@kadoa/mcp 0.3.10-rc.1 → 0.3.10-rc.3

package/dist/index.js

@@ -49167,13 +49167,37 @@ function createKadoaClient(auth) {
   });
   return client;
 }
-var ctxRefreshMutex;
+var refreshRawMutex, ctxRefreshMutex;
 var init_client = __esm(() => {
   init_dist2();
+  refreshRawMutex = new Map;
   ctxRefreshMutex = new WeakMap;
 });
 
 // src/client.ts
+var exports_client = {};
+__export(exports_client, {
+  refreshSupabaseJwtRaw: () => refreshSupabaseJwtRaw,
+  refreshSupabaseJwt: () => refreshSupabaseJwt,
+  isJwtExpired: () => isJwtExpired,
+  getValidJwt: () => getValidJwt,
+  decodeJwtClaims: () => decodeJwtClaims,
+  createKadoaClient: () => createKadoaClient2,
+  SessionExpiredError: () => SessionExpiredError,
+  KadoaSdkException: () => KadoaSdkException,
+  KadoaClient: () => KadoaClient
+});
+function createKadoaClient2(auth) {
+  const client = new KadoaClient({ bearerToken: auth.jwt });
+  client.axiosInstance.interceptors.request.use((config2) => {
+    config2.headers["x-kadoa-source"] = "mcp";
+    if (auth.teamId) {
+      config2.headers["x-team-id"] = auth.teamId;
+    }
+    return config2;
+  });
+  return client;
+}
 function decodeJwtClaims(jwt2) {
   try {
     const payload = JSON.parse(Buffer.from(jwt2.split(".")[1], "base64url").toString());
@@ -49195,36 +49219,57 @@ function isJwtExpired(jwt2) {
     return true;
   }
 }
-async function refreshSupabaseJwt(ctx) {
-  if (!ctx.supabaseRefreshToken) {
-    console.error("[JWT_REFRESH] No refresh token available, cannot refresh");
-    return;
+async function refreshSupabaseJwtRaw(supabaseRefreshToken) {
+  const inflight = refreshRawMutex2.get(supabaseRefreshToken);
+  if (inflight) {
+    console.error(`[JWT_REFRESH] DEDUP: reusing in-flight raw refresh`);
+    return inflight;
   }
+  const promise3 = _doRefreshRaw(supabaseRefreshToken).finally(() => {
+    refreshRawMutex2.delete(supabaseRefreshToken);
+  });
+  refreshRawMutex2.set(supabaseRefreshToken, promise3);
+  return promise3;
+}
+async function _doRefreshRaw(supabaseRefreshToken) {
   const supabaseUrl = process.env.SUPABASE_URL;
   if (!supabaseUrl) {
     console.error("[JWT_REFRESH] SUPABASE_URL not set, cannot refresh");
+    return null;
+  }
+  const res = await fetch(`${supabaseUrl}/auth/v1/token?grant_type=refresh_token`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      apikey: process.env.SUPABASE_ANON_KEY
+    },
+    body: JSON.stringify({ refresh_token: supabaseRefreshToken })
+  });
+  if (res.ok) {
+    const data = await res.json();
+    return { jwt: data.access_token, refreshToken: data.refresh_token };
+  }
+  const body = await res.text().catch(() => "");
+  console.error(`[JWT_REFRESH] FAIL: Supabase returned ${res.status} (refreshToken=${supabaseRefreshToken.slice(0, 12)}...): ${body}`);
+  if (body.includes("session_expired") || body.includes("refresh_token_not_found") || body.includes("refresh_token_already_used")) {
+    throw new SessionExpiredError("Your Kadoa session has expired due to inactivity. Please reconnect to re-authenticate.");
+  }
+  return null;
+}
+async function refreshSupabaseJwt(ctx) {
+  if (!ctx.supabaseRefreshToken) {
+    console.error("[JWT_REFRESH] No refresh token available, cannot refresh");
     return;
   }
   try {
     const refreshToken = ctx.supabaseRefreshToken;
     console.error(`[JWT_REFRESH] Refreshing Supabase JWT (refreshToken=${refreshToken.slice(0, 12)}..., team=${ctx.teamId ?? "unknown"})`);
-    const res = await fetch(`${supabaseUrl}/auth/v1/token?grant_type=refresh_token`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        apikey: process.env.SUPABASE_ANON_KEY
-      },
-      body: JSON.stringify({ refresh_token: refreshToken })
-    });
-    if (!res.ok) {
-      const body = await res.text().catch(() => "");
