@infrawise/mcp-server 0.1.0 → 0.1.1

package/README.md

@@ -13,27 +13,30 @@ Tools exposed to Claude Code:
 
 All tools support optional `subscription_filter` (subscription UUID).
 
-## 5-minute setup
+## 2-step quickstart
 
 ```bash
-# 1) Authenticate once with Azure AD device code flow
-npx @infrawise/mcp-server auth
-```
+# 1) Authenticate + register + validate in one command
+npx @infrawise/mcp-server setup
 
-Add this to `~/.claude/settings.json`:
-
-```json
-{
-  "mcpServers": {
-    "infrawise": {
-      "command": "npx",
-      "args": ["@infrawise/mcp-server"]
-    }
-  }
-}
+# 2) Restart Claude Code
 ```
 
-Restart Claude Code.
+> **Note:** Use `claude mcp add` — do not manually add `mcpServers` to `~/.claude/settings.json`, that key is not valid there.
+
+## Helpful commands
+
+```bash
+# Authenticate only (supports --tenant)
+npx @infrawise/mcp-server auth
+npx @infrawise/mcp-server auth --tenant <tenantId>
+
+# Setup with explicit tenant
+npx @infrawise/mcp-server setup --tenant <tenantId>
+
+# Diagnose auth and onboarding readiness with fix steps
+npx @infrawise/mcp-server doctor
+```
 
 ## Local development
 
@@ -44,12 +47,26 @@ npm run build
 node dist/index.js auth
 ```
 
+## Deploying package updates (npm publish)
+
+```bash
+cd packages/claude-mcp
+npm publish --access public
+```
+
+Notes:
+
+- `prepublishOnly` automatically runs `npm run clean && npm run build`
+- If npm prompts for browser sign-in or passkey/2FA approval, complete that flow and rerun publish if needed
+- Verify deployment with: `npm view @infrawise/mcp-server version`
+
 ## Environment variables
 
 - `INFRAWISE_API_BASE` (default: `https://api.infrawiseai.com/api`)
 - `INFRAWISE_AZURE_CLIENT_ID` (default: Infrawise API app ID)
 - `INFRAWISE_AZURE_API_SCOPE` (default: `api://<clientId>/delegated_access`)
 - `INFRAWISE_AZURE_AUTHORITY` (default: `https://login.microsoftonline.com/common`)
+- `INFRAWISE_AZURE_TENANT_ID` (optional: your Azure AD tenant ID; when set, authority is built automatically)
 
 ## Security
 

package/dist/auth.d.ts

@@ -5,6 +5,21 @@ export interface AuthSettings {
     authority: string;
     clientId: string;
     scope: string;
+    tenantId?: string;
 }
-export declare function runDeviceCodeAuth(): Promise<void>;
-export declare function getAccessToken(): Promise<string>;
+export interface AuthCommandOptions {
+    tenantId?: string;
+}
+export interface TokenCacheDiagnostics {
+    credentialPath: string;
+    cacheExists: boolean;
+    cacheUpdatedAt?: string;
+    cacheAuthority?: string;
+    resolvedAuthority: string;
+    resolvedTenantId?: string;
+    clientId: string;
+    scope: string;
+}
+export declare function runDeviceCodeAuth(options?: AuthCommandOptions): Promise<void>;
+export declare function getTokenCacheDiagnostics(options?: AuthCommandOptions): Promise<TokenCacheDiagnostics>;
+export declare function getAccessToken(options?: AuthCommandOptions): Promise<string>;

package/dist/auth.js

@@ -3,23 +3,53 @@ import { promises as fs } from "node:fs";
 import os from "node:os";
 import path from "node:path";
 const DEFAULT_AUTHORITY = "https://login.microsoftonline.com/common";
+const ORGANIZATIONS_AUTHORITY = "https://login.microsoftonline.com/organizations";
+const MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";
+const DEVICE_CODE_AUTH_TIMEOUT_MS = 120_000;
 const DEFAULT_API_CLIENT_ID = "06dc6d06-11f1-4543-bb2c-9c91b263df56";
 const DEFAULT_SCOPE = `api://${DEFAULT_API_CLIENT_ID}/delegated_access`;
 const CREDENTIALS_DIR = ".infrawise";
 const CREDENTIALS_FILE = "mcp-credentials.json";
