@kadoa/mcp 0.3.7 → 0.3.9-rc.1

package/README.md

@@ -4,7 +4,7 @@ Use [Kadoa](https://kadoa.com) from ChatGPT, Claude.ai, Claude Code, Cursor, and
 
 ## Remote Server (no install needed)
 
-A hosted MCP server is available at `https://mcp.kadoa.com/mcp`. Connect from any MCP client — no local install, no API key config. You sign in with your Kadoa account via OAuth.
+A hosted MCP server is available at `https://mcp.kadoa.com/mcp`. Connect from any MCP client — no local install needed. You sign in with your Kadoa account via OAuth.
 
 ### Claude Code
 
@@ -24,7 +24,7 @@ claude mcp add kadoa --transport http https://mcp.kadoa.com/mcp
 2. Enter the URL: `https://mcp.kadoa.com/mcp`
 3. Sign in with your Kadoa account via OAuth
 
-### Cursor (Remote)
+### Cursor
 
 Add to `.cursor/mcp.json`:
 
@@ -43,101 +43,6 @@ Add to `.cursor/mcp.json`:
 
 Point your client to `https://mcp.kadoa.com/mcp` with OAuth authentication.
 
----
-
-## Local Setup (stdio)
-
-If you prefer to run the MCP server locally (e.g., for development or to use your own API key), install via npx:
-
-### Claude Code
-
-```bash
-claude mcp add --transport stdio -e KADOA_API_KEY=tk-your_api_key kadoa -- npx -y @kadoa/mcp
-```
-
-Add `-s user` to enable for all projects. If you have the [Kadoa CLI](https://www.npmjs.com/package/@kadoa/cli) installed, you can skip the `-e` flag — just run `kadoa login` and the MCP will use your saved key automatically.
-
-### Claude Desktop
-
-Add to `~/.config/Claude/claude_desktop_config.json`:
-
-```json
-{
-  "mcpServers": {
-    "kadoa": {
-      "command": "npx",
-      "args": ["-y", "@kadoa/mcp"],
-      "env": {
-        "KADOA_API_KEY": "tk-your_api_key"
-      }
-    }
-  }
-}
-```
-
-Restart Claude Desktop.
-
-### Cursor
-
-Add to `.cursor/mcp.json`:
-
-```json
-{
-  "mcpServers": {
-    "kadoa": {
-      "command": "npx",
-      "args": ["-y", "@kadoa/mcp"],
-      "env": {
-        "KADOA_API_KEY": "tk-your_api_key"
-      }
-    }
-  }
-}
-```
-
-### Codex
-
-```bash
-codex mcp add kadoa -- npx -y @kadoa/mcp
-```
-
-Or add to `~/.codex/config.toml`:
-
-```toml
-[mcp_servers.kadoa]
-command = "npx"
-args = ["-y", "@kadoa/mcp"]
-
-[mcp_servers.kadoa.env]
-KADOA_API_KEY = "tk-your_api_key"
-```
-
-### Gemini CLI
-
-```bash
-gemini mcp add -t stdio kadoa npx -- -y @kadoa/mcp
-```
-
-Or add to `~/.gemini/settings.json`:
-
-```json
-{
-  "mcpServers": {
-    "kadoa": {
-      "command": "npx",
-      "args": ["-y", "@kadoa/mcp"],
-      "env": {
-        "KADOA_API_KEY": "tk-your_api_key"
-      }
-    }
-  }
-}
-```
-
-## Get Your API Key
-
-Get your API key from [kadoa.com/settings](https://kadoa.com/settings).
-
 ## Tools
 
 | Tool | Description |
@@ -214,14 +119,10 @@ delete_workflow for each, confirming before proceeding.
 
 ## Troubleshooting
 
-**"No API key found"**
-- Run `kadoa login` (requires `npm i -g @kadoa/cli`), or
-- Set `KADOA_API_KEY` in your MCP config or environment
-- API keys start with `tk-`
-
 **Claude says "I don't have access to Kadoa"**
 - Verify the MCP server is configured correctly
 - Restart your MCP client
+- Re-authenticate via OAuth if prompted
 
 ## Deploying the Remote Server
 
@@ -256,24 +157,15 @@ bun run build      # Build for distribution
 
 To develop and test against a local Kadoa backend (instead of the production API), point the MCP at your local `public-api` service using the `KADOA_PUBLIC_API_URI` environment variable.
 
-**Prerequisites:** the `public-api` service must be running locally (default port `12380`). You also need a local API key — check your backend seed data or API key table.
+**Prerequisites:** the `public-api` service must be running locally (default port `12380`).
 
