@entergram/mcp 0.1.4 → 0.1.6

package/README.md

@@ -75,7 +75,7 @@ args = ["serve"]
 [mcp_servers.entergram.env]
 ENTERGRAM_MCP_ENV = "production"
 ENTERGRAM_MCP_CLIENT_ID = "entergram-ws-your-client-id"
-ENTERGRAM_MCP_SCOPE = "workspace.read members.read accounts.read contacts.read chats.read messages.read messages.write custom_fields.read custom_fields.write tickets.read offline_access"
+ENTERGRAM_MCP_SCOPE = "workspace.read members.read accounts.read contacts.read chats.read chats.write messages.read messages.write custom_fields.read custom_fields.write tickets.read tickets.write offline_access"
 ```
 
 ## Defaults
@@ -102,6 +102,13 @@ Use a workspace client if you need broader scopes such as:
 - `custom_fields.read`
 - `custom_fields.write`
 
+When `ENTERGRAM_MCP_CLIENT_ID` starts with `entergram-personal-`, the CLI uses a safer personal default scope that includes:
+
+- `chat_custom_fields.read`
+- `chat_custom_fields.write`
+
+and excludes workspace-admin scopes such as `members.read` and `custom_fields.write`.
+
 If the consent screen does not show the scopes you expect, update that OAuth client's `allowedScopes` in Entergram first, then run login again.
 
 ## Troubleshooting

package/dist/cli/config.js

@@ -1,6 +1,6 @@
 import os from "node:os";
 import path from "node:path";
-import { DEFAULT_CALLBACK_HOST, DEFAULT_CALLBACK_PATH, DEFAULT_CALLBACK_PORT, DEFAULT_CONFIG_DIRECTORY_NAME, DEFAULT_SCOPE, } from "./constants.js";
+import { DEFAULT_CALLBACK_HOST, DEFAULT_CALLBACK_PATH, DEFAULT_CALLBACK_PORT, DEFAULT_CONFIG_DIRECTORY_NAME, DEFAULT_PERSONAL_SCOPE, DEFAULT_WORKSPACE_SCOPE, } from "./constants.js";
 const ENVIRONMENT_PRESETS = {
     dev: {
         clientId: "entergram-dev-mcp-client",
@@ -40,6 +40,12 @@ function parsePositiveInteger(value, fallback) {
 function sanitizeFileSegment(value) {
     return value.replace(/[^a-zA-Z0-9._-]+/g, "-");
 }
+function defaultScopeForClientId(clientId) {
+    if (clientId.startsWith("entergram-personal-")) {
+        return DEFAULT_PERSONAL_SCOPE;
+    }
+    return DEFAULT_WORKSPACE_SCOPE;
+}
 export function resolveCliRuntimeConfig(flags) {
     const environment = getEnvironmentName(flags);
     const preset = ENVIRONMENT_PRESETS[environment];
@@ -52,9 +58,10 @@ export function resolveCliRuntimeConfig(flags) {
     const oauthIssuerUrl = getStringFlag(flags, "oauth-issuer-url") ||
         process.env.ENTERGRAM_MCP_OAUTH_ISSUER_URL?.trim() ||
         preset.oauthIssuerUrl;
+    const defaultScope = defaultScopeForClientId(clientId);
     const scope = getStringFlag(flags, "scope") ||
         process.env.ENTERGRAM_MCP_SCOPE?.trim() ||
-        DEFAULT_SCOPE;
+        defaultScope;
     const callbackPort = parsePositiveInteger(getStringFlag(flags, "callback-port") ||
         process.env.ENTERGRAM_MCP_CALLBACK_PORT?.trim(), DEFAULT_CALLBACK_PORT);
     const configDir = getStringFlag(flags, "config-dir") ||

package/dist/cli/constants.js

@@ -1,5 +1,6 @@
 export const CLI_VERSION = "0.1.0";
-export const DEFAULT_SCOPE = "workspace.read members.read accounts.read contacts.read chats.read messages.read messages.write custom_fields.read custom_fields.write tickets.read offline_access";
+export const DEFAULT_WORKSPACE_SCOPE = "workspace.read members.read accounts.read contacts.read chats.read chats.write messages.read messages.write custom_fields.read custom_fields.write tickets.read tickets.write offline_access";
+export const DEFAULT_PERSONAL_SCOPE = "workspace.read accounts.read contacts.read chats.read chat_custom_fields.read chat_custom_fields.write messages.read tickets.read tickets.write offline_access";
 export const DEFAULT_CALLBACK_HOST = "127.0.0.1";
 export const DEFAULT_CALLBACK_PORT = 8787;
 export const DEFAULT_CALLBACK_PATH = "/oauth/callback";

package/dist/cli/remote-client.js

@@ -50,19 +50,12 @@ export class EntergramRemoteClient {
             if (!(error instanceof UnauthorizedError) || !options.interactive) {
                 throw error;
             }
-            await client.close().catch(() => undefined);
-            ({ client, transport } = createPair());
             const callbackPromise = waitForOAuthCallback(this.config.callbackUrl, 5 * 60 * 1000, () => this.authProvider.expectedState());
-            try {
-                await client.connect(transport);
-            }
-            catch (interactiveError) {
-                if (!(interactiveError instanceof UnauthorizedError)) {
-                    throw interactiveError;
-                }
-            }
             const code = await callbackPromise;
             await transport.finishAuth(code);
+            await client.close().catch(() => undefined);
+            await transport.close().catch(() => undefined);
+            ({ client, transport } = createPair());
             await client.connect(transport);
         }
         this.client = client;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@entergram/mcp",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "private": false,
   "description": "Official Entergram MCP CLI for local MCP hosts with OAuth login, stdio bridging, and host config helpers.",
   "type": "module",
@@ -37,7 +37,10 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "1.29.0",
-    "jose": "^6.1.0"
+    "dotenv": "^17.4.2",
+    "fastify": "^5.8.5",
+    "jose": "^6.1.0",
+    "zod": "^4.3.6"
   },
   "devDependencies": {
     "@types/node": "^24.6.0",