 export class NotAuthenticatedError extends Error {
-    constructor(message = "Not authenticated. Run: npx @infrawise/mcp-server auth") {
+    constructor(message = "Not authenticated with Azure AD. Run: npx @infrawise/mcp-server auth") {
         super(message);
         this.name = "NotAuthenticatedError";
     }
 }
-function getAuthSettings() {
-    const clientId = process.env.INFRAWISE_AZURE_CLIENT_ID ?? DEFAULT_API_CLIENT_ID;
-    const scope = process.env.INFRAWISE_AZURE_API_SCOPE ?? `api://${clientId}/delegated_access`;
+class AuthTimeoutError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "AuthTimeoutError";
+    }
+}
+function normalizeTenantId(raw) {
+    const tenantId = raw?.trim();
+    return tenantId ? tenantId : undefined;
+}
+function buildTenantAuthority(tenantId) {
+    return `https://login.microsoftonline.com/${tenantId}`;
+}
+function getConfiguredAuthority() {
+    const value = process.env.INFRAWISE_AZURE_AUTHORITY?.trim();
+    return value ? value : undefined;
+}
+function resolveTenantOverride(options) {
+    return normalizeTenantId(options?.tenantId) ?? normalizeTenantId(process.env.INFRAWISE_AZURE_TENANT_ID);
+}
+function getAuthSettings(payload, options, authorityOverride) {
+    const clientId = process.env.INFRAWISE_AZURE_CLIENT_ID ?? payload?.clientId ?? DEFAULT_API_CLIENT_ID;
+    const scope = process.env.INFRAWISE_AZURE_API_SCOPE ?? payload?.scope ?? `api://${clientId}/delegated_access`;
+    const tenantId = resolveTenantOverride(options);
+    const authority = authorityOverride ??
+        (tenantId ? buildTenantAuthority(tenantId) : undefined) ??
+        getConfiguredAuthority() ??
+        payload?.authority ??
+        DEFAULT_AUTHORITY;
     return {
-        authority: process.env.INFRAWISE_AZURE_AUTHORITY ?? DEFAULT_AUTHORITY,
+        authority,
         clientId,
         scope,
+        tenantId,
     };
 }
 function getCredentialFilePath() {
@@ -58,8 +88,8 @@ async function writeCachePayload(payload) {
         // Best-effort on Windows.
     }
 }
-async function createClientFromSettings(settings) {
-    const payload = await readCachePayload();
+async function createClientFromSettings(settings, existingPayload) {
+    const payload = existingPayload ?? (await readCachePayload());
     const client = new PublicClientApplication({
         auth: {
             clientId: settings.clientId,
@@ -92,9 +122,37 @@ async function persistClientCache(client, settings, account) {
         updatedAt: new Date().toISOString(),
     });
 }
-export async function runDeviceCodeAuth() {
-    const settings = getAuthSettings();
-    const { client } = await createClientFromSettings(settings);
+function toErrorMessage(error) {
+    return error instanceof Error ? error.message : String(error);
+}
+function getAuthorityAttempts(options) {
+    const tenantId = resolveTenantOverride(options);
+    if (tenantId) {
+        return [{ authority: buildTenantAuthority(tenantId), label: `tenant ${tenantId}` }];
+    }
+    const configuredAuthority = getConfiguredAuthority();
+    if (configuredAuthority) {
+        return [{ authority: configuredAuthority, label: "configured authority" }];
+    }
+    return [
+        { authority: DEFAULT_AUTHORITY, label: "common" },
+        { authority: ORGANIZATIONS_AUTHORITY, label: "organizations" },
+    ];
+}
+function readTenantIdFromResult(result) {
+    const claims = result.idTokenClaims;
+    return typeof claims?.tid === "string" ? claims.tid : undefined;
+}
+function assertTenantCompatibility(result, settings) {
