npm - @kadoa/mcp - Versions diffs - 0.5.4 → 0.5.7 - Mend

@kadoa/mcp 0.5.4 → 0.5.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -85,6 +85,17 @@ Claude checks the run status with get_workflow, then calls fetch_data
 to retrieve the extracted records and display them as a table.
 ```
+### Create a workflow from a template
+```
+> You: Use my "Product Scraper" template to scrape https://example-shop.com.
+Claude calls list_templates to find the matching template, then
+create_workflow with `templateId` and `urls` only — the prompt and
+schema are inherited from the template version. Returns the workflow
+ID for follow-up with get_workflow or fetch_data.
+```
 ### Update a workflow and re-run
 ```

package/dist/index.js CHANGED Viewed

@@ -14552,7 +14552,7 @@ function finalize(ctx, schema) {
     result.$schema = "http://json-schema.org/draft-07/schema#";
   } else if (ctx.target === "draft-04") {
     result.$schema = "http://json-schema.org/draft-04/schema#";
-  } else if (ctx.target === "openapi-3.0") {} else {}
+  } else if (ctx.target === "openapi-3.0") {}
   if (ctx.external?.uri) {
     const id = ctx.external.registry.get(schema)?.id;
     if (!id)
@@ -14817,7 +14817,7 @@ var formatMap, stringProcessor = (schema, ctx, _json, _params) => {
     if (val === undefined) {
       if (ctx.unrepresentable === "throw") {
         throw new Error("Literal `undefined` cannot be represented in JSON Schema");
-      } else {}
+      }
     } else if (typeof val === "bigint") {
       if (ctx.unrepresentable === "throw") {
         throw new Error("BigInt literals cannot be represented in JSON Schema");
@@ -44498,9 +44498,9 @@ function createClientDomains(params) {
   const dataFetcherService = new DataFetcherService(client.apis.workflows);
   const channelsService = new NotificationChannelsService(client.apis.notifications, userService);
   const settingsService = new NotificationSettingsService(client.apis.notifications);
-  const workflowsCoreService = new WorkflowsCoreService(client.apis.workflows);
   const schemasService = new SchemasService(client);
   const templatesService = new TemplatesService(client);
+  const workflowsCoreService = new WorkflowsCoreService(client.apis.workflows, templatesService);
   const variablesService = new VariablesService(client);
   const channelSetupService = new NotificationSetupService(channelsService, settingsService);
   const coreService = new ValidationCoreService(client);
@@ -48714,7 +48714,7 @@ var import_debug, __require2, ChangeDifferenceType, KadoaErrorCode, _KadoaSdkExc
     }));
     return channels;
   }
-}, PUBLIC_API_URI, WSS_API_URI, REALTIME_API_URI, SDK_VERSION = "0.32.0", SDK_NAME = "kadoa-node-sdk", SDK_LANGUAGE = "node", debug6, isDrainControlMessage = (message) => message.type === "control.draining", isRealtimeEvent = (message) => message.type !== "heartbeat" && message.type !== "control.draining", _Realtime = class _Realtime2 {
+}, PUBLIC_API_URI, WSS_API_URI, REALTIME_API_URI, SDK_VERSION = "0.33.0", SDK_NAME = "kadoa-node-sdk", SDK_LANGUAGE = "node", debug6, isDrainControlMessage = (message) => message.type === "control.draining", isRealtimeEvent = (message) => message.type !== "heartbeat" && message.type !== "control.draining", _Realtime = class _Realtime2 {
   constructor(config2) {
     this.drainingSockets = /* @__PURE__ */ new Set;
     this.lastHeartbeat = Date.now();
@@ -49443,36 +49443,82 @@ var import_debug, __require2, ChangeDifferenceType, KadoaErrorCode, _KadoaSdkExc
     });
   }
 }, JobStateEnum, TERMINAL_JOB_STATES, TERMINAL_RUN_STATES2, debug9, WorkflowsCoreService = class {
-  constructor(workflowsApi) {
+  constructor(workflowsApi, templatesService) {
     this.workflowsApi = workflowsApi;
+    this.templatesService = templatesService;
   }
   async create(input) {
     validateAdditionalData(input.additionalData);
-    if (!input.userPrompt) {
+    const isFromTemplate = input.templateId != null;
+    if (isFromTemplate) {
+      const conflicting = [];
+      if (input.userPrompt != null)
+        conflicting.push("userPrompt");
+      if (input.entity != null)
+        conflicting.push("entity");
+      if (input.fields != null)
+        conflicting.push("fields");
+      if (input.schemaId != null)
+        conflicting.push("schemaId");
+      if (input.monitoring != null)
+        conflicting.push("monitoring");
+      if (input.navigationMode != null)
+        conflicting.push("navigationMode");
+      if (conflicting.length > 0) {
+        throw new KadoaSdkException(`Fields are defined by the template and cannot be supplied when creating from a template: ${conflicting.join(", ")}`, {
+          code: "VALIDATION_ERROR",
+          details: { conflicting }
+        });
+      }
+    } else if (!input.userPrompt) {
       throw new KadoaSdkException("userPrompt is required to create a workflow", {
         code: "VALIDATION_ERROR",
         details: { urls: input.urls }
       });
     }
     const domainName = new URL(input.urls[0]).hostname;
-    const request = {
-      urls: input.urls,
-      name: input.name ?? domainName,
-      description: input.description,
-      userPrompt: input.userPrompt,
-      navigationMode: "agentic-navigation",
-      schemaId: input.schemaId,
-      ...input.entity != null && { entity: input.entity },
-      fields: input.fields,
-      bypassPreview: input.bypassPreview ?? true,
-      tags: input.tags,
-      interval: input.interval,
-      monitoring: input.monitoring,
-      location: input.location,
-      schedules: input.schedules,
-      additionalData: input.additionalData,
-      limit: input.limit
-    };
+    let request;
+    if (isFromTemplate) {
+      const templateId = input.templateId;
