:**
 
-```json
-{
-  "blockedTerms": ["YourCompany", "ProjectCodename"],
-  "blockedDomains": ["internal.yourcompany.com"],
-  "blockedNames": ["Your Boss Name"],
-  "customPatterns": ["JIRA-\\d+", "INTERNAL-\\d+"]
-}
+```bash
+npm install -g @dayby/mcp-server
 ```
 
-### 3. Install
+**Option C — from source:**
 
 ```bash
-npm install -g @dayby/mcp-server
+git clone https://github.com/ja-roque/dayby-mcp-server.git
+cd dayby-mcp-server
+npm install && npm run build
 ```
 
-### 4. Add to Claude Code / Claude Desktop / Cursor
+### 2. Authenticate
+
+Run the auth command to connect your DayBy account:
+
+```bash
+dayby-mcp auth
+```
+
+This opens your browser for a one-click authorization. Your token is saved locally at `~/.dayby/credentials.json`.
+
+To log out:
+
+```bash
+dayby-mcp auth --logout
+```
+
+Alternatively, you can set the `DAYBY_API_KEY` environment variable (from Settings > API on dayby.dev).
+
+### 3. Add to your MCP client
 
 **Claude Code (simplest):**
+
 ```bash
 claude mcp add dayby -- dayby-mcp
 ```
 
+Or with npx:
+
+```bash
+claude mcp add dayby -- npx @dayby/mcp-server
+```
+
 **Claude Desktop** (`claude_desktop_config.json`):
+
 ```json
 {
   "mcpServers": {
     "dayby": {
-      "command": "dayby-mcp",
-      "env": {
-        "DAYBY_API_KEY": "your-api-key-here"
-      }
+      "command": "npx",
+      "args": ["@dayby/mcp-server"]
     }
   }
 }
 ```
 
 **Cursor** (`.cursor/mcp.json`):
+
 ```json
 {
   "mcpServers": {
     "dayby": {
-      "command": "dayby-mcp",
-      "env": {
-        "DAYBY_API_KEY": "your-api-key-here"
-      }
+      "command": "npx",
+      "args": ["@dayby/mcp-server"]
     }
   }
 }
 ```
 
+### 4. Configure Sanitizer (Optional but Recommended)
+
+Create `~/.dayby/sanitizer.json`:
+
+```json
+{
+  "blockedTerms": ["YourCompany", "ProjectCodename"],
+  "blockedDomains": ["internal.yourcompany.com"],
+  "blockedNames": ["Your Boss Name"],
+  "customPatterns": ["JIRA-\\d+", "INTERNAL-\\d+"]
+}
+```
+
 ## Usage Examples
 
 **While coding:**
@@ -114,11 +149,37 @@ Claude will use `draft_post` to sanitize locally, show you a preview, and only p
 
 | Variable | Description | Default |
 |---|---|---|
-| `DAYBY_API_KEY` | Your DayBy API key | (required) |
+| `DAYBY_API_KEY` | Your DayBy API key (alternative to `dayby-mcp auth`) | (none) |
 | `DAYBY_API_URL` | DayBy API URL | `https://dayby.dev` |
 | `DAYBY_BLOCKED_TERMS` | Comma-separated blocked terms | (none) |
 | `DAYBY_BLOCKED_DOMAINS` | Comma-separated blocked domains | (none) |
 
+## Troubleshooting
+
+**`dayby-mcp: command not found` after global install**
+
+Your npm global bin isn't in your PATH. Run:
+
+```bash
+source ~/.bashrc
+```
+
+Or add this to your `~/.bashrc` / `~/.zshrc`:
+
+```bash
+export PATH="$(npm bin -g):$PATH"
+```
+
+Then restart your terminal or run `source ~/.bashrc` again.
+
+**MCP server not showing up in Claude**
+
+Restart Claude Code / Claude Desktop after adding the MCP config.
+
+**`Not authenticated` errors**
+
+Run `dayby-mcp auth` to connect your account, or set `DAYBY_API_KEY` in your environment.
+
 ## License
 
 MIT

package/dist/auth.d.ts

@@ -0,0 +1,16 @@
+/**
+ * DayBy MCP — device authorization flow.
+ *
+ * Usage:
+ *   dayby-mcp auth           → interactive OAuth-style flow, saves token
+ *   dayby-mcp auth --logout  → clears saved credentials
+ */
+interface Credentials {
+    token: string;
+    api_url: string;
+}
+export declare function loadCredentials(): Credentials | null;
+export declare function clearCredentials(): void;
+export declare function getStoredToken(apiUrl?: string): string | null;
+export declare function runAuthFlow(apiUrl?: string): Promise<void>;
+export {};

package/dist/auth.js

@@ -0,0 +1,143 @@
+"use strict";
+/**
+ * DayBy MCP — device authorization flow.