+    const signedInTenantId = readTenantIdFromResult(result);
+    if (signedInTenantId?.toLowerCase() === MSA_TENANT_ID) {
+        throw new Error("Signed in with a personal Microsoft account. Sign in with your organization Azure account and run: npx @infrawise/mcp-server auth");
+    }
+    if (settings.tenantId && signedInTenantId && settings.tenantId.toLowerCase() !== signedInTenantId.toLowerCase()) {
+        throw new Error(`Account/tenant mismatch detected. You requested tenant ${settings.tenantId}, but authenticated into tenant ${signedInTenantId}. Re-run with the correct tenant: npx @infrawise/mcp-server auth --tenant <tenantId>`);
+    }
+}
+async function acquireTokenByDeviceCodeWithTimeout(client, settings) {
     const request = {
         scopes: [settings.scope, "openid", "profile"],
         deviceCodeCallback: (response) => {
@@ -103,16 +161,82 @@ export async function runDeviceCodeAuth() {
             console.error(`[Infrawise MCP] ${msg}`);
         },
     };
-    const result = await client.acquireTokenByDeviceCode(request);
-    if (!result || !result.account) {
-        throw new Error("Device Code authentication did not return an account.");
+    let timeout;
+    try {
+        const authPromise = client.acquireTokenByDeviceCode(request);
+        const timeoutPromise = new Promise((_, reject) => {
+            timeout = setTimeout(() => {
+                reject(new AuthTimeoutError("Authentication did not complete within 120 seconds. Complete sign-in quickly after the device code is shown, or rerun with a specific tenant: npx @infrawise/mcp-server auth --tenant <tenantId>"));
+            }, DEVICE_CODE_AUTH_TIMEOUT_MS);
+        });
+        const result = await Promise.race([authPromise, timeoutPromise]);
+        if (!result) {
+            throw new Error("Device Code authentication did not return a result.");
+        }
+        return result;
     }
-    await persistClientCache(client, settings, result.account);
-    console.error(`[Infrawise MCP] Authentication complete. Token cache saved to ${getCredentialFilePath()}`);
+    finally {
+        if (timeout) {
+            clearTimeout(timeout);
+        }
+    }
+}
+export async function runDeviceCodeAuth(options) {
+    const payload = await readCachePayload();
+    const attempts = getAuthorityAttempts(options);
+    const errors = [];
+    for (const attempt of attempts) {
+        const settings = getAuthSettings(payload, options, attempt.authority);
+        const { client } = await createClientFromSettings(settings, payload);
+        try {
+            if (attempts.length > 1) {
+                console.error(`[Infrawise MCP] Authenticating with ${attempt.label} authority...`);
+            }
+            const result = await acquireTokenByDeviceCodeWithTimeout(client, settings);
+            if (!result.account) {
+                throw new Error("Device Code authentication did not return an account.");
+            }
+            assertTenantCompatibility(result, settings);
+            await persistClientCache(client, settings, result.account);
+            console.error(`[Infrawise MCP] Authentication complete. Token cache saved to ${getCredentialFilePath()}`);
+            return;
+        }
+        catch (error) {
+            errors.push(`${attempt.label}: ${toErrorMessage(error)}`);
+        }
+    }
+    const tenantHint = !resolveTenantOverride(options) && !getConfiguredAuthority()
+        ? " Hint: retry with your tenant ID: npx @infrawise/mcp-server auth --tenant <tenantId>."