 **Run the MCP server locally:**
 
 ```bash
-KADOA_PUBLIC_API_URI=http://localhost:12380 KADOA_API_KEY=tk-your_local_api_key bun src/index.ts
-```
-
-**Add as a local MCP in Claude Code** (alongside the remote one):
-
-```bash
-claude mcp add --transport stdio \
-  -e KADOA_PUBLIC_API_URI=http://localhost:12380 \
-  -e KADOA_API_KEY=tk-your_local_api_key \
-  kadoa-local -- bun /path/to/kadoa-mcp/src/index.ts
+KADOA_PUBLIC_API_URI=http://localhost:12380 bun run dev
 ```
 
-This registers a `kadoa-local` server that coexists with the production `kadoa` server, so you can use both without conflicts (`mcp__kadoa__*` for prod, `mcp__kadoa-local__*` for local).
+The server starts in HTTP mode. You authenticate via OAuth the same way as with the remote server.
 
 ## License
 

package/dist/index.js

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env bun
 // @bun
 import { createRequire } from "node:module";
 var __create = Object.create;
@@ -28800,102 +28800,6 @@ var init_mcp = __esm(() => {
   };
 });
 
-// node_modules/@modelcontextprotocol/sdk/dist/esm/shared/stdio.js
-class ReadBuffer {
-  append(chunk) {
-    this._buffer = this._buffer ? Buffer.concat([this._buffer, chunk]) : chunk;
-  }
-  readMessage() {
-    if (!this._buffer) {
-      return null;
-    }
-    const index = this._buffer.indexOf(`
-`);
-    if (index === -1) {
-      return null;
-    }
-    const line = this._buffer.toString("utf8", 0, index).replace(/\r$/, "");
-    this._buffer = this._buffer.subarray(index + 1);
-    return deserializeMessage(line);
-  }
-  clear() {
-    this._buffer = undefined;
-  }
-}
-function deserializeMessage(line) {
-  return JSONRPCMessageSchema.parse(JSON.parse(line));
-}
-function serializeMessage(message) {
-  return JSON.stringify(message) + `
-`;
-}
-var init_stdio = __esm(() => {
-  init_types2();
-});
-
-// node_modules/@modelcontextprotocol/sdk/dist/esm/server/stdio.js
-import process3 from "node:process";
-
-class StdioServerTransport {
-  constructor(_stdin = process3.stdin, _stdout = process3.stdout) {
-    this._stdin = _stdin;
-    this._stdout = _stdout;
-    this._readBuffer = new ReadBuffer;
-    this._started = false;
-    this._ondata = (chunk) => {
-      this._readBuffer.append(chunk);
-      this.processReadBuffer();
-    };
-    this._onerror = (error48) => {
-      this.onerror?.(error48);
-    };
-  }
-  async start() {
-    if (this._started) {
-      throw new Error("StdioServerTransport already started! If using Server class, note that connect() calls start() automatically.");
-    }
-    this._started = true;
-    this._stdin.on("data", this._ondata);
-    this._stdin.on("error", this._onerror);
-  }
-  processReadBuffer() {
-    while (true) {
-      try {
-        const message = this._readBuffer.readMessage();
-        if (message === null) {
-          break;
-        }
-        this.onmessage?.(message);
-      } catch (error48) {
-        this.onerror?.(error48);
-      }
-    }
-  }
-  async close() {
-    this._stdin.off("data", this._ondata);
-    this._stdin.off("error", this._onerror);
-    const remainingDataListeners = this._stdin.listenerCount("data");
-    if (remainingDataListeners === 0) {
-      this._stdin.pause();
-    }
-    this._readBuffer.clear();
-    this.onclose?.();
-  }
-  send(message) {
-    return new Promise((resolve) => {
-      const json2 = serializeMessage(message);
-      if (this._stdout.write(json2)) {
-        resolve();
-      } else {
-        this._stdout.once("drain", resolve);
-      }
-    });
-  }
-}
-var init_stdio2 = __esm(() => {
-  init_stdio();
-});
-
 // node_modules/axios/lib/helpers/bind.js
 function bind(fn, thisArg) {
   return function wrap() {
@@ -49043,83 +48947,47 @@ var init_dist2 = __esm(() => {
 });
 