+ *
+ * Usage:
+ *   dayby-mcp auth           → interactive OAuth-style flow, saves token
+ *   dayby-mcp auth --logout  → clears saved credentials
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadCredentials = loadCredentials;
+exports.clearCredentials = clearCredentials;
+exports.getStoredToken = getStoredToken;
+exports.runAuthFlow = runAuthFlow;
+const fs = __importStar(require("fs"));
+const os = __importStar(require("os"));
+const path = __importStar(require("path"));
+const child_process_1 = require("child_process");
+// --- Config ---
+const DEFAULT_API_URL = 'https://dayby.dev';
+const CREDENTIALS_DIR = path.join(os.homedir(), '.dayby');
+const CREDENTIALS_FILE = path.join(CREDENTIALS_DIR, 'credentials.json');
+const POLL_INTERVAL_MS = 2000;
+// --- Storage ---
+function loadCredentials() {
+    try {
+        return JSON.parse(fs.readFileSync(CREDENTIALS_FILE, 'utf-8'));
+    }
+    catch {
+        return null;
+    }
+}
+function saveCredentials(creds) {
+    fs.mkdirSync(CREDENTIALS_DIR, { recursive: true });
+    fs.writeFileSync(CREDENTIALS_FILE, JSON.stringify(creds, null, 2), { mode: 0o600 });
+}
+function clearCredentials() {
+    try {
+        fs.unlinkSync(CREDENTIALS_FILE);
+        console.log('Logged out. Credentials cleared.');
+    }
+    catch {
+        console.log('No credentials found.');
+    }
+}
+function getStoredToken(apiUrl = DEFAULT_API_URL) {
+    const creds = loadCredentials();
+    if (!creds)
+        return null;
+    // If the stored token is for a different server, ignore it
+    if (creds.api_url !== apiUrl)
+        return null;
+    return creds.token;
+}
+// --- Browser ---
+function openBrowser(url) {
+    const display = process.env.DISPLAY || ':0';
+    const cmd = process.platform === 'darwin' ? `open "${url}"` :
+        process.platform === 'win32' ? `start "" "${url}"` :
+            `DISPLAY=${display} xdg-open "${url}"`;
+    (0, child_process_1.exec)(cmd, (err) => {
+        if (err) {
+            console.error(`Could not open browser: ${err.message}`);
+            console.log(`Please open this URL manually:\n  ${url}`);
+        }
+    });
+}
+// --- Poll ---
+async function pollForToken(apiUrl, code) {
+    const url = `${apiUrl}/api/v2/auth/device/${code}`;
+    for (;;) {
+        await new Promise(r => setTimeout(r, POLL_INTERVAL_MS));
+        const res = await fetch(url);
+        if (res.status === 200) {
+            const data = await res.json();
+            return data.token;
+        }
+        if (res.status === 410) {
+            throw new Error('Authorization expired. Please run `dayby-mcp auth` again.');
+        }
+        if (res.status !== 202) {
+            throw new Error(`Unexpected response while waiting for authorization (${res.status}).`);
+        }
+        // 202 = still pending, keep polling
+    }
+}
+// --- Main flow ---
+async function runAuthFlow(apiUrl = DEFAULT_API_URL) {
+    console.log('\n🔐 DayBy Authentication\n');
+    console.log(`Connecting to ${apiUrl}...`);
+    // 1. Request a device code
+    const res = await fetch(`${apiUrl}/api/v2/auth/device`, { method: 'POST' });
+    if (!res.ok) {
+        console.error(`\n❌ Could not reach DayBy (HTTP ${res.status}). Check your connection.\n`);
+        process.exit(1);
+    }
+    const { code, verification_uri, expires_in } = await res.json();
+    const expiresMinutes = Math.round(expires_in / 60);
+    // 2. Open browser
+    console.log('Opening DayBy in your browser...\n');
+    console.log(`  URL:  ${verification_uri}`);
+    console.log(`  Code: ${code}`);
+    console.log(`  Expires in ${expiresMinutes} minutes\n`);
+    openBrowser(verification_uri);
+    // 3. Poll until the user clicks Authorize
+    console.log('Waiting for you to authorize in the browser...');
+    const token = await pollForToken(apiUrl, code);
+    // 4. Save
+    saveCredentials({ token, api_url: apiUrl });
+    console.log('\n✅ Authenticated! You can now use DayBy MCP.\n');
+}

package/dist/auth.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/auth.test.js

@@ -0,0 +1,105 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+// We test the exported functions directly
+const auth_js_1 = require("./auth.js");
+const CREDENTIALS_DIR = path.join(process.env.HOME || '~', '.dayby');
+const CREDENTIALS_FILE = path.join(CREDENTIALS_DIR, 'credentials.json');
+const BACKUP_FILE = CREDENTIALS_FILE + '.test-backup';
+(0, vitest_1.describe)('Auth', () => {
+    let originalCredentials = null;
+    (0, vitest_1.beforeEach)(() => {
+        // Back up existing credentials
+        try {
+            originalCredentials = fs.readFileSync(CREDENTIALS_FILE, 'utf-8');
+        }
+        catch {
+            originalCredentials = null;
+        }