-      console.error(`[JWT_REFRESH] FAIL: Supabase returned ${res.status} (refreshToken=${refreshToken.slice(0, 12)}...): ${body}`);
+    const result = await refreshSupabaseJwtRaw(refreshToken);
+    if (!result)
       return;
-    }
-    const data = await res.json();
-    ctx.supabaseJwt = data.access_token;
-    ctx.supabaseRefreshToken = data.refresh_token;
-    ctx.client.setBearerToken(data.access_token);
+    ctx.supabaseJwt = result.jwt;
+    ctx.supabaseRefreshToken = result.refreshToken;
+    ctx.client.setBearerToken(result.jwt);
     try {
       await ctx.persist?.({
         supabaseJwt: ctx.supabaseJwt,
@@ -49234,9 +49279,11 @@ async function refreshSupabaseJwt(ctx) {
     } catch (e) {
       console.error("[JWT_REFRESH] WARN: persist failed, tokens updated in-memory only:", e);
     }
-    console.error(`[JWT_REFRESH] OK: token refreshed (team=${ctx.teamId ?? "unknown"}, newRefreshToken=${data.refresh_token.slice(0, 12)}...)`);
-    return data.access_token;
+    console.error(`[JWT_REFRESH] OK: token refreshed (team=${ctx.teamId ?? "unknown"}, newRefreshToken=${result.refreshToken.slice(0, 12)}...)`);
+    return result.jwt;
   } catch (error48) {
+    if (error48 instanceof SessionExpiredError)
+      throw error48;
     console.error("[JWT_REFRESH] FAIL: threw", error48);
     return;
   }
@@ -49257,9 +49304,16 @@ async function getValidJwt(ctx) {
   ctxRefreshMutex2.set(ctx, promise3);
   return promise3;
 }
-var ctxRefreshMutex2;
+var SessionExpiredError, refreshRawMutex2, ctxRefreshMutex2;
 var init_client2 = __esm(() => {
   init_dist2();
+  SessionExpiredError = class SessionExpiredError extends Error {
+    constructor(message) {
+      super(message ?? "Supabase session expired. Please re-authenticate.");
+      this.name = "SessionExpiredError";
+    }
+  };
+  refreshRawMutex2 = new Map;
   ctxRefreshMutex2 = new WeakMap;
 });
 
@@ -49281,6 +49335,32 @@ function coerceArray(wrapPlainString = false) {
     return val;
   };
 }
+function coerceNumber() {
+  return (val) => typeof val === "string" ? Number(val) : val;
+}
+function coerceBoolean() {
+  return (val) => {
+    if (typeof val === "string") {
+      if (val === "true")
+        return true;
+      if (val === "false")
+        return false;
+    }
+    return val;
+  };
+}
+function coerceJson() {
+  return (val) => {
+    if (typeof val === "string") {
+      try {
+        const parsed = JSON.parse(val);
+        if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed))
+          return parsed;
+      } catch {}
+    }
+    return val;
+  };
+}
 function isRealTimeInterval(interval) {
   return interval?.toUpperCase().replace("-", "_") === "REAL_TIME";
 }
@@ -49380,6 +49460,10 @@ function registerTools(server, ctx) {
         }
         return await handler(...args);
       } catch (error48) {
+        if (error48 instanceof SessionExpiredError) {
+          console.error(`[Tool Error] ${name}: session expired, user must re-authenticate`);
+          return errorResult("Your session has expired. Please reconnect the MCP server to re-authenticate.");
+        }
         let message = classifyError(error48);
         if (KadoaHttpException.isInstance(error48) && error48.httpStatus === 403) {
           try {
@@ -49435,7 +49519,7 @@ function registerTools(server, ctx) {
     headers: exports_external.object({}).passthrough().optional().describe("Custom headers as key-value pairs (required for 'header' type)")
   }).optional().describe("Authentication configuration for the webhook endpoint");
   const notificationsInputShape = {
-    notifications: exports_external.object({
+    notifications: exports_external.preprocess(coerceJson(), exports_external.object({
       email: exports_external.object({
         recipients: exports_external.array(exports_external.string().email()).optional().describe("Email addresses to notify. Omit to use account default email.")