 // src/client.ts
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
-import { dirname, join } from "node:path";
-import { homedir } from "node:os";
-function getConfigPath() {
-  const home = process.env.HOME || homedir();
-  return join(home, ".kadoa", "config.json");
-}
-function loadConfig() {
-  const configFile = getConfigPath();
-  if (!existsSync(configFile))
-    return {};
-  try {
-    return JSON.parse(readFileSync(configFile, "utf-8"));
-  } catch {
-    return {};
-  }
-}
-function loadApiKeyFromConfig() {
-  return loadConfig().apiKey;
-}
-function resolveApiKey(apiKey) {
-  const key = apiKey || process.env.KADOA_API_KEY || loadApiKeyFromConfig();
-  if (!key) {
-    throw new Error("No API key found. Set KADOA_API_KEY env var or run 'kadoa login' (npm i -g @kadoa/cli).");
-  }
-  return key;
-}
 function createKadoaClient(auth) {
-  let client;
-  let teamId;
-  if (typeof auth === "object" && auth !== null) {
-    if ("jwt" in auth) {
-      client = new KadoaClient({ bearerToken: auth.jwt });
-      teamId = auth.teamId;
-    } else {
-      client = new KadoaClient({ apiKey: auth.apiKey });
-    }
-  } else {
-    client = new KadoaClient({ apiKey: resolveApiKey(auth) });
-  }
+  const client = new KadoaClient({ bearerToken: auth.jwt });
   client.axiosInstance.interceptors.request.use((config2) => {
     config2.headers["x-kadoa-source"] = "mcp";
-    if (teamId) {
-      config2.headers["x-team-id"] = teamId;
+    if (auth.teamId) {
+      config2.headers["x-team-id"] = auth.teamId;
     }
     return config2;
   });
   return client;
 }
-var ctxRefreshMutex;
+var refreshRawMutex, ctxRefreshMutex;
 var init_client = __esm(() => {
   init_dist2();
+  refreshRawMutex = new Map;
   ctxRefreshMutex = new WeakMap;
 });
 