+    });
+    (0, vitest_1.afterEach)(() => {
+        // Restore original credentials
+        if (originalCredentials) {
+            fs.writeFileSync(CREDENTIALS_FILE, originalCredentials, { mode: 0o600 });
+        }
+    });
+    (0, vitest_1.describe)('loadCredentials', () => {
+        (0, vitest_1.it)('returns null when no credentials file exists', () => {
+            // Temporarily rename the file
+            const tempPath = CREDENTIALS_FILE + '.tmp';
+            try {
+                fs.renameSync(CREDENTIALS_FILE, tempPath);
+            }
+            catch { }
+            try {
+                const result = (0, auth_js_1.loadCredentials)();
+                (0, vitest_1.expect)(result).toBeNull();
+            }
+            finally {
+                try {
+                    fs.renameSync(tempPath, CREDENTIALS_FILE);
+                }
+                catch { }
+            }
+        });
+        (0, vitest_1.it)('returns credentials when file exists', () => {
+            const creds = (0, auth_js_1.loadCredentials)();
+            // If credentials exist on this machine, they should have token and api_url
+            if (creds) {
+                (0, vitest_1.expect)(creds).toHaveProperty('token');
+                (0, vitest_1.expect)(creds).toHaveProperty('api_url');
+                (0, vitest_1.expect)(typeof creds.token).toBe('string');
+                (0, vitest_1.expect)(typeof creds.api_url).toBe('string');
+            }
+        });
+    });
+    (0, vitest_1.describe)('getStoredToken', () => {
+        (0, vitest_1.it)('returns null for a non-matching API URL', () => {
+            const token = (0, auth_js_1.getStoredToken)('https://not-the-right-server.com');
+            (0, vitest_1.expect)(token).toBeNull();
+        });
+        (0, vitest_1.it)('returns token for the correct API URL', () => {
+            const token = (0, auth_js_1.getStoredToken)('https://dayby.dev');
+            // Token exists on this dev machine
+            if (token) {
+                (0, vitest_1.expect)(typeof token).toBe('string');
+                (0, vitest_1.expect)(token.length).toBeGreaterThan(0);
+            }
+        });
+    });
+});

package/dist/dayby-client.d.ts

@@ -28,7 +28,11 @@ export interface PostsListResponse {
 export declare class DayByClient {
     private apiUrl;
     private apiKey;
-    constructor(config: DayByConfig);
+    private resolveKey?;
+    constructor(config: DayByConfig & {
+        resolveKey?: () => string;
+    });
+    private getApiKey;
     private request;
     listPosts(page?: number, perPage?: number): Promise<PostsListResponse>;
     getPost(slug: string): Promise<{
@@ -38,6 +42,7 @@ export declare class DayByClient {
         title: string;
         content: string;
         visibility?: string;
+        tags?: string[];
     }): Promise<{
         post: DayByPost;
     }>;
@@ -45,9 +50,14 @@ export declare class DayByClient {
         title?: string;
         content?: string;
         visibility?: string;
+        tags?: string[];
     }): Promise<{
         post: DayByPost;
     }>;
+    updateArticle(slug: string, htmlArticle: string): Promise<{
+        post: DayByPost;
+        message: string;
+    }>;
     deletePost(slug: string): Promise<{
         message: string;
     }>;

package/dist/dayby-client.js

@@ -7,14 +7,22 @@ exports.DayByClient = void 0;
 class DayByClient {
     apiUrl;
     apiKey;
+    resolveKey;
     constructor(config) {
         this.apiUrl = config.apiUrl.replace(/\/$/, '');
         this.apiKey = config.apiKey;
+        this.resolveKey = config.resolveKey;
+    }
+    getApiKey() {
+        if (this.resolveKey)
+            return this.resolveKey();
+        return this.apiKey;
     }
     async request(method, path, body) {
         const url = `${this.apiUrl}${path}`;
+        const apiKey = this.getApiKey();
         const headers = {
-            'Authorization': `Bearer ${this.apiKey}`,
+            'Authorization': `Bearer ${apiKey}`,
             'Content-Type': 'application/json',
             'Accept': 'application/json',
         };
@@ -45,6 +53,9 @@ class DayByClient {
             post: params,
         });
     }
+    async updateArticle(slug, htmlArticle) {
+        return this.request('PUT', `/api/v2/posts/${slug}/article`, { html_article: htmlArticle });
+    }
     async deletePost(slug) {
         return this.request('DELETE', `/api/v2/posts/${slug}`);
     }

package/dist/index.d.ts

@@ -6,5 +6,9 @@
  * All content is sanitized locally before it ever touches the network.
  *
  * Flow: draft_post → review → publish_post (nothing leaves without approval)
+ *
+ * Auth:
+ *   Run `dayby-mcp auth` once to authorize via OAuth (no API key needed).