       }).optional().describe("Send email notifications. Pass {} for account default email, or {recipients: [...]} for custom addresses."),
@@ -49450,7 +49534,7 @@ function registerTools(server, ctx) {
         slackChannelName: exports_external.string().optional().describe("Slack channel name (e.g. #alerts)")
       }).optional().describe("Send notifications to a Slack channel. Use slackChannelId/slackChannelName for OAuth integration, or webhookUrl for legacy incoming webhooks."),
       websocket: exports_external.boolean().optional().describe("Enable WebSocket notifications for programmatic real-time consumption")
-    }).optional().describe("Notification channels to alert when data changes.")
+    }).optional().describe("Notification channels to alert when data changes."))
   };
   function resolveUrls(args) {
     const urls = args.urls ?? (args.url ? [args.url] : []);
@@ -49529,7 +49613,10 @@ function registerTools(server, ctx) {
     inputSchema: strictSchema({
       ...extractionInputShape,
       ...urlInputShape,
-      interval: exports_external.enum([
+      description: exports_external.string().max(500).optional().describe("Description of what this workflow does (max 500 characters)"),
+      tags: exports_external.preprocess(coerceArray(true), exports_external.array(exports_external.string())).optional().describe("Tags for organizing workflows"),
+      limit: exports_external.preprocess(coerceNumber(), exports_external.number()).optional().describe("Maximum number of records to extract per run. Useful for limiting scope or cost control."),
+      updateInterval: exports_external.enum([
         "ONLY_ONCE",
         "EVERY_10_MINUTES",
         "HALF_HOURLY",
@@ -49545,8 +49632,10 @@ function registerTools(server, ctx) {
         "BIWEEKLY",
         "TRIWEEKLY",
         "FOUR_WEEKS",
-        "MONTHLY"
-      ]).optional().describe("How often the workflow runs. Defaults to ONLY_ONCE."),
+        "MONTHLY",
+        "CUSTOM"
+      ]).optional().describe("How often the workflow runs. Defaults to ONLY_ONCE. Use CUSTOM with the 'schedules' field for cron-based scheduling."),
+      schedules: exports_external.preprocess(coerceArray(true), exports_external.array(exports_external.string())).optional().describe("Cron expressions for CUSTOM updateInterval (e.g. '0 8 * * 2' for Tuesdays at 8am UTC). Requires updateInterval='CUSTOM'."),
       ...notificationsInputShape
     }),
     annotations: { readOnlyHint: false, destructiveHint: false, idempotentHint: false }
@@ -49555,13 +49644,18 @@ function registerTools(server, ctx) {
     if (!urls) {
       return errorResult("At least one URL is required. Provide 'urls' (array) or 'url' (string).");
     }
+    if (args.updateInterval === "CUSTOM" && (!args.schedules || args.schedules.length === 0)) {
+      return errorResult("updateInterval='CUSTOM' requires at least one cron expression in the 'schedules' field (e.g. '0 8 * * 2' for Tuesdays at 8am UTC).");
+    }
     let builder = ctx.client.extract({
       urls,
       name: args.name || "Untitled Workflow",
       navigationMode: "agentic-navigation",
       userPrompt: args.prompt,
       extraction: buildExtraction(args),
-      interval: args.interval
+      interval: args.updateInterval,
+      description: args.description,
+      schedules: args.schedules
     });
     const n = args.notifications;
     const hasNotifications = n && (n.email || n.webhook || n.slack || n.websocket);
@@ -49572,6 +49666,15 @@ function registerTools(server, ctx) {
       });
     }
     const workflow = await builder.create();
+    const needsUpdate = args.limit !== undefined || args.tags && args.tags.length > 0;
+    if (needsUpdate) {
+      const updates = {};
+      if (args.limit !== undefined)
+        updates.limit = args.limit;
+      if (args.tags && args.tags.length > 0)
+        updates.tags = args.tags;
+      await ctx.client.workflow.update(workflow.workflowId, updates);
+    }
     const enabledChannels = await describeNotifications(n);
     let message = "Workflow created successfully. The AI agent will start extracting data automatically.";
     if (enabledChannels.length > 0) {
@@ -49592,6 +49695,8 @@ function registerTools(server, ctx) {
     inputSchema: strictSchema({
       ...extractionInputShape,
       ...urlInputShape,