+        : "";
+    throw new Error(`Authentication failed after trying available authorities (${errors.join(" | ")}).${tenantHint}`);
+}
+export async function getTokenCacheDiagnostics(options) {
+    const payload = await readCachePayload();
+    const settings = getAuthSettings(payload, options);
+    const credentialPath = getCredentialFilePath();
+    let cacheExists = false;
+    try {
+        await fs.access(credentialPath);
+        cacheExists = true;
+    }
+    catch {
+        cacheExists = false;
+    }
+    return {
+        credentialPath,
+        cacheExists,
+        cacheUpdatedAt: payload?.updatedAt,
+        cacheAuthority: payload?.authority,
+        resolvedAuthority: settings.authority,
+        resolvedTenantId: settings.tenantId,
+        clientId: settings.clientId,
+        scope: settings.scope,
+    };
 }
-export async function getAccessToken() {
-    const settings = getAuthSettings();
-    const { client, payload } = await createClientFromSettings(settings);
+export async function getAccessToken(options) {
+    const payload = await readCachePayload();
+    const settings = getAuthSettings(payload, options);
+    const { client } = await createClientFromSettings(settings, payload);
     const account = await getPreferredAccount(client, payload?.homeAccountId);
     if (!account) {
         throw new NotAuthenticatedError();

package/dist/client.d.ts

@@ -1,7 +1,27 @@
+type OnboardingState = "ACTIVE" | "PENDING_DELEGATION" | "EXPIRED" | "SUSPENDED" | "UNKNOWN";
+export interface TenantReadinessEndpointResult {
+    ok: boolean;
+    status?: number;
+    code?: InfrawiseErrorCode;
+    message: string;
+}
+export interface TenantReadinessReport {
+    tenantValidation: TenantReadinessEndpointResult;
+    onboardingStatus: TenantReadinessEndpointResult & {
+        states?: OnboardingState[];
+    };
+}
 export type InfrawiseErrorCode = "NOT_AUTHENTICATED" | "NOT_ONBOARDED" | "PENDING_DELEGATION" | "UPSTREAM_ERROR";
+export interface InfrawiseRequestOptions {
+    accessToken?: string;
+    skipTenantCheck?: boolean;
+}
 export declare class InfrawiseClientError extends Error {
     code: InfrawiseErrorCode;
     status?: number;
     constructor(code: InfrawiseErrorCode, message: string, status?: number);
 }
-export declare function getInfrawiseData<T>(path: string): Promise<T>;
+export declare function ensureTenantReady(): Promise<string>;
+export declare function getTenantReadinessReport(token: string): Promise<TenantReadinessReport>;
+export declare function getInfrawiseData<T>(path: string, options?: InfrawiseRequestOptions): Promise<T>;
+export {};

package/dist/client.js

@@ -32,7 +32,7 @@ async function fetchJson(path, token) {
             signal: controller.signal,
         });
         if (response.status === 401 || response.status === 403) {
-            throw new InfrawiseClientError("NOT_AUTHENTICATED", "Token rejected by Infrawise API. Re-authenticate with: npx @infrawise/mcp-server auth", response.status);
+            throw new InfrawiseClientError("NOT_AUTHENTICATED", "Azure AD token rejected by Infrawise API. Re-authenticate with: npx @infrawise/mcp-server auth", response.status);
         }
         if (!response.ok) {
             const body = await response.text();
@@ -66,6 +66,20 @@ function normalizeOnboardingState(status) {
     }
     return "UNKNOWN";
 }
+function toEndpointResult(error, fallbackMessage) {
+    if (error instanceof InfrawiseClientError) {
+        return {
+            ok: false,
+            status: error.status,
+            code: error.code,
+            message: error.message,
+        };
+    }
+    return {
+        ok: false,
+        message: fallbackMessage,
+    };
+}
 async function assertTenantReady(token) {
     const tenantValidation = await fetchJson("/auth/validate-tenant", token);
     if (!tenantValidation.data?.authorized) {
@@ -85,10 +99,9 @@ async function assertTenantReady(token) {
     }
     throw new InfrawiseClientError("NOT_ONBOARDED", "No active Infrawise subscription found. Complete onboarding at https://infrawiseai.com/onboard");
 }
-export async function getInfrawiseData(path) {
-    let token;
+async function resolveAccessToken() {
     try {