+ *   Or set DAYBY_API_KEY env var for the legacy API key flow.
  */
 export {};

package/dist/index.js

@@ -7,6 +7,10 @@
  * All content is sanitized locally before it ever touches the network.
  *
  * Flow: draft_post → review → publish_post (nothing leaves without approval)
+ *
+ * Auth:
+ *   Run `dayby-mcp auth` once to authorize via OAuth (no API key needed).
+ *   Or set DAYBY_API_KEY env var for the legacy API key flow.
  */
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
@@ -47,16 +51,33 @@ const stdio_js_1 = require("@modelcontextprotocol/sdk/server/stdio.js");
 const zod_1 = require("zod");
 const sanitizer_js_1 = require("./sanitizer.js");
 const dayby_client_js_1 = require("./dayby-client.js");
+const auth_js_1 = require("./auth.js");
+const visibility_js_1 = require("./visibility.js");
 const fs = __importStar(require("fs"));
+const os = __importStar(require("os"));
 const path = __importStar(require("path"));
+// --- Auth subcommand ---
+async function handleAuthCommand() {
+    const args = process.argv.slice(3); // after "auth"
+    if (args.includes('--logout')) {
+        (0, auth_js_1.clearCredentials)();
+        return;
+    }
+    const apiUrl = process.env.DAYBY_API_URL || 'https://dayby.dev';
+    await (0, auth_js_1.runAuthFlow)(apiUrl);
+}
 function loadConfig() {
-    // 1. Check env vars
     const apiUrl = process.env.DAYBY_API_URL || 'https://dayby.dev';
-    const apiKey = process.env.DAYBY_API_KEY || '';
-    // 2. Load sanitizer config from file if it exists
+    // 1. Env var takes priority (legacy)
+    let apiKey = process.env.DAYBY_API_KEY || '';
+    // 2. Fall back to stored token from `dayby-mcp auth`
+    if (!apiKey) {
+        apiKey = (0, auth_js_1.getStoredToken)(apiUrl) || '';
+    }
+    // 3. Load sanitizer config from file if it exists
     let sanitizerConfig = {};
     const configPaths = [
-        path.join(process.env.HOME || '~', '.dayby', 'sanitizer.json'),
+        path.join(os.homedir(), '.dayby', 'sanitizer.json'),
         path.join(process.cwd(), '.dayby-sanitizer.json'),
     ];
     for (const configPath of configPaths) {
@@ -69,7 +90,7 @@ function loadConfig() {
             // File doesn't exist, that's fine
         }
     }
-    // 3. Also load from env (comma-separated)
+    // 4. Also load from env (comma-separated)
     if (process.env.DAYBY_BLOCKED_TERMS) {
         sanitizerConfig.blockedTerms = [
             ...(sanitizerConfig.blockedTerms || []),
@@ -90,9 +111,21 @@ function generateDraftId() {
 }
 // --- Main ---
 async function main() {
+    // Handle `dayby-mcp auth [--logout]` subcommand
+    if (process.argv[2] === 'auth') {
+        await handleAuthCommand();
+        process.exit(0);
+    }
     const config = loadConfig();
     const sanitizer = new sanitizer_js_1.Sanitizer(config.sanitizer);
-    const client = new dayby_client_js_1.DayByClient({ apiUrl: config.apiUrl, apiKey: config.apiKey });
+    const client = new dayby_client_js_1.DayByClient({
+        apiUrl: config.apiUrl,
+        apiKey: config.apiKey,
+        resolveKey: () => {
+            // Re-check env and stored credentials on every call
+            return process.env.DAYBY_API_KEY || (0, auth_js_1.getStoredToken)(config.apiUrl) || config.apiKey;
+        },
+    });
     const server = new mcp_js_1.McpServer({
         name: 'dayby',
         version: '0.1.0',
@@ -105,7 +138,8 @@ async function main() {
         title: zod_1.z.string().describe('Post title — focus on the technology/skill learned'),
         content: zod_1.z.string().describe('Post content — describe what you learned, built, or solved. The sanitizer will strip any sensitive data automatically.'),
         visibility: zod_1.z.enum(['published', 'draft']).default('published').describe('Post visibility on DayBy'),
-    }, async ({ title, content, visibility }) => {
+        tags: zod_1.z.array(zod_1.z.string()).optional().describe('Tags/project names for this post (e.g., ["playflow", "rust"]). Used to filter posts by project in the public API.'),
+    }, async ({ title, content, visibility, tags }) => {
         // Sanitize both title and content locally
         const titleResult = sanitizer.sanitize(title);
         const contentResult = sanitizer.sanitize(content);
@@ -118,6 +152,7 @@ async function main() {
             sanitizedContent: contentResult.clean,
             strippedItems: allStripped,
             visibility,
+            tags: tags || [],
             createdAt: new Date(),
         };
         drafts.set(draftId, draft);
@@ -126,6 +161,9 @@ async function main() {
         response += `**Title:** ${draft.sanitizedTitle}\n\n`;
         response += `**Content:**\n${draft.sanitizedContent}\n\n`;
         response += `**Visibility:** ${visibility}\n`;
+        if (draft.tags.length > 0) {
+            response += `**Tags:** ${draft.tags.join(', ')}\n`;
+        }
         if (allStripped.length > 0) {
             response += `\n⚠️ **Sanitizer removed ${allStripped.length} sensitive item(s):**\n`;