+      description: exports_external.string().max(500).optional().describe("Description of what this monitor watches (max 500 characters)"),
+      tags: exports_external.preprocess(coerceArray(true), exports_external.array(exports_external.string())).optional().describe("Tags for organizing monitors"),
       ...notificationsInputShape
     }),
     annotations: { readOnlyHint: false, destructiveHint: false, idempotentHint: false }
@@ -49610,13 +49715,17 @@ function registerTools(server, ctx) {
       name: args.name || "Untitled Monitor",
       userPrompt: args.prompt,
       extraction: buildExtraction(args),
-      interval: "REAL_TIME"
+      interval: "REAL_TIME",
+      description: args.description
     });
     builder = builder.withNotifications({
       events: ["workflow_data_change"],
       channels: buildNotificationChannels(n)
     });
     const workflow = await builder.create();
+    if (args.tags && args.tags.length > 0) {
+      await ctx.client.workflow.update(workflow.workflowId, { tags: args.tags });
+    }
     const enabledChannels = await describeNotifications(n);
     let message = "Real-time monitor created successfully. It will continuously watch for changes — no manual runs needed.";
     if (enabledChannels.length > 0) {
@@ -49633,7 +49742,7 @@ function registerTools(server, ctx) {
   server.registerTool("list_workflows", {
     description: "List all workflows with their current status",
     inputSchema: {
-      limit: exports_external.number().optional().describe("Maximum number of workflows to return"),
+      limit: exports_external.preprocess(coerceNumber(), exports_external.number()).optional().describe("Maximum number of workflows to return"),
       state: exports_external.enum(["ACTIVE", "FAILED", "PAUSED", "PREVIEW"]).optional().describe("Filter by state (ACTIVE, FAILED, PAUSED, PREVIEW)")
     },
     annotations: { readOnlyHint: true, destructiveHint: false, idempotentHint: true }
@@ -49694,7 +49803,7 @@ function registerTools(server, ctx) {
     description: "Run a workflow to extract fresh data. The run is asynchronous and may take several minutes. Do NOT poll or sleep-wait for completion. Return the workflow ID to the user and let them check status with get_workflow or fetch results later with fetch_data.",
     inputSchema: {
       workflowId: exports_external.string().describe("The workflow ID to run"),
-      limit: exports_external.number().optional().describe("Maximum number of records to extract (default: 1000)")
+      limit: exports_external.preprocess(coerceNumber(), exports_external.number()).optional().describe("Maximum number of records to extract (default: 1000)")
     },
     annotations: { readOnlyHint: false, destructiveHint: false, idempotentHint: false }
   }, withErrorHandling("run_workflow", async (args) => {
@@ -49715,8 +49824,8 @@ function registerTools(server, ctx) {
     description: "Get extracted data from a workflow. Data is only available after the workflow run has completed (displayState is no longer RUNNING). Do NOT poll or sleep-wait for completion.",
     inputSchema: {
       workflowId: exports_external.string().describe("The workflow ID"),
-      limit: exports_external.number().optional().describe("Maximum number of records to return"),
-      page: exports_external.number().optional().describe("Page number for pagination")
+      limit: exports_external.preprocess(coerceNumber(), exports_external.number()).optional().describe("Maximum number of records to return"),
+      page: exports_external.preprocess(coerceNumber(), exports_external.number()).optional().describe("Page number for pagination")
     },
     annotations: { readOnlyHint: true, destructiveHint: false, idempotentHint: true }
   }, withErrorHandling("fetch_data", async (args) => {
@@ -49735,7 +49844,7 @@ function registerTools(server, ctx) {
     description: "Delete a workflow permanently. This is irreversible. " + "You MUST first call this tool without confirmed=true to preview what will be deleted, " + "then show the user the workflow name and ask for confirmation, " + "then call again with confirmed=true only after the user explicitly agrees.",
     inputSchema: {
       workflowId: exports_external.string().describe("The workflow ID to delete"),
-      confirmed: exports_external.boolean().optional().describe("Set to true only after the user has explicitly confirmed deletion. Omit or set to false for the initial preview call.")