-        token = await getAccessToken();
+        return await getAccessToken();
     }
     catch (error) {
         if (error instanceof NotAuthenticatedError) {
@@ -96,7 +109,91 @@ export async function getInfrawiseData(path) {
         }
         throw error;
     }
+}
+export async function ensureTenantReady() {
+    const token = await resolveAccessToken();
     await assertTenantReady(token);
+    return token;
+}
+export async function getTenantReadinessReport(token) {
+    let tenantValidation;
+    try {
+        const validation = await fetchJson("/auth/validate-tenant", token);
+        if (validation.data?.authorized) {
+            tenantValidation = {
+                ok: true,
+                status: validation.status,
+                message: "Tenant is authorized.",
+            };
+        }
+        else {
+            tenantValidation = {
+                ok: false,
+                status: validation.status,
+                code: "NOT_ONBOARDED",
+                message: validation.data?.message ?? "Tenant is not authorized in Infrawise.",
+            };
+        }
+    }
+    catch (error) {
+        tenantValidation = toEndpointResult(error, "Unable to validate tenant authorization.");
+    }
+    let onboardingStatus;
+    try {
+        const onboarding = await fetchJson("/onboarding/status", token);
+        if (!Array.isArray(onboarding.data) || onboarding.data.length === 0) {
+            onboardingStatus = {
+                ok: true,
+                status: onboarding.status,
+                message: "No onboarding records found (legacy allowlisted tenant).",
+            };
+        }
+        else {
+            const states = onboarding.data.map((entry) => normalizeOnboardingState(entry.status));
+            if (states.includes("ACTIVE")) {
+                onboardingStatus = {
+                    ok: true,
+                    status: onboarding.status,
+                    states,
+                    message: "At least one onboarding record is ACTIVE.",
+                };
+            }
+            else if (states.includes("PENDING_DELEGATION")) {
+                onboardingStatus = {
+                    ok: false,
+                    status: onboarding.status,
+                    code: "PENDING_DELEGATION",
+                    states,
+                    message: "Onboarding is pending Lighthouse delegation.",
+                };
+            }
+            else {
+                onboardingStatus = {
+                    ok: false,
+                    status: onboarding.status,
+                    code: "NOT_ONBOARDED",
+                    states,
+                    message: "No ACTIVE onboarding records found.",
+                };
+            }
+        }
+    }
+    catch (error) {
+        onboardingStatus = {
+            ...toEndpointResult(error, "Unable to read onboarding status."),
+            states: undefined,
+        };
+    }
+    return {
+        tenantValidation,
+        onboardingStatus,
+    };
+}
+export async function getInfrawiseData(path, options = {}) {
+    const token = options.accessToken ?? (await resolveAccessToken());
+    if (!options.skipTenantCheck) {
+        await assertTenantReady(token);
+    }
     const response = await fetchJson(path, token);
     return response.data;
 }

package/dist/index.js

@@ -1,9 +1,10 @@
 #!/usr/bin/env node
+import { spawn } from "node:child_process";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
-import { runDeviceCodeAuth } from "./auth.js";
-import { InfrawiseClientError } from "./client.js";
+import { getAccessToken, getTokenCacheDiagnostics, runDeviceCodeAuth } from "./auth.js";
+import { getTenantReadinessReport, InfrawiseClientError } from "./client.js";
 import { getGeneralRecommendations } from "./tools/general-recommendations.js";
 import { getIdleResources } from "./tools/idle-resources.js";
 import { getSavingsSummary } from "./tools/summary.js";
@@ -47,15 +48,173 @@ function toToolError(error) {
         ],
     };
 }
-async function runAuthMode() {
+function parseCliOptions(argv) {
+    const firstArg = argv[2];
+    const mode = firstArg === "auth" || firstArg === "setup" || firstArg === "doctor" ? firstArg : "server";