 // src/client.ts
-import { existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "node:fs";
-import { dirname as dirname2, join as join2 } from "node:path";
-import { homedir as homedir2 } from "node:os";
-function getConfigPath2() {
-  const home = process.env.HOME || homedir2();
-  return join2(home, ".kadoa", "config.json");
-}
-function loadConfig2() {
-  const configFile = getConfigPath2();
-  if (!existsSync2(configFile))
-    return {};
-  try {
-    return JSON.parse(readFileSync2(configFile, "utf-8"));
-  } catch {
-    return {};
-  }
-}
-function saveConfig(config2) {
-  const configFile = getConfigPath2();
-  mkdirSync2(dirname2(configFile), { recursive: true });
-  writeFileSync2(configFile, JSON.stringify(config2, null, 2), "utf-8");
+var exports_client = {};
+__export(exports_client, {
+  refreshSupabaseJwtRaw: () => refreshSupabaseJwtRaw,
+  refreshSupabaseJwt: () => refreshSupabaseJwt,
+  isJwtExpired: () => isJwtExpired,
+  getValidJwt: () => getValidJwt,
+  decodeJwtClaims: () => decodeJwtClaims,
+  createKadoaClient: () => createKadoaClient2,
+  SessionExpiredError: () => SessionExpiredError,
+  KadoaSdkException: () => KadoaSdkException,
+  KadoaClient: () => KadoaClient
+});
+function createKadoaClient2(auth) {
+  const client = new KadoaClient({ bearerToken: auth.jwt });
+  client.axiosInstance.interceptors.request.use((config2) => {
+    config2.headers["x-kadoa-source"] = "mcp";
+    if (auth.teamId) {
+      config2.headers["x-team-id"] = auth.teamId;
+    }
+    return config2;
+  });
+  return client;
 }
 function decodeJwtClaims(jwt2) {
   try {
@@ -49142,36 +49010,57 @@ function isJwtExpired(jwt2) {
     return true;
   }
 }
-async function refreshSupabaseJwt(ctx) {
-  if (!ctx.supabaseRefreshToken) {
-    console.error("[JWT_REFRESH] No refresh token available, cannot refresh");
-    return;
+async function refreshSupabaseJwtRaw(supabaseRefreshToken) {
+  const inflight = refreshRawMutex2.get(supabaseRefreshToken);
+  if (inflight) {
+    console.error(`[JWT_REFRESH] DEDUP: reusing in-flight raw refresh`);
+    return inflight;
   }
+  const promise3 = _doRefreshRaw(supabaseRefreshToken).finally(() => {
+    refreshRawMutex2.delete(supabaseRefreshToken);
+  });
+  refreshRawMutex2.set(supabaseRefreshToken, promise3);
+  return promise3;
+}
+async function _doRefreshRaw(supabaseRefreshToken) {
   const supabaseUrl = process.env.SUPABASE_URL;
   if (!supabaseUrl) {
     console.error("[JWT_REFRESH] SUPABASE_URL not set, cannot refresh");
+    return null;
+  }
+  const res = await fetch(`${supabaseUrl}/auth/v1/token?grant_type=refresh_token`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      apikey: process.env.SUPABASE_ANON_KEY
+    },
+    body: JSON.stringify({ refresh_token: supabaseRefreshToken })
+  });
+  if (res.ok) {
+    const data = await res.json();
+    return { jwt: data.access_token, refreshToken: data.refresh_token };
+  }
+  const body = await res.text().catch(() => "");
+  console.error(`[JWT_REFRESH] FAIL: Supabase returned ${res.status} (refreshToken=${supabaseRefreshToken.slice(0, 12)}...): ${body}`);
+  if (body.includes("session_expired") || body.includes("refresh_token_not_found") || body.includes("refresh_token_already_used")) {
+    throw new SessionExpiredError("Your Kadoa session has expired due to inactivity. Please reconnect to re-authenticate.");
+  }
+  return null;
+}
+async function refreshSupabaseJwt(ctx) {
+  if (!ctx.supabaseRefreshToken) {
+    console.error("[JWT_REFRESH] No refresh token available, cannot refresh");
     return;
   }
   try {
     const refreshToken = ctx.supabaseRefreshToken;
     console.error(`[JWT_REFRESH] Refreshing Supabase JWT (refreshToken=${refreshToken.slice(0, 12)}..., team=${ctx.teamId ?? "unknown"})`);
-    const res = await fetch(`${supabaseUrl}/auth/v1/token?grant_type=refresh_token`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        apikey: process.env.SUPABASE_ANON_KEY
-      },
-      body: JSON.stringify({ refresh_token: refreshToken })
-    });
-    if (!res.ok) {
-      const body = await res.text().catch(() => "");
-      console.error(`[JWT_REFRESH] FAIL: Supabase returned ${res.status} (refreshToken=${refreshToken.slice(0, 12)}...): ${body}`);
+    const result = await refreshSupabaseJwtRaw(refreshToken);
+    if (!result)
       return;
-    }
-    const data = await res.json();
-    ctx.supabaseJwt = data.access_token;
-    ctx.supabaseRefreshToken = data.refresh_token;
-    ctx.client.setBearerToken(data.access_token);
+    ctx.supabaseJwt = result.jwt;
+    ctx.supabaseRefreshToken = result.refreshToken;
+    ctx.client.setBearerToken(result.jwt);
     try {
       await ctx.persist?.({
         supabaseJwt: ctx.supabaseJwt,
@@ -49181,9 +49070,11 @@ async function refreshSupabaseJwt(ctx) {
     } catch (e) {
       console.error("[JWT_REFRESH] WARN: persist failed, tokens updated in-memory only:", e);
     }
-    console.error(`[JWT_REFRESH] OK: token refreshed (team=${ctx.teamId ?? "unknown"}, newRefreshToken=${data.refresh_token.slice(0, 12)}...)`);
-    return data.access_token;
+    console.error(`[JWT_REFRESH] OK: token refreshed (team=${ctx.teamId ?? "unknown"}, newRefreshToken=${result.refreshToken.slice(0, 12)}...)`);
+    return result.jwt;
   } catch (error48) {
+    if (error48 instanceof SessionExpiredError)
+      throw error48;
     console.error("[JWT_REFRESH] FAIL: threw", error48);
     return;
   }
@@ -49204,9 +49095,16 @@ async function getValidJwt(ctx) {
   ctxRefreshMutex2.set(ctx, promise3);
   return promise3;
 }
-var ctxRefreshMutex2;
+var SessionExpiredError, refreshRawMutex2, ctxRefreshMutex2;
 var init_client2 = __esm(() => {
   init_dist2();
+  SessionExpiredError = class SessionExpiredError extends Error {
+    constructor(message) {
+      super(message ?? "Supabase session expired. Please re-authenticate.");
+      this.name = "SessionExpiredError";
+    }
+  };
+  refreshRawMutex2 = new Map;
   ctxRefreshMutex2 = new WeakMap;
 });
 