+      confirmed: exports_external.preprocess(coerceBoolean(), exports_external.boolean()).optional().describe("Set to true only after the user has explicitly confirmed deletion. Omit or set to false for the initial preview call.")
     },
     annotations: { readOnlyHint: false, destructiveHint: true, idempotentHint: true }
   }, withErrorHandling("delete_workflow", async (args) => {
@@ -49785,7 +49894,7 @@ function registerTools(server, ctx) {
       urls: exports_external.preprocess(coerceArray(true), exports_external.array(exports_external.string()).min(1)).optional().describe("New target URLs for the workflow (array of strings). Also accepts a single URL string."),
       entity: exports_external.string().optional().describe("Entity name for extraction (e.g., 'Product', 'Job Posting')"),
       schema: exports_external.preprocess(coerceArray(), exports_external.array(exports_external.object(SchemaFieldShape))).optional().describe("New extraction schema fields"),
-      description: exports_external.string().optional().describe("Workflow description"),
+      description: exports_external.string().max(500).optional().describe("Workflow description (max 500 characters)"),
       tags: exports_external.preprocess(coerceArray(true), exports_external.array(exports_external.string())).optional().describe("Tags for organizing workflows"),
       userPrompt: exports_external.string().optional().describe("Navigation prompt for agentic-navigation mode (10-5000 characters)"),
       updateInterval: exports_external.enum([
@@ -49808,7 +49917,7 @@ function registerTools(server, ctx) {
         "CUSTOM"
       ]).optional().describe("How often the workflow should run. CUSTOM requires schedules. Note: REAL_TIME is NOT allowed here — real-time workflows must be created via create_workflow."),
       schedules: exports_external.preprocess(coerceArray(true), exports_external.array(exports_external.string())).optional().describe("Cron expressions for CUSTOM update interval"),
-      limit: exports_external.number().optional().describe("Maximum number of records to extract per run")
+      limit: exports_external.preprocess(coerceNumber(), exports_external.number()).optional().describe("Maximum number of records to extract per run")
     }),
     annotations: { readOnlyHint: false, destructiveHint: false, idempotentHint: true }
   }, withErrorHandling("update_workflow", async (args) => {
@@ -49824,6 +49933,9 @@ function registerTools(server, ctx) {
         return errorResult("Cannot change a real-time workflow's interval to a scheduled interval. " + "Real-time workflows are architecturally different and cannot be converted to regular workflows. " + "Delete this workflow and create a new one with the desired interval using create_workflow.");
       }
     }
+    if (updates.updateInterval === "CUSTOM" && (!updates.schedules || updates.schedules.length === 0)) {
+      return errorResult("updateInterval='CUSTOM' requires at least one cron expression in the 'schedules' field (e.g. '0 8 * * 2' for Tuesdays at 8am UTC).");
+    }
     const result = await ctx.client.workflow.update(workflowId, updates);
     return jsonResult({
       success: true,
@@ -49894,7 +50006,7 @@ function registerTools(server, ctx) {
     description: "Delete a notification channel by ID. " + "Call first without confirmed=true to preview, then with confirmed=true after user agrees.",
     inputSchema: {
       channelId: exports_external.string().describe("The channel ID to delete"),
-      confirmed: exports_external.boolean().optional().describe("Set to true only after the user has explicitly confirmed deletion.")
+      confirmed: exports_external.preprocess(coerceBoolean(), exports_external.boolean()).optional().describe("Set to true only after the user has explicitly confirmed deletion.")
     },
     annotations: { readOnlyHint: false, destructiveHint: true, idempotentHint: true }
   }, withErrorHandling("delete_notification_channel", async (args) => {
@@ -50032,7 +50144,7 @@ function registerTools(server, ctx) {
     description: "Delete a notification setting by ID. This removes the event-to-channel mapping but does not delete the channels themselves. " + "Call first without confirmed=true to preview, then with confirmed=true after user agrees.",
     inputSchema: {
       settingsId: exports_external.string().describe("The notification settings ID to delete"),
-      confirmed: exports_external.boolean().optional().describe("Set to true only after the user has explicitly confirmed deletion.")