+    const optionStart = mode === "server" ? 2 : 3;
+    let tenantId;
+    for (let i = optionStart; i < argv.length; i += 1) {
+        const arg = argv[i];
+        if (arg === "--tenant") {
+            const next = argv[i + 1];
+            if (!next || next.startsWith("--")) {
+                throw new Error("Missing value for --tenant. Usage: --tenant <tenantId>");
+            }
+            tenantId = next;
+            i += 1;
+            continue;
+        }
+        if (arg.startsWith("--tenant=")) {
+            tenantId = arg.slice("--tenant=".length);
+            continue;
+        }
+        throw new Error(`Unknown argument: ${arg}`);
+    }
+    return { mode, tenantId };
+}
+function commandWithTenant(base, tenantId) {
+    return tenantId ? `${base} --tenant ${tenantId}` : base;
+}
+function getClaudeCommand() {
+    return process.platform === "win32" ? "claude.cmd" : "claude";
+}
+async function runCommand(command, args) {
+    return new Promise((resolve, reject) => {
+        const child = spawn(command, args, {
+            stdio: ["ignore", "pipe", "pipe"],
+            windowsHide: true,
+        });
+        let stdout = "";
+        let stderr = "";
+        child.stdout.on("data", (chunk) => {
+            stdout += String(chunk);
+        });
+        child.stderr.on("data", (chunk) => {
+            stderr += String(chunk);
+        });
+        child.on("error", (error) => {
+            if (error.code === "ENOENT") {
+                reject(new Error("Claude Code CLI is not installed or not on PATH. Install Claude Code, then retry setup."));
+                return;
+            }
+            reject(error);
+        });
+        child.on("close", (code) => {
+            resolve({ code: code ?? 1, stdout, stderr });
+        });
+    });
+}
+function isInfrawiseRegistered(listOutput) {
+    return /\binfrawise\b/i.test(listOutput);
+}
+async function listMcpRegistrations() {
+    const result = await runCommand(getClaudeCommand(), ["mcp", "list"]);
+    if (result.code !== 0) {
+        throw new Error(`Failed to list MCP servers: ${result.stderr || result.stdout || "unknown error"}`);
+    }
+    return result.stdout;
+}
+async function addMcpRegistration() {
+    const args = ["mcp", "add", "infrawise", "--", "npx", "@infrawise/mcp-server"];
+    const result = await runCommand(getClaudeCommand(), args);
+    if (result.code !== 0) {
+        throw new Error(`Failed to add MCP server: ${result.stderr || result.stdout || "unknown error"}`);
+    }
+}
+async function runAuthMode(options) {
+    await runDeviceCodeAuth({ tenantId: options.tenantId });
+}
+async function runSetupMode(options) {
+    await runDeviceCodeAuth({ tenantId: options.tenantId });
+    const before = await listMcpRegistrations();
+    if (!isInfrawiseRegistered(before)) {
+        await addMcpRegistration();
+    }
+    const after = await listMcpRegistrations();
+    if (!isInfrawiseRegistered(after)) {
+        throw new Error("Setup could not verify the Infrawise MCP registration. Run: claude mcp add infrawise -- npx @infrawise/mcp-server");
+    }
+    console.error("[Infrawise MCP] READY: Authenticated and registered with Claude Code. Restart Claude Code to load the server.");
+}
+function printCheck(ok, label, detail) {
+    const status = ok ? "PASS" : "FAIL";
+    console.error(`[Infrawise MCP Doctor] ${status} - ${label}: ${detail}`);
+}
+function addFix(fixes, fix) {
+    if (!fixes.includes(fix)) {
+        fixes.push(fix);
+    }
+}
+async function runDoctorMode(options) {
+    const cache = await getTokenCacheDiagnostics({ tenantId: options.tenantId });
+    const fixes = [];
+    const authCommand = commandWithTenant("npx @infrawise/mcp-server auth", options.tenantId);
+    printCheck(cache.cacheExists, "Token cache", cache.cacheExists ? `Found at ${cache.credentialPath}` : `Missing at ${cache.credentialPath}`);
+    if (!cache.cacheExists) {
+        addFix(fixes, `Authenticate: ${authCommand}`);
+    }
+    const authorityMatchesCache = !cache.cacheAuthority || cache.cacheAuthority === cache.resolvedAuthority;
+    printCheck(authorityMatchesCache, "Authority", `Resolved=${cache.resolvedAuthority}${cache.cacheAuthority ? `, cached=${cache.cacheAuthority}` : ""}`);
