@enfyra/mcp-server 0.0.104 → 0.0.105

package/README.md

@@ -169,6 +169,7 @@ For normal apps and demos, enter the app/admin URL such as `http://localhost:300
 Use `get_enfyra_examples` from the MCP tool list when asking an LLM to generate implementation patterns. It returns focused examples for:
 
 - SSR app auth and proxy setup
+- OAuth provider setup
 - schema, columns, relations, indexes, and validation
 - query filters, sorting, fields, deep relations, and aggregates
 - handlers, hooks, permissions, and RLS

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@enfyra/mcp-server",
-  "version": "0.0.104",
+  "version": "0.0.105",
   "description": "MCP server for Enfyra - manage Enfyra instances from MCP-compatible coding tools",
   "type": "module",
   "license": "MIT",

package/src/lib/mcp-examples.js

@@ -457,6 +457,84 @@ window.location.href = url.toString()`,
       },
     ],
   },
+  'oauth-setup': {
+    title: 'OAuth provider setup',
+    useWhen: 'Use when configuring Google or another OAuth provider for an Enfyra-backed app.',
+    examples: [
+      {
+        name: 'Google OAuth setup workflow',
+        code: `// 1. Ask for the public app/admin URL, not the API URL.
+// Example input from the user:
+const appUrl = "https://demo.enfyra.io"
+
+// 2. Derive the Enfyra API base and provider callback.
+const apiBase = appUrl.replace(/\\/$/, "") + "/api"
+const googleCallbackUrl = apiBase + "/auth/google/callback"
+
+// 3. Tell the user to paste this exact value into Google Cloud Console:
+// APIs & Services -> Credentials -> OAuth 2.0 Client -> Authorized redirect URIs
+// https://demo.enfyra.io/api/auth/google/callback
+
+// 4. After the user provides Google client id/secret, save Enfyra config:
+create_record({
+  tableName: "enfyra_oauth_config",
+  body: JSON.stringify({
+    provider: "google",
+    clientId: "<google-client-id>",
+    clientSecret: "<google-client-secret>",
+    redirectUri: googleCallbackUrl,
+    isEnabled: true
+  })
+})`,
+        notes: [
+          'Ask for the app/admin URL such as https://demo.enfyra.io; derive the API base by appending /api.',
+          'The provider callback is {appUrl}/api/auth/{provider}/callback and must exactly match the Authorized redirect URI in Google Cloud Console.',
+          'Do not ask the user to choose or type the callback URL manually once the app URL is known; compute it and show the exact value to paste.',
+          'The OAuth callback is the Enfyra provider callback, not the final app page.',
+          'When starting OAuth from a browser app, use the same-origin proxy route with redirect and cookieBridgePrefix as shown in ssr-app-auth examples.',
+        ],
+      },
+      {
+        name: 'Browser OAuth start URL after setup',
+        code: `const returnUrl = new URL("/dashboard", window.location.origin)
+const oauthUrl = new URL("/enfyra/auth/google", window.location.origin)
+oauthUrl.searchParams.set("redirect", returnUrl.toString())
+oauthUrl.searchParams.set("cookieBridgePrefix", "/enfyra")
+window.location.href = oauthUrl.toString()`,
+        notes: [
+          'This is the browser start URL through the app proxy; it is different from the Google Authorized redirect URI.',
+          'After Enfyra finishes the Google callback, it bridges cookies through /enfyra/auth/set-cookies and returns to the absolute redirect URL.',
+          'After return, call /enfyra/me to load the user.',
+        ],
+      },
+      {
+        name: 'Update an existing Google OAuth config',
+        code: `const existing = await query_table({
+  tableName: "enfyra_oauth_config",
+  filter: JSON.stringify({ provider: { _eq: "google" } }),
+  fields: ["id", "provider", "redirectUri", "isEnabled"],
+  limit: 1
+})
+
+// If a row exists, update it instead of creating a duplicate.
+update_record({
+  tableName: "enfyra_oauth_config",
+  id: "<existing-config-id>",
+  body: JSON.stringify({
+    clientId: "<google-client-id>",
+    clientSecret: "<google-client-secret>",
+    redirectUri: "https://demo.enfyra.io/api/auth/google/callback",
+    isEnabled: true
+  })
+})`,
+        notes: [
+          'Inspect first so setup is idempotent.',
+          'Use the current system table name enfyra_oauth_config.',
+          'Never expose the client secret back in app code or documentation.',
+        ],
+      },
+    ],
+  },
   'schema-relations': {
     title: 'Tables, columns, relations, cascade, and indexes',
     useWhen: 'Use when creating or changing persisted data models.',

package/src/lib/mcp-instructions.js

@@ -51,7 +51,7 @@ export function buildMcpServerInstructions(apiBaseUrl) {
     '',
     '### App Connection Defaults',
     '- Generated Nuxt/Next/SSR apps should use a same-origin proxy such as `/enfyra/**` to the Enfyra API. Browser code calls `/enfyra/login`, `/enfyra/me`, `/enfyra/logout`, and `/enfyra/<table>`; it should not store JWTs.',
-    '- OAuth starts through the same proxy prefix with `redirect=<absoluteReturnUrl>` and `cookieBridgePrefix=/enfyra`. OAuth setup details live in `get_enfyra_examples({ category: "ssr-app-auth" })`.',
+    '- OAuth starts through the same proxy prefix with `redirect=<absoluteReturnUrl>` and `cookieBridgePrefix=/enfyra`. Provider setup details live in `get_enfyra_examples({ category: "oauth-setup" })`.',
     '- Socket.IO browser clients connect to the gateway namespace, e.g. `io("/chat", { path: "/socket.io", withCredentials: true })`, while the app proxies `/socket.io/**` to Enfyra `/ws/socket.io/**`.',
     '',
     '### Dynamic Script Surface',