+      confirmed: exports_external.preprocess(coerceBoolean(), exports_external.boolean()).optional().describe("Set to true only after the user has explicitly confirmed deletion.")
     },
     annotations: { readOnlyHint: false, destructiveHint: true, idempotentHint: true }
   }, withErrorHandling("delete_notification_setting", async (args) => {
@@ -50097,7 +50209,7 @@ function registerTools(server, ctx) {
     });
   }));
 }
-var SchemaFieldShape, DASHBOARD_BASE_URL = "https://app.kadoa.com";
+var SchemaFieldShape, DASHBOARD_BASE_URL = "https://www.kadoa.com";
 var init_tools = __esm(() => {
   init_zod();
   init_dist2();
@@ -54108,45 +54220,6 @@ function generatePKCE() {
   const challenge = createHash2("sha256").update(verifier).digest("base64url");
   return { verifier, challenge };
 }
-async function refreshSupabaseToken(supabaseRefreshToken, context) {
-  const inflight = supabaseRefreshMutex.get(supabaseRefreshToken);
-  if (inflight) {
-    console.error(`[AUTH] REFRESH_DEDUP: reusing in-flight refresh (${context})`);
-    return inflight;
-  }
-  const promise3 = (async () => {
-    const supabaseUrl = process.env.SUPABASE_URL;
-    if (!supabaseUrl || !supabaseRefreshToken)
-      return null;
-    try {
-      const res = await fetch(`${supabaseUrl}/auth/v1/token?grant_type=refresh_token`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          apikey: process.env.SUPABASE_ANON_KEY
-        },
-        body: JSON.stringify({ refresh_token: supabaseRefreshToken })
-      });
-      if (res.ok) {
-        const data = await res.json();
-        const newClaims = jwtClaims(data.access_token);
-        console.log(`[AUTH] REFRESH_OK: Supabase JWT refreshed (${context}, newEmail=${newClaims.email})`);
-        return { jwt: data.access_token, refreshToken: data.refresh_token };
-      }
-      const body = await res.text().catch(() => "");
-      console.error(`[AUTH] REFRESH_FAIL: Supabase returned ${res.status} (${context}): ${body.slice(0, 200)}`);
-      return null;
-    } catch (err) {
-      console.error(`[AUTH] REFRESH_FAIL: Supabase refresh threw (${context}):`, err);
-      return null;
-    }
-  })();
-  supabaseRefreshMutex.set(supabaseRefreshToken, promise3);
-  promise3.finally(() => {
-    supabaseRefreshMutex.delete(supabaseRefreshToken);
-  });
-  return promise3;
-}
 function jwtClaims(jwt2) {
   try {
     const payload = JSON.parse(Buffer.from(jwt2.split(".")[1], "base64url").toString());
@@ -54454,12 +54527,22 @@ class KadoaOAuthProvider {
     let { supabaseJwt, supabaseRefreshToken } = entry;
     const claims = jwtClaims(entry.supabaseJwt);
     const context = `email=${claims.email}, team=${entry.teamId}`;
-    const refreshed = await refreshSupabaseToken(supabaseRefreshToken, context);
-    if (refreshed) {
-      supabaseJwt = refreshed.jwt;
-      supabaseRefreshToken = refreshed.refreshToken;
-    } else {
-      console.error(`[AUTH] REFRESH_WARN: using stale Supabase JWT as fallback (${context})`);
+    try {
+      const { refreshSupabaseJwtRaw: refreshSupabaseJwtRaw2, SessionExpiredError: SessionExpiredError2 } = await Promise.resolve().then(() => (init_client2(), exports_client));
+      const refreshed = await refreshSupabaseJwtRaw2(supabaseRefreshToken);
+      if (refreshed) {
+        supabaseJwt = refreshed.jwt;
+        supabaseRefreshToken = refreshed.refreshToken;
+        console.error(`[AUTH] REFRESH_OK: Supabase JWT refreshed (${context})`);
+      } else {
+        console.error(`[AUTH] REFRESH_WARN: using stale Supabase JWT as fallback (${context})`);
+      }
+    } catch (error48) {
+      if (error48 instanceof Error && error48.name === "SessionExpiredError") {