+    if (!authorityMatchesCache) {
+        addFix(fixes, `Re-authenticate to refresh authority metadata: ${authCommand}`);
+    }
+    let token;
     try {
-        await runDeviceCodeAuth();
+        token = await getAccessToken({ tenantId: options.tenantId });
+        printCheck(true, "Silent token acquisition", "Access token acquired successfully.");
     }
     catch (error) {
         const message = error instanceof Error ? error.message : String(error);
-        console.error(`[Infrawise MCP] Authentication failed: ${message}`);
+        printCheck(false, "Silent token acquisition", message);
+        addFix(fixes, `Re-authenticate: ${authCommand}`);
+    }
+    if (!token) {
+        console.error("[Infrawise MCP Doctor] Not ready.");
+        if (fixes.length > 0) {
+            console.error("[Infrawise MCP Doctor] Fix steps:");
+            fixes.forEach((fix, index) => {
+                console.error(`${index + 1}. ${fix}`);
+            });
+        }
         process.exitCode = 1;
+        return;
+    }
+    const readiness = await getTenantReadinessReport(token);
+    printCheck(readiness.tenantValidation.ok, "Tenant validation (/auth/validate-tenant)", readiness.tenantValidation.message);
+    if (!readiness.tenantValidation.ok) {
+        if (readiness.tenantValidation.code === "NOT_AUTHENTICATED") {
+            addFix(fixes, `Re-authenticate: ${authCommand}`);
+        }
+        else {
+            addFix(fixes, "Complete onboarding: https://infrawiseai.com/onboard");
+        }
+    }
+    const onboardingDetail = readiness.onboardingStatus.states?.length
+        ? `${readiness.onboardingStatus.message} States=${readiness.onboardingStatus.states.join(",")}`
+        : readiness.onboardingStatus.message;
+    printCheck(readiness.onboardingStatus.ok, "Onboarding status (/onboarding/status)", onboardingDetail);
+    if (!readiness.onboardingStatus.ok) {
+        if (readiness.onboardingStatus.code === "PENDING_DELEGATION") {
+            addFix(fixes, "Finish Lighthouse delegation in onboarding: https://infrawiseai.com/onboard");
+        }
+        else if (readiness.onboardingStatus.code === "NOT_AUTHENTICATED") {
+            addFix(fixes, `Re-authenticate: ${authCommand}`);
+        }
+        else {
+            addFix(fixes, "Ensure at least one ACTIVE Infrawise onboarding record: https://infrawiseai.com/onboard");
+        }
+    }
+    const ready = fixes.length === 0;
+    if (ready) {
+        console.error("[Infrawise MCP Doctor] READY: All checks passed.");
+        return;
     }
+    console.error("[Infrawise MCP Doctor] Not ready.");
+    console.error("[Infrawise MCP Doctor] Fix steps:");
+    fixes.forEach((fix, index) => {
+        console.error(`${index + 1}. ${fix}`);
+    });
+    process.exitCode = 1;
 }
 async function runServerMode() {
     const server = new McpServer({
@@ -109,11 +268,26 @@ async function runServerMode() {
     await server.connect(transport);
 }
 async function main() {
-    const mode = process.argv[2];
-    if (mode === "auth") {
-        await runAuthMode();
-        return;
+    try {
+        const options = parseCliOptions(process.argv);
+        if (options.mode === "auth") {
+            await runAuthMode(options);
+            return;
+        }
+        if (options.mode === "setup") {
+            await runSetupMode(options);
+            return;
+        }
+        if (options.mode === "doctor") {
+            await runDoctorMode(options);
+            return;
+        }
+        await runServerMode();
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(`[Infrawise MCP] ${message}`);
+        process.exitCode = 1;
     }
-    await runServerMode();
 }
 await main();

package/dist/tools/general-recommendations.d.ts

@@ -1,2 +1,7 @@
 import { type GeneralRecommendation } from "./types.js";
-export declare function getGeneralRecommendations(subscriptionFilter?: string): Promise<GeneralRecommendation[]>;
+interface ToolRequestOptions {
+    accessToken?: string;
+    skipTenantCheck?: boolean;
+}
+export declare function getGeneralRecommendations(subscriptionFilter?: string, options?: ToolRequestOptions): Promise<GeneralRecommendation[]>;