@@ -49265,7 +49163,7 @@ function classifyError(error48) {
           if (httpError.httpStatus === 403) {
             return `Access denied${status}. Your current team role may not have permission for this action. Use the whoami tool to check your role, or contact your team admin to request elevated access.`;
           }
-          return `Authentication failed${status}. Your Kadoa API key may be invalid or expired. Please check your KADOA_API_KEY or re-authenticate.`;
+          return `Authentication failed${status}. Please re-authenticate via OAuth.`;
         case "NOT_FOUND":
           return `Not found${status}. The workflow may have been deleted or the ID is incorrect.`;
         case "RATE_LIMITED":
@@ -49283,7 +49181,7 @@ function classifyError(error48) {
     }
     switch (code) {
       case "AUTH_ERROR":
-        return "Authentication failed. Your Kadoa API key may be invalid or expired. Please check your KADOA_API_KEY or re-authenticate.";
+        return "Authentication failed. Please re-authenticate via OAuth.";
       case "NOT_FOUND":
         return "Not found. The workflow may have been deleted or the ID is incorrect.";
       case "RATE_LIMITED":
@@ -49324,13 +49222,16 @@ function registerTools(server, ctx) {
         }
         return await handler(...args);
       } catch (error48) {
+        if (error48 instanceof SessionExpiredError) {
+          console.error(`[Tool Error] ${name}: session expired, user must re-authenticate`);
+          return errorResult("Your session has expired. Please reconnect the MCP server to re-authenticate.");
+        }
         let message = classifyError(error48);
         if (KadoaHttpException.isInstance(error48) && error48.httpStatus === 403) {
           try {
             const jwt2 = ctx.supabaseJwt;
             const teams = await ctx.client.listTeams(jwt2 ? { bearerToken: jwt2 } : undefined);
-            const config2 = loadConfig2();
-            const activeTeamId = ctx.teamId ?? config2.teamId ?? teams[0]?.id;
+            const activeTeamId = ctx.teamId ?? teams[0]?.id;
             const activeTeam = teams.find((t) => t.id === activeTeamId);
             if (activeTeam?.adminEmail) {
               message += ` Your team admin is ${activeTeam.adminEmail}.`;
@@ -49349,13 +49250,11 @@ function registerTools(server, ctx) {
   }, withErrorHandling("whoami", async () => {
     const jwt2 = await getValidJwt(ctx);
     const user = await ctx.client.user.getCurrentUser();
-    const authMethod = jwt2 ? "OAuth (JWT)" : "API Key";
     const teams = await ctx.client.listTeams(jwt2 ? { bearerToken: jwt2 } : undefined);
-    const config2 = loadConfig2();
-    const activeTeamId = ctx.teamId ?? config2.teamId ?? teams[0]?.id;
+    const activeTeamId = ctx.teamId ?? teams[0]?.id;
     return jsonResult({
       email: user.email,
-      authMethod,
+      authMethod: "OAuth",
       teams: teams.map((t) => ({
         name: t.name,
         memberRole: t.memberRole,
@@ -49999,8 +49898,7 @@ function registerTools(server, ctx) {
   }, withErrorHandling("team_list", async () => {
     const jwt2 = await getValidJwt(ctx);
     const teams = await ctx.client.listTeams(jwt2 ? { bearerToken: jwt2 } : undefined);
-    const config2 = loadConfig2();
-    const activeTeamId = ctx.teamId ?? config2.teamId ?? teams[0]?.id;
+    const activeTeamId = ctx.teamId ?? teams[0]?.id;
     return jsonResult({
       teams: teams.map((t) => ({
         id: t.id,
@@ -50020,9 +49918,6 @@ function registerTools(server, ctx) {
     annotations: { readOnlyHint: false, destructiveHint: false, idempotentHint: true }
   }, withErrorHandling("team_switch", async (args) => {
     const jwt2 = await getValidJwt(ctx);
-    if (!jwt2) {
-      return errorResult("Team switching requires OAuth authentication (HTTP mode). " + "In stdio mode, re-run with a different KADOA_API_KEY or use 'kadoa login' to authenticate via the CLI.");
-    }
     const teams = await ctx.client.listTeams({ bearerToken: jwt2 });
     const identifier = args.teamIdentifier;
     const match = teams.find((t) => t.id === identifier || t.name.toLowerCase() === identifier.toLowerCase());
@@ -50036,10 +49931,6 @@ function registerTools(server, ctx) {
     } catch (e) {
       console.error("[TEAM_SWITCH] WARN: persist failed:", e);
     }
-    const config2 = loadConfig2();
-    config2.teamId = match.id;
-    config2.teamName = match.name;
-    saveConfig(config2);
     return jsonResult({
       success: true,
       teamId: match.id,
@@ -54059,45 +53950,6 @@ function generatePKCE() {
   const challenge = createHash2("sha256").update(verifier).digest("base64url");
   return { verifier, challenge };