             for (const item of allStripped.slice(0, 10)) {
@@ -151,7 +189,8 @@ async function main() {
         title: zod_1.z.string().optional().describe('Updated title (will be re-sanitized)'),
         content: zod_1.z.string().optional().describe('Updated content (will be re-sanitized)'),
         visibility: zod_1.z.enum(['published', 'draft']).optional().describe('Updated visibility'),
-    }, async ({ draft_id, title, content, visibility }) => {
+        tags: zod_1.z.array(zod_1.z.string()).optional().describe('Updated tags/project names'),
+    }, async ({ draft_id, title, content, visibility, tags }) => {
         const draft = drafts.get(draft_id);
         if (!draft) {
             return {
@@ -172,6 +211,9 @@ async function main() {
         if (visibility) {
             draft.visibility = visibility;
         }
+        if (tags) {
+            draft.tags = tags;
+        }
         let response = `✏️ **Draft Updated** (ID: ${draft_id})\n\n`;
         response += `**Title:** ${draft.sanitizedTitle}\n\n`;
         response += `**Content:**\n${draft.sanitizedContent}\n\n`;
@@ -193,11 +235,12 @@ async function main() {
                 content: [{ type: 'text', text: `❌ Draft not found: ${draft_id}. Use draft_post to create a new one.` }],
             };
         }
-        if (!config.apiKey) {
+        const currentKey = process.env.DAYBY_API_KEY || (0, auth_js_1.getStoredToken)(config.apiUrl) || config.apiKey;
+        if (!currentKey) {
             return {
                 content: [{
                         type: 'text',
-                        text: '❌ No API key configured. Set DAYBY_API_KEY environment variable or add it to your MCP config.',
+                        text: '❌ Not authenticated. Run `dayby-mcp auth` in your terminal to connect your DayBy account.',
                     }],
             };
         }
@@ -206,7 +249,8 @@ async function main() {
             const result = await client.createPost({
                 title: draft.sanitizedTitle,
                 content: draft.sanitizedContent,
-                visibility: draft.visibility,
+                visibility: (0, visibility_js_1.toApiVisibility)(draft.visibility),
+                tags: draft.tags.length > 0 ? draft.tags : undefined,
             });
             let response = `✅ **Published to DayBy!**\n\n`;
             response += `**Title:** ${result.post.title}\n`;
@@ -241,9 +285,9 @@ async function main() {
         page: zod_1.z.number().default(1).describe('Page number'),
         per_page: zod_1.z.number().default(10).describe('Posts per page'),
     }, async ({ page, per_page }) => {
-        if (!config.apiKey) {
+        if (!(process.env.DAYBY_API_KEY || (0, auth_js_1.getStoredToken)(config.apiUrl) || config.apiKey)) {
             return {
-                content: [{ type: 'text', text: '❌ No API key configured.' }],
+                content: [{ type: 'text', text: '❌ Not authenticated. Run `dayby-mcp auth` to connect your DayBy account.' }],
             };
         }
         try {
@@ -252,7 +296,7 @@ async function main() {
             for (const post of result.posts) {
                 response += `• **${post.title}** — ${post.url}\n`;
                 response += `  ${post.content.slice(0, 100)}${post.content.length > 100 ? '...' : ''}\n`;
-                response += `  _${post.created_at.slice(0, 10)} · ${post.visibility}_\n\n`;
+                response += `  _${post.created_at.slice(0, 10)} · ${(0, visibility_js_1.fromApiVisibility)(post.visibility)}_\n\n`;
             }
             return { content: [{ type: 'text', text: response }] };
         }
@@ -271,8 +315,8 @@ async function main() {
     server.tool('get_post', 'Get a single DayBy post by its slug.', {
         slug: zod_1.z.string().describe('The post slug'),
     }, async ({ slug }) => {
-        if (!config.apiKey) {
-            return { content: [{ type: 'text', text: '❌ No API key configured.' }] };
+        if (!(process.env.DAYBY_API_KEY || (0, auth_js_1.getStoredToken)(config.apiUrl) || config.apiKey)) {
+            return { content: [{ type: 'text', text: '❌ Not authenticated. Run `dayby-mcp auth` to connect your DayBy account.' }] };
         }
         try {
             const result = await client.getPost(slug);
@@ -280,7 +324,7 @@ async function main() {
             let response = `📄 **${post.title}**\n\n`;
             response += `**Slug:** ${post.slug}\n`;
             response += `**URL:** ${post.url}\n`;
-            response += `**Visibility:** ${post.visibility}\n`;
+            response += `**Visibility:** ${(0, visibility_js_1.fromApiVisibility)(post.visibility)}\n`;
             response += `**Created:** ${post.created_at.slice(0, 10)}\n\n`;
             response += post.content;
             return { content: [{ type: 'text', text: response }] };
@@ -299,9 +343,10 @@ async function main() {
         title: zod_1.z.string().optional().describe('New title (will be sanitized)'),
         content: zod_1.z.string().optional().describe('New content (will be sanitized)'),