+export {};

package/dist/tools/general-recommendations.js

@@ -1,7 +1,7 @@
 import { getInfrawiseData } from "../client.js";
 import { filterBySubscription } from "./types.js";
-export async function getGeneralRecommendations(subscriptionFilter) {
-    const data = await getInfrawiseData("/general-recommendations");
+export async function getGeneralRecommendations(subscriptionFilter, options = {}) {
+    const data = await getInfrawiseData("/general-recommendations", options);
     const rows = Array.isArray(data) ? data : [];
     return filterBySubscription(rows, subscriptionFilter);
 }

package/dist/tools/idle-resources.d.ts

@@ -1,2 +1,7 @@
 import { type IdleResource } from "./types.js";
-export declare function getIdleResources(subscriptionFilter?: string): Promise<IdleResource[]>;
+interface ToolRequestOptions {
+    accessToken?: string;
+    skipTenantCheck?: boolean;
+}
+export declare function getIdleResources(subscriptionFilter?: string, options?: ToolRequestOptions): Promise<IdleResource[]>;
+export {};

package/dist/tools/idle-resources.js

@@ -1,7 +1,7 @@
 import { getInfrawiseData } from "../client.js";
 import { filterBySubscription } from "./types.js";
-export async function getIdleResources(subscriptionFilter) {
-    const data = await getInfrawiseData("/idle-resources");
+export async function getIdleResources(subscriptionFilter, options = {}) {
+    const data = await getInfrawiseData("/idle-resources", options);
     const rows = Array.isArray(data) ? data : [];
     return filterBySubscription(rows, subscriptionFilter);
 }

package/dist/tools/sku-optimizations.d.ts

@@ -1,2 +1,7 @@
 import { type SkuOptimization } from "./types.js";
-export declare function getSkuOptimizations(subscriptionFilter?: string): Promise<SkuOptimization[]>;
+interface ToolRequestOptions {
+    accessToken?: string;
+    skipTenantCheck?: boolean;
+}
+export declare function getSkuOptimizations(subscriptionFilter?: string, options?: ToolRequestOptions): Promise<SkuOptimization[]>;
+export {};

package/dist/tools/sku-optimizations.js

@@ -1,7 +1,7 @@
 import { getInfrawiseData } from "../client.js";
 import { filterBySubscription } from "./types.js";
-export async function getSkuOptimizations(subscriptionFilter) {
-    const data = await getInfrawiseData("/sku-optimizations");
+export async function getSkuOptimizations(subscriptionFilter, options = {}) {
+    const data = await getInfrawiseData("/sku-optimizations", options);
     const rows = Array.isArray(data) ? data : [];
     return filterBySubscription(rows, subscriptionFilter);
 }

package/dist/tools/summary.js

@@ -1,3 +1,4 @@
+import { ensureTenantReady } from "../client.js";
 import { getGeneralRecommendations } from "./general-recommendations.js";
 import { getIdleResources } from "./idle-resources.js";
 import { getSkuOptimizations } from "./sku-optimizations.js";
@@ -6,10 +7,11 @@ function roundCurrency(value) {
     return Math.round(value * 100) / 100;
 }
 export async function getSavingsSummary(subscriptionFilter) {
+    const accessToken = await ensureTenantReady();
     const [idleResources, skuOptimizations, generalRecommendations] = await Promise.all([
-        getIdleResources(subscriptionFilter),
-        getSkuOptimizations(subscriptionFilter),
-        getGeneralRecommendations(subscriptionFilter),
+        getIdleResources(subscriptionFilter, { accessToken, skipTenantCheck: true }),
+        getSkuOptimizations(subscriptionFilter, { accessToken, skipTenantCheck: true }),
+        getGeneralRecommendations(subscriptionFilter, { accessToken, skipTenantCheck: true }),
     ]);
     const idleMonthly = idleResources.reduce((sum, item) => sum + toNumber(item.monthlyCost), 0);
     const idleAnnual = idleResources.reduce((sum, item) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@infrawise/mcp-server",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Infrawise MCP server for Claude Code",
   "type": "module",
   "main": "dist/index.js",
@@ -14,7 +14,7 @@
   ],
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/admonitor-inc/infrawise.git",
+    "url": "git+https://github.com/Infrawise/infrawise.git",
     "directory": "packages/claude-mcp"
   },
   "scripts": {