+        console.error(`[AUTH] REFRESH_DEAD: session permanently expired (${context}): ${error48.message}`);
+        throw new InvalidTokenError("Supabase session expired. Please re-authenticate.");
+      }
+      console.error(`[AUTH] REFRESH_WARN: unexpected error, using stale JWT (${context}):`, error48);
     }
     const freshClaims = jwtClaims(supabaseJwt);
     const teamId = freshClaims.activeTeamId ?? entry.teamId;
@@ -54586,7 +54669,7 @@ class KadoaOAuthProvider {
       codeChallenge: pending.params.codeChallenge,
       clientId: pending.client.client_id,
       redirectUri: pending.params.redirectUri,
-      expiresAt: Date.now() + 10 * 60 * 1000
+      expiresAt: Date.now() + 600000
     }, 600);
     const redirectUrl = new URL(pending.params.redirectUri);
     redirectUrl.searchParams.set("code", mcpCode);
@@ -55015,12 +55098,11 @@ function renderLoginPage(state, error48) {
 function escapeHtml(str) {
   return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
 }
-var TEAM_SELECTION_TTL, ACCESS_TOKEN_TTL, supabaseRefreshMutex;
+var TEAM_SELECTION_TTL, ACCESS_TOKEN_TTL;
 var init_auth2 = __esm(() => {
   init_errors4();
   TEAM_SELECTION_TTL = 10 * 60 * 1000;
   ACCESS_TOKEN_TTL = 7 * 24 * 3600;
-  supabaseRefreshMutex = new Map;
 });
 
 // src/redis-store.ts
@@ -55213,6 +55295,39 @@ async function startHttpServer(options) {
       return;
     }
     const identity = `jwt:${auth.userId.slice(0, 8)}...:team=${auth.teamId.slice(0, 8)}...`;
+    if (isJwtExpired(auth.jwt)) {
+      try {
+        const refreshed = await refreshSupabaseJwtRaw(auth.refreshToken);
+        if (refreshed) {
+          auth.jwt = refreshed.jwt;
+          auth.refreshToken = refreshed.refreshToken;
+          const entry = await store.get("access_tokens", auth.mcpToken);
+          if (entry) {
+            const remainingMs = entry.expiresAt - Date.now();
+            if (remainingMs > 0) {
+              await store.set("access_tokens", auth.mcpToken, {
+                ...entry,
+                supabaseJwt: refreshed.jwt,
+                supabaseRefreshToken: refreshed.refreshToken
+              }, Math.ceil(remainingMs / 1000));
+              console.error(`[PROACTIVE_REFRESH] OK: JWT refreshed on ${method} (${identity})`);
+            }
+          }
+        }
+      } catch (error48) {
+        if (error48 instanceof SessionExpiredError) {
+          console.error(`[PROACTIVE_REFRESH] Session dead on ${method} (${identity}): ${error48.message}`);
+          await store.del("access_tokens", auth.mcpToken);
+          res.status(401).json({
+            jsonrpc: "2.0",
+            error: { code: -32001, message: error48.message },
+            id: req.body?.id ?? null
+          });
+          return;
+        }
+        console.error(`[PROACTIVE_REFRESH] WARN: refresh failed on ${method}, continuing with stale JWT`, error48);
+      }
+    }
     try {
       console.error(`[MCP] POST method=${method} auth=${identity}`);
       const transport = new StreamableHTTPServerTransport({
@@ -55290,6 +55405,7 @@ var init_http2 = __esm(async () => {
   init_bearerAuth();
   init_auth2();
   init_redis_store();
+  init_client2();
   await init_src();
 });
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kadoa/mcp",
-  "version": "0.3.10-rc.1",
+  "version": "0.3.10-rc.3",
   "description": "Kadoa MCP Server — manage workflows from Claude Desktop, Cursor, and other MCP clients",
   "type": "module",
   "main": "dist/index.js",
@@ -24,7 +24,7 @@
     "prepublishOnly": "bun run check-types && bun run test:unit && bun run build"
   },
   "dependencies": {
-    "@kadoa/node-sdk": "^0.24.2",
+    "@kadoa/node-sdk": "^0.23.0",
     "@modelcontextprotocol/sdk": "^1.26.0",
     "express": "^5.2.1",
     "ioredis": "^5.6.1",