 }
-async function refreshSupabaseToken(supabaseRefreshToken, context) {
-  const inflight = supabaseRefreshMutex.get(supabaseRefreshToken);
-  if (inflight) {
-    console.error(`[AUTH] REFRESH_DEDUP: reusing in-flight refresh (${context})`);
-    return inflight;
-  }
-  const promise3 = (async () => {
-    const supabaseUrl = process.env.SUPABASE_URL;
-    if (!supabaseUrl || !supabaseRefreshToken)
-      return null;
-    try {
-      const res = await fetch(`${supabaseUrl}/auth/v1/token?grant_type=refresh_token`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          apikey: process.env.SUPABASE_ANON_KEY
-        },
-        body: JSON.stringify({ refresh_token: supabaseRefreshToken })
-      });
-      if (res.ok) {
-        const data = await res.json();
-        const newClaims = jwtClaims(data.access_token);
-        console.log(`[AUTH] REFRESH_OK: Supabase JWT refreshed (${context}, newEmail=${newClaims.email})`);
-        return { jwt: data.access_token, refreshToken: data.refresh_token };
-      }
-      const body = await res.text().catch(() => "");
-      console.error(`[AUTH] REFRESH_FAIL: Supabase returned ${res.status} (${context}): ${body.slice(0, 200)}`);
-      return null;
-    } catch (err) {
-      console.error(`[AUTH] REFRESH_FAIL: Supabase refresh threw (${context}):`, err);
-      return null;
-    }
-  })();
-  supabaseRefreshMutex.set(supabaseRefreshToken, promise3);
-  promise3.finally(() => {
-    supabaseRefreshMutex.delete(supabaseRefreshToken);
-  });
-  return promise3;
-}
 function jwtClaims(jwt2) {
   try {
     const payload = JSON.parse(Buffer.from(jwt2.split(".")[1], "base64url").toString());
@@ -54405,12 +54257,22 @@ class KadoaOAuthProvider {
     let { supabaseJwt, supabaseRefreshToken } = entry;
     const claims = jwtClaims(entry.supabaseJwt);
     const context = `email=${claims.email}, team=${entry.teamId}`;
-    const refreshed = await refreshSupabaseToken(supabaseRefreshToken, context);
-    if (refreshed) {
-      supabaseJwt = refreshed.jwt;
-      supabaseRefreshToken = refreshed.refreshToken;
-    } else {
-      console.error(`[AUTH] REFRESH_WARN: using stale Supabase JWT as fallback (${context})`);
+    try {
+      const { refreshSupabaseJwtRaw: refreshSupabaseJwtRaw2, SessionExpiredError: SessionExpiredError2 } = await Promise.resolve().then(() => (init_client2(), exports_client));
+      const refreshed = await refreshSupabaseJwtRaw2(supabaseRefreshToken);
+      if (refreshed) {
+        supabaseJwt = refreshed.jwt;
+        supabaseRefreshToken = refreshed.refreshToken;
+        console.error(`[AUTH] REFRESH_OK: Supabase JWT refreshed (${context})`);
+      } else {
+        console.error(`[AUTH] REFRESH_WARN: using stale Supabase JWT as fallback (${context})`);
+      }
+    } catch (error48) {
+      if (error48 instanceof Error && error48.name === "SessionExpiredError") {
+        console.error(`[AUTH] REFRESH_DEAD: session permanently expired (${context}): ${error48.message}`);
+        throw new InvalidTokenError("Supabase session expired. Please re-authenticate.");
+      }
+      console.error(`[AUTH] REFRESH_WARN: unexpected error, using stale JWT (${context}):`, error48);
     }
     const freshClaims = jwtClaims(supabaseJwt);
     const teamId = freshClaims.activeTeamId ?? entry.teamId;
@@ -54438,15 +54300,6 @@ class KadoaOAuthProvider {
     };
   }
   async verifyAccessToken(token) {
-    if (token.startsWith("tk-")) {
-      return {
-        token,
-        clientId: "direct-api-key",
-        scopes: [],
-        expiresAt: Math.floor(Date.now() / 1000) + 3600,
-        extra: { apiKey: token }
-      };
-    }
     const entry = await this.store.get("access_tokens", token);
     if (!entry) {
       const sessionCount = await this.store.size("access_tokens");
@@ -54546,7 +54399,7 @@ class KadoaOAuthProvider {
       codeChallenge: pending.params.codeChallenge,
       clientId: pending.client.client_id,
       redirectUri: pending.params.redirectUri,
-      expiresAt: Date.now() + 10 * 60 * 1000
+      expiresAt: Date.now() + 600000
     }, 600);
     const redirectUrl = new URL(pending.params.redirectUri);
     redirectUrl.searchParams.set("code", mcpCode);
@@ -54975,12 +54828,11 @@ function renderLoginPage(state, error48) {
 function escapeHtml(str) {
   return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
 }
-var TEAM_SELECTION_TTL, ACCESS_TOKEN_TTL, supabaseRefreshMutex;
+var TEAM_SELECTION_TTL, ACCESS_TOKEN_TTL;
 var init_auth2 = __esm(() => {
   init_errors4();
   TEAM_SELECTION_TTL = 10 * 60 * 1000;
   ACCESS_TOKEN_TTL = 7 * 24 * 3600;
-  supabaseRefreshMutex = new Map;
 });
 