         visibility: zod_1.z.enum(['published', 'draft']).optional().describe('New visibility'),
-    }, async ({ slug, title, content, visibility }) => {
-        if (!config.apiKey) {
-            return { content: [{ type: 'text', text: '❌ No API key configured.' }] };
+        tags: zod_1.z.array(zod_1.z.string()).optional().describe('Updated tags/project names'),
+    }, async ({ slug, title, content, visibility, tags }) => {
+        if (!(process.env.DAYBY_API_KEY || (0, auth_js_1.getStoredToken)(config.apiUrl) || config.apiKey)) {
+            return { content: [{ type: 'text', text: '❌ Not authenticated. Run `dayby-mcp auth` to connect your DayBy account.' }] };
         }
         const params = {};
         if (title)
@@ -309,9 +354,11 @@ async function main() {
         if (content)
             params.content = sanitizer.sanitize(content).clean;
         if (visibility)
-            params.visibility = visibility;
+            params.visibility = (0, visibility_js_1.toApiVisibility)(visibility);
+        if (tags)
+            params.tags = tags;
         if (Object.keys(params).length === 0) {
-            return { content: [{ type: 'text', text: '❌ Provide at least one field to update (title, content, or visibility).' }] };
+            return { content: [{ type: 'text', text: '❌ Provide at least one field to update (title, content, visibility, or tags).' }] };
         }
         try {
             const result = await client.updatePost(slug, params);
@@ -319,7 +366,7 @@ async function main() {
             let response = `✅ **Post Updated**\n\n`;
             response += `**Title:** ${post.title}\n`;
             response += `**URL:** ${post.url}\n`;
-            response += `**Visibility:** ${post.visibility}\n`;
+            response += `**Visibility:** ${(0, visibility_js_1.fromApiVisibility)(post.visibility)}\n`;
             return { content: [{ type: 'text', text: response }] };
         }
         catch (e) {
@@ -329,13 +376,52 @@ async function main() {
         }
     });
     // ========================================
+    // Tool: update_article
+    // Let the user's AI generate or edit the HTML article directly.
+    // ========================================
+    server.tool('update_article', `Set or replace the HTML article for a DayBy post. Use this to write custom articles with CTAs, rich formatting, or any content the user wants.
+
+DayBy article HTML rules:
+- Return clean HTML fragments only (no wrapper divs, article tags, doctype, html, head, body)
+- Use <p> tags for paragraphs (no classes needed)
+- Use <h2> for section headings, <h3> for sub-sections
+- Use <strong> for key terms, <em> for emphasis
+- Use <blockquote> for pull quotes
+- Use <pre><code> for code blocks, <code> inline for references
+- Use <ul>/<ol> for lists (prefer prose over lists)
+- Use <a href="..." target="_blank"> for links and CTAs
+- No CSS classes on elements (the page stylesheet handles typography)
+- Target length: 600-1000 words
+- Keep the author's voice and perspective from the original post`, {
+        slug: zod_1.z.string().describe('The post slug to update'),
+        html_article: zod_1.z.string().describe('The HTML article content. Follow DayBy article HTML rules in the tool description.'),
+    }, async ({ slug, html_article }) => {
+        if (!(process.env.DAYBY_API_KEY || (0, auth_js_1.getStoredToken)(config.apiUrl) || config.apiKey)) {
+            return { content: [{ type: 'text', text: '❌ Not authenticated. Run `dayby-mcp auth` to connect your DayBy account.' }] };
+        }
+        try {
+            const result = await client.updateArticle(slug, html_article);
+            const post = result.post;
+            let response = `✅ **Article Updated**\n\n`;
+            response += `**Title:** ${post.title}\n`;
+            response += `**URL:** ${post.url}\n`;
+            response += `${result.message}\n`;
+            return { content: [{ type: 'text', text: response }] };
+        }
+        catch (e) {
+            return {
+                content: [{ type: 'text', text: `❌ Failed to update article: ${e instanceof Error ? e.message : 'Unknown error'}` }],
+            };
+        }
+    });
+    // ========================================
     // Tool: delete_post
     // ========================================
     server.tool('delete_post', 'Permanently delete a DayBy post by its slug.', {
         slug: zod_1.z.string().describe('The post slug to delete'),
     }, async ({ slug }) => {
-        if (!config.apiKey) {
-            return { content: [{ type: 'text', text: '❌ No API key configured.' }] };
+        if (!(process.env.DAYBY_API_KEY || (0, auth_js_1.getStoredToken)(config.apiUrl) || config.apiKey)) {
+            return { content: [{ type: 'text', text: '❌ Not authenticated. Run `dayby-mcp auth` to connect your DayBy account.' }] };
         }
         try {
             const result = await client.deletePost(slug);

package/dist/sanitizer.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/sanitizer.test.js

