npm - @integrity-labs/agt-cli - Versions diffs - 0.28.156 → 0.28.157 - Mend

@integrity-labs/agt-cli 0.28.156 → 0.28.157

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/dist/{chunk-AYN7K3DY.js → chunk-E6ABR63O.js} RENAMED Viewed

@@ -3,7 +3,7 @@ import {
   formatMissingVar,
   isClaudeFastMode,
   probeMcpEnvSubstitution
-} from "./chunk-SKANUWSB.js";
+} from "./chunk-TLX6ORJ5.js";
 import {
   reapOrphanChannelMcps
 } from "./chunk-XWVM4KPK.js";
@@ -1588,4 +1588,4 @@ export {
   stopAllSessionsAndWait,
   getProjectDir
 };
-//# sourceMappingURL=chunk-AYN7K3DY.js.map
+//# sourceMappingURL=chunk-E6ABR63O.js.map

package/dist/{chunk-SKANUWSB.js → chunk-TLX6ORJ5.js} RENAMED Viewed

@@ -4306,6 +4306,40 @@ var OAUTH_PROVIDERS = {
     publicClient: true,
     mcpUrl: "https://ext-api.app.brandninja.ai/v1/mcp"
   },
+  "kajabi": {
+    // Kajabi MCP — remote streamable-HTTP at https://mcp.kajabi.com/mcp.
+    // Same Granola/Brand-Ninja shape: OAuth 2.0 authorization-code with
+    // mandatory PKCE (S256) and a public client (token_endpoint_auth_method
+    // 'none') issued via Dynamic Client Registration (RFC 7591). Values below
+    // are taken verbatim from Kajabi's RFC 8414 metadata at
+    // https://mcp.kajabi.com/.well-known/oauth-authorization-server (a Rails
+    // Doorkeeper AS), not inferred. NOTE the authorize host differs from the
+    // token host: authorize is on app.kajabi.com (the login surface), while
+    // token/register/revoke are on mcp.kajabi.com — do NOT "normalise" them to
+    // one host. The bootstrap script (packages/api/scripts/dcr-register.ts)
+    // registers a client once at deploy time against
+    // https://mcp.kajabi.com/mcp/oauth/register; OAUTH_KAJABI_CLIENT_ID is set
+    // from its output. Doorkeeper RESTRICTS a dynamic client to the scopes it
+    // registered with, so register with the union of defaultScopes below
+    // (--scope 'read write:contacts write:emails'). The AS advertises the
+    // refresh_token grant (no openid/offline_access scope needed), so the
+    // shared oauth-refresh cron rotates the bearer without operator action.
+    definitionId: "kajabi",
+    authorizeUrl: "https://app.kajabi.com/mcp/oauth/authorize",
+    tokenUrl: "https://mcp.kajabi.com/mcp/oauth/token",
+    revokeUrl: "https://mcp.kajabi.com/mcp/oauth/revoke",
+    // Coarse Doorkeeper scopes (NOT openid-style). Least-privilege v1: cross-
+    // domain reads (`read`) plus the two write surfaces this integration ships
+    // (contact tags/segments, email broadcasts/sequences). Widen here (and
+    // re-register the DCR client) when adding commerce/content/publish scopes.
+    defaultScopes: ["read", "write:contacts", "write:emails"],
+    supportsRefresh: true,
+    extraAuthorizeParams: {},
+    clientAuthMethod: "body",
+    pkce: "S256",
+    publicClient: true,
+    mcpUrl: "https://mcp.kajabi.com/mcp"
+  },
   "notion-cli": {
     // Notion's public OAuth app. Tokens are workspace-scoped and long-lived —
     // Notion does not issue refresh_tokens, so `supportsRefresh: false` and
@@ -6356,4 +6390,4 @@ export {
   parseEnvIntegrations,
   probeMcpEnvSubstitution
 };
-//# sourceMappingURL=chunk-SKANUWSB.js.map
+//# sourceMappingURL=chunk-TLX6ORJ5.js.map