 // src/redis-store.ts
@@ -55098,9 +54950,6 @@ function resolveAuth(req) {
     console.error("[AUTH_RESOLVE] FAIL: req.auth.extra is missing");
     return;
   }
-  if (typeof extra.apiKey === "string" && extra.apiKey.startsWith("tk-")) {
-    return { kind: "apiKey", apiKey: extra.apiKey };
-  }
   if (typeof extra.supabaseJwt === "string") {
     const claims = jwtClaims2(extra.supabaseJwt);
     const userId = claims.sub;
@@ -55118,7 +54967,6 @@ function resolveAuth(req) {
       }
     }
     return {
-      kind: "jwt",
       jwt: extra.supabaseJwt,
       refreshToken: extra.supabaseRefreshToken ?? "",
       teamId: extra.teamId ?? "",
@@ -55126,7 +54974,7 @@ function resolveAuth(req) {
       mcpToken: req.auth.token
     };
   }
-  console.error(`[AUTH_RESOLVE] FAIL: no apiKey or supabaseJwt in extra (keys: ${Object.keys(extra).join(", ")})`);
+  console.error(`[AUTH_RESOLVE] FAIL: no supabaseJwt in extra (keys: ${Object.keys(extra).join(", ")})`);
   return;
 }
 async function startHttpServer(options) {
@@ -55176,13 +55024,46 @@ async function startHttpServer(options) {
       });
       return;
     }
-    const identity = auth.kind === "jwt" ? `jwt:${auth.userId.slice(0, 8)}...:team=${auth.teamId.slice(0, 8)}...` : `apiKey:${auth.apiKey.slice(0, 12)}...`;
+    const identity = `jwt:${auth.userId.slice(0, 8)}...:team=${auth.teamId.slice(0, 8)}...`;
+    if (isJwtExpired(auth.jwt)) {
+      try {
+        const refreshed = await refreshSupabaseJwtRaw(auth.refreshToken);
+        if (refreshed) {
+          auth.jwt = refreshed.jwt;
+          auth.refreshToken = refreshed.refreshToken;
+          const entry = await store.get("access_tokens", auth.mcpToken);
+          if (entry) {
+            const remainingMs = entry.expiresAt - Date.now();
+            if (remainingMs > 0) {
+              await store.set("access_tokens", auth.mcpToken, {
+                ...entry,
+                supabaseJwt: refreshed.jwt,
+                supabaseRefreshToken: refreshed.refreshToken
+              }, Math.ceil(remainingMs / 1000));
+              console.error(`[PROACTIVE_REFRESH] OK: JWT refreshed on ${method} (${identity})`);
+            }
+          }
+        }
+      } catch (error48) {
+        if (error48 instanceof SessionExpiredError) {
+          console.error(`[PROACTIVE_REFRESH] Session dead on ${method} (${identity}): ${error48.message}`);
+          await store.del("access_tokens", auth.mcpToken);
+          res.status(401).json({
+            jsonrpc: "2.0",
+            error: { code: -32001, message: error48.message },
+            id: req.body?.id ?? null
+          });
+          return;
+        }
+        console.error(`[PROACTIVE_REFRESH] WARN: refresh failed on ${method}, continuing with stale JWT`, error48);
+      }
+    }
     try {
       console.error(`[MCP] POST method=${method} auth=${identity}`);
       const transport = new StreamableHTTPServerTransport({
         sessionIdGenerator: undefined
       });
-      const server = auth.kind === "jwt" ? createServer({
+      const server = createServer({
         jwt: auth.jwt,
         refreshToken: auth.refreshToken,
         teamId: auth.teamId,
@@ -55206,7 +55087,7 @@ async function startHttpServer(options) {
           }, ttlSeconds);
           console.error(`[PERSIST] OK: updated access token in store (token=${auth.mcpToken.slice(0, 12)}..., team=${state.teamId ?? "unchanged"}, ttl=${ttlSeconds}s)`);
         }
-      }) : createServer({ apiKey: auth.apiKey });
+      });
       await server.connect(transport);
       await transport.handleRequest(req, res, req.body);
     } catch (error48) {
@@ -55254,66 +55135,31 @@ var init_http2 = __esm(async () => {
   init_bearerAuth();
   init_auth2();
   init_redis_store();
+  init_client2();
   await init_src();
 });
 