@@ -0,0 +1,88 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const sanitizer_js_1 = require("./sanitizer.js");
+(0, vitest_1.describe)('Sanitizer', () => {
+    const sanitizer = new sanitizer_js_1.Sanitizer();
+    (0, vitest_1.describe)('default patterns', () => {
+        (0, vitest_1.it)('strips API keys', () => {
+            const fakeKey = 'xk_test_' + 'a1b2c3d4e5f6g7h8i9j0k1l2';
+            const result = sanitizer.sanitize(`My api_key=${fakeKey}`);
+            (0, vitest_1.expect)(result.clean).not.toContain(fakeKey);
+            (0, vitest_1.expect)(result.stripped.length).toBeGreaterThan(0);
+        });
+        (0, vitest_1.it)('strips AWS access keys', () => {
+            const result = sanitizer.sanitize('Key: AKIAIOSFODNN7EXAMPLE');
+            (0, vitest_1.expect)(result.clean).not.toContain('AKIAIOSFODNN7EXAMPLE');
+        });
+        (0, vitest_1.it)('strips private IPs', () => {
+            const result = sanitizer.sanitize('Server at 192.168.1.100');
+            (0, vitest_1.expect)(result.clean).not.toContain('192.168.1.100');
+            (0, vitest_1.expect)(result.clean).toContain('[REDACTED]');
+        });
+        (0, vitest_1.it)('strips email addresses', () => {
+            const result = sanitizer.sanitize('Contact me at user@company.com');
+            (0, vitest_1.expect)(result.clean).not.toContain('user@company.com');
+        });
+        (0, vitest_1.it)('strips database URLs', () => {
+            const result = sanitizer.sanitize('postgres://user:pass@localhost/db');
+            (0, vitest_1.expect)(result.clean).not.toContain('postgres://');
+        });
+        (0, vitest_1.it)('strips file paths with usernames', () => {
+            const result = sanitizer.sanitize('File at /home/javier/project');
+            (0, vitest_1.expect)(result.clean).not.toContain('/home/javier');
+        });
+        (0, vitest_1.it)('strips JWT tokens', () => {
+            const result = sanitizer.sanitize('Token: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxfQ.abc123def456');
+            (0, vitest_1.expect)(result.clean).not.toContain('eyJhbGci');
+        });
+        (0, vitest_1.it)('strips GitHub tokens', () => {
+            const result = sanitizer.sanitize('ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijkl');
+            (0, vitest_1.expect)(result.clean).not.toContain('ghp_');
+        });
+    });
+    (0, vitest_1.describe)('safe content', () => {
+        (0, vitest_1.it)('leaves clean text untouched', () => {
+            const text = 'I built a feature using React and TypeScript today.';
+            const result = sanitizer.sanitize(text);
+            (0, vitest_1.expect)(result.clean).toBe(text);
+            (0, vitest_1.expect)(result.stripped).toHaveLength(0);
+        });
+        (0, vitest_1.it)('leaves public IPs alone', () => {
+            const result = sanitizer.sanitize('Server at 8.8.8.8');
+            (0, vitest_1.expect)(result.clean).toContain('8.8.8.8');
+        });
+    });
+    (0, vitest_1.describe)('blocked terms', () => {
+        (0, vitest_1.it)('strips configured blocked terms', () => {
+            const s = new sanitizer_js_1.Sanitizer({ blockedTerms: ['Acme Corp'] });
+            const result = s.sanitize('Working on the Acme Corp project');
+            (0, vitest_1.expect)(result.clean).not.toContain('Acme Corp');
+        });
+        (0, vitest_1.it)('strips blocked names', () => {
+            const s = new sanitizer_js_1.Sanitizer({ blockedNames: ['John Doe'] });
+            const result = s.sanitize('Paired with John Doe on the fix');
+            (0, vitest_1.expect)(result.clean).not.toContain('John Doe');
+        });
+    });
+    (0, vitest_1.describe)('blocked domains', () => {
+        (0, vitest_1.it)('strips blocked domain URLs', () => {
+            const s = new sanitizer_js_1.Sanitizer({ blockedDomains: ['internal.corp.com'] });
+            const result = s.sanitize('Check https://jira.internal.corp.com/browse/TICK-123');
+            (0, vitest_1.expect)(result.clean).not.toContain('internal.corp.com');
+            (0, vitest_1.expect)(result.clean).toContain('[REDACTED-URL]');
+        });
+    });
+    (0, vitest_1.describe)('check', () => {
+        (0, vitest_1.it)('returns safe for clean content', () => {
+            const result = sanitizer.check('Just a normal post about coding.');
+            (0, vitest_1.expect)(result.safe).toBe(true);
+            (0, vitest_1.expect)(result.issues).toHaveLength(0);
+        });
+        (0, vitest_1.it)('returns unsafe for sensitive content', () => {
+            const result = sanitizer.check('My api_key=super_secret_key_1234567890');
+            (0, vitest_1.expect)(result.safe).toBe(false);
+            (0, vitest_1.expect)(result.issues.length).toBeGreaterThan(0);
+        });
+    });
+});

package/dist/visibility.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Visibility mapping between MCP (user-facing) and DayBy API values.
+ *
+ * MCP uses "published"/"draft" (intuitive for users).
+ * DayBy API uses "publik"/"draft"/"hidden" (Rails enum).
+ */
+export declare function toApiVisibility(v: string): string;
+export declare function fromApiVisibility(v: string): string;

package/dist/visibility.js

@@ -0,0 +1,16 @@
+"use strict";
+/**
+ * Visibility mapping between MCP (user-facing) and DayBy API values.
+ *
+ * MCP uses "published"/"draft" (intuitive for users).
+ * DayBy API uses "publik"/"draft"/"hidden" (Rails enum).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.toApiVisibility = toApiVisibility;
+exports.fromApiVisibility = fromApiVisibility;
+function toApiVisibility(v) {
+    return v === 'published' ? 'publik' : v;
+}
+function fromApiVisibility(v) {
+    return v === 'publik' ? 'published' : v;
+}

package/dist/visibility.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/visibility.test.js

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const visibility_js_1 = require("./visibility.js");
+(0, vitest_1.describe)('Visibility mapping', () => {
+    (0, vitest_1.describe)('toApiVisibility', () => {
+        (0, vitest_1.it)('maps "published" to "publik"', () => {
+            (0, vitest_1.expect)((0, visibility_js_1.toApiVisibility)('published')).toBe('publik');
+        });
+        (0, vitest_1.it)('passes "draft" through unchanged', () => {
+            (0, vitest_1.expect)((0, visibility_js_1.toApiVisibility)('draft')).toBe('draft');
+        });
+        (0, vitest_1.it)('passes "hidden" through unchanged', () => {
+            (0, vitest_1.expect)((0, visibility_js_1.toApiVisibility)('hidden')).toBe('hidden');
+        });
+    });
+    (0, vitest_1.describe)('fromApiVisibility', () => {
+        (0, vitest_1.it)('maps "publik" to "published"', () => {
+            (0, vitest_1.expect)((0, visibility_js_1.fromApiVisibility)('publik')).toBe('published');
+        });
+        (0, vitest_1.it)('passes "draft" through unchanged', () => {
+            (0, vitest_1.expect)((0, visibility_js_1.fromApiVisibility)('draft')).toBe('draft');
+        });
+        (0, vitest_1.it)('passes "hidden" through unchanged', () => {
+            (0, vitest_1.expect)((0, visibility_js_1.fromApiVisibility)('hidden')).toBe('hidden');
+        });
+    });
+    (0, vitest_1.describe)('round-trip', () => {
+        (0, vitest_1.it)('published -> publik -> published', () => {
+            (0, vitest_1.expect)((0, visibility_js_1.fromApiVisibility)((0, visibility_js_1.toApiVisibility)('published'))).toBe('published');
+        });
+        (0, vitest_1.it)('draft -> draft -> draft', () => {
+            (0, vitest_1.expect)((0, visibility_js_1.fromApiVisibility)((0, visibility_js_1.toApiVisibility)('draft'))).toBe('draft');
+        });
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dayby/mcp-server",
-  "version": "0.2.0",
+  "version": "0.3.2",
   "description": "DayBy MCP Server — Post your dev progress from Claude, Cursor, or any MCP client. Local sanitization built in.",
   "main": "dist/index.js",
   "bin": {
@@ -13,15 +13,25 @@
   "scripts": {
     "build": "tsc",
     "dev": "tsc --watch",
-    "start": "node dist/index.js"
+    "start": "node dist/index.js",
+    "test": "vitest run",
+    "test:watch": "vitest"
   },
-  "keywords": ["mcp", "dayby", "developer", "journal", "claude"],
+  "keywords": [
+    "mcp",
+    "dayby",
+    "developer",
+    "journal",
+    "claude"
+  ],
   "license": "MIT",
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.0.0"
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "zod": "^3.22.0"
   },
   "devDependencies": {
+    "@types/node": "^20.0.0",
     "typescript": "^5.3.0",
-    "@types/node": "^20.0.0"
+    "vitest": "^4.1.5"
   }
 }