 // src/index.ts
 function createServer(auth) {
-  let ctx;
-  if (typeof auth === "object" && auth !== null && "jwt" in auth) {
-    ctx = {
-      client: createKadoaClient({ jwt: auth.jwt, teamId: auth.teamId }),
-      supabaseJwt: auth.jwt,
-      supabaseRefreshToken: auth.refreshToken,
-      teamId: auth.teamId,
-      persist: auth.persist
-    };
-  } else if (typeof auth === "object" && auth !== null && "apiKey" in auth) {
-    ctx = {
-      client: createKadoaClient({ apiKey: auth.apiKey })
-    };
-  } else {
-    ctx = {
-      client: createKadoaClient(auth)
-    };
-  }
+  const ctx = {
+    client: createKadoaClient({ jwt: auth.jwt, teamId: auth.teamId }),
+    supabaseJwt: auth.jwt,
+    supabaseRefreshToken: auth.refreshToken,
+    teamId: auth.teamId,
+    persist: auth.persist
+  };
   const server = new McpServer({ name: "kadoa", version: "0.3.2" });
   registerTools(server, ctx);
   server.server.onerror = (error48) => console.error("[MCP Error]", error48);
   return server;
 }
-async function validateApiKey() {
-  const client = createKadoaClient();
-  try {
-    await client.workflow.list({ limit: 1 });
-  } catch (error48) {
-    if (KadoaSdkException.isInstance(error48) && error48.code === "AUTH_ERROR") {
-      console.error("Kadoa MCP: Invalid API key. Check KADOA_API_KEY or run 'kadoa login'.");
-      process.exit(1);
-    }
-  }
-}
 var init_src = __esm(async () => {
   init_mcp();
-  init_stdio2();
   init_client();
   init_tools();
   if (!process.env.VITEST && !process.env.BUN_TEST) {
-    const httpMode = process.argv.includes("--http") || process.env.MCP_HTTP === "1";
-    if (httpMode) {
-      const { startHttpServer: startHttpServer2 } = await init_http2().then(() => exports_http);
-      await startHttpServer2();
-    } else {
-      await validateApiKey();
-      const server = createServer();
-      const transport = new StdioServerTransport;
-      await server.connect(transport);
-      console.error("Kadoa MCP Server started");
-      process.on("SIGINT", async () => {
-        await server.close();
-        process.exit(0);
-      });
-    }
+    const { startHttpServer: startHttpServer2 } = await init_http2().then(() => exports_http);
+    await startHttpServer2();
   }
 });
 await init_src();

package/package.json

@@ -1,12 +1,9 @@
 {
   "name": "@kadoa/mcp",
-  "version": "0.3.7",
+  "version": "0.3.9-rc.1",
   "description": "Kadoa MCP Server — manage workflows from Claude Desktop, Cursor, and other MCP clients",
   "type": "module",
   "main": "dist/index.js",
-  "bin": {
-    "kadoa-mcp": "dist/index.js"
-  },
   "publishConfig": {
     "access": "public"
   },
@@ -18,8 +15,7 @@
     "lint": "bunx biome check",
     "lint:fix": "bunx biome check --write",
     "dev": "bun src/index.ts",
-    "dev:http": "MCP_HTTP=1 bun src/index.ts",
-    "build": "bun build src/index.ts --outdir=dist --target=node --external express --external ioredis && node -e \"const f='dist/index.js';require('fs').writeFileSync(f,require('fs').readFileSync(f,'utf8').replace('#!/usr/bin/env bun','#!/usr/bin/env node'))\"",
+    "build": "bun build src/index.ts --outdir=dist --target=node --external express --external ioredis",
     "check-types": "tsc --noEmit",
     "test": "BUN_TEST=1 bun test",
     "test:unit": "BUN_TEST=1 bun test tests/unit --timeout=120000",