+      const templateVersion = input.templateVersion ?? await this.resolveLatestVersion(templateId);
+      request = {
+        urls: input.urls,
+        templateId,
+        templateVersion,
+        ...input.name != null && { name: input.name },
+        ...input.description != null && { description: input.description },
+        ...input.tags != null && { tags: input.tags },
+        ...input.interval != null && { interval: input.interval },
+        ...input.schedules != null && { schedules: input.schedules },
+        ...input.location != null && { location: input.location },
+        ...input.bypassPreview != null && {
+          bypassPreview: input.bypassPreview
+        },
+        ...input.additionalData != null && {
+          additionalData: input.additionalData
+        },
+        ...input.limit != null && { limit: input.limit }
+      };
+    } else {
+      request = {
+        urls: input.urls,
+        name: input.name ?? domainName,
+        description: input.description,
+        userPrompt: input.userPrompt,
+        navigationMode: "agentic-navigation",
+        schemaId: input.schemaId,
+        ...input.entity != null && { entity: input.entity },
+        fields: input.fields,
+        bypassPreview: input.bypassPreview ?? true,
+        tags: input.tags,
+        interval: input.interval,
+        monitoring: input.monitoring,
+        location: input.location,
+        schedules: input.schedules,
+        additionalData: input.additionalData,
+        limit: input.limit
+      };
+    }
     const response = await this.workflowsApi.v4WorkflowsPost({
       publicWorkflowCreateRequest: request
     });
@@ -49487,6 +49533,23 @@ var import_debug, __require2, ChangeDifferenceType, KadoaErrorCode, _KadoaSdkExc
     }
     return { id: workflowId };
   }
+  async resolveLatestVersion(templateId) {
+    if (!this.templatesService) {
+      throw new KadoaSdkException("TemplatesService is required to resolve a template's latest version. Pass `templateVersion` explicitly or construct WorkflowsCoreService with a TemplatesService.", {
+        code: "INTERNAL_ERROR",
+        details: { templateId }
+      });
+    }
+    const template = await this.templatesService.get(templateId);
+    const latest = template.latestVersion;
+    if (latest == null) {
+      throw new KadoaSdkException(`Template ${templateId} has no published versions; supply templateVersion explicitly or publish a version first.`, {
+        code: "VALIDATION_ERROR",
+        details: { templateId }
+      });
+    }
+    return latest;
+  }
   async get(id) {
     const response = await this.workflowsApi.v4WorkflowsWorkflowIdGet({
       workflowId: id
@@ -50848,7 +50911,7 @@ function registerTools(server, ctx) {
     urls: exports_external.preprocess(coerceArray(true), exports_external.array(exports_external.string()).min(1)).optional().describe("Starting URLs for the workflow (array of strings). Also accepts a single URL string.")
   };
   const extractionInputShape = {
-    prompt: exports_external.string().describe('Natural language description of what to extract (e.g., "Extract product prices and names")'),
+    prompt: exports_external.string().optional().describe('Natural language description of what to extract (e.g., "Extract product prices and names"). Required unless templateId is provided.'),
     name: exports_external.string().optional().describe("Optional name for the workflow"),
     entity: exports_external.string().optional().describe("Entity name for extraction (e.g., 'Product', 'Job Posting')"),
     schema: exports_external.preprocess(coerceArray(), exports_external.array(exports_external.object(SchemaFieldShape))).optional().describe("Extraction schema fields. If omitted, the AI agent auto-detects the schema.")
@@ -50953,10 +51016,12 @@ function registerTools(server, ctx) {
 ` + "Create a data extraction workflow using agentic navigation. Supports one-time or scheduled runs. " + "If entity and schema are provided, they guide the extraction; otherwise the AI agent auto-detects the schema from the page. " + "The workflow runs asynchronously and may take several minutes. Do NOT poll or sleep-wait for completion. " + `Return the workflow ID to the user and let them check back later with get_workflow or fetch_data.
-` + "NOTE: This tool is for one-time or scheduled extraction ONLY. " + "For continuous real-time monitoring (watching a page for changes and alerting), use the create_realtime_monitor tool instead.",
+` + "PREFER TEMPLATES: If the user's request matches an existing template, instantiate it via `templateId` instead of writing a fresh prompt/schema. " + "Use `list_templates` to discover available templates and `get_template` to inspect schemas before deciding. " + "When `templateId` is set, only `urls` is required — `prompt`, `entity`, and `schema` must NOT be supplied; they are inherited from the template version.\n\n" + "NOTE: This tool is for one-time or scheduled extraction ONLY. " + "For continuous real-time monitoring (watching a page for changes and alerting), use the create_realtime_monitor tool instead.",
     inputSchema: strictSchema({
       ...extractionInputShape,
       ...urlInputShape,
+      templateId: exports_external.string().optional().describe("Instantiate this workflow from a published template. When set, only 'urls' is required — prompt/entity/schema must NOT be supplied; they are inherited from the template version. Discover templates via list_templates."),
+      templateVersion: exports_external.preprocess(coerceNumber(), exports_external.number()).optional().describe("Specific published template version (integer) to instantiate. Defaults to the latest published version when templateId is set."),
       description: exports_external.string().max(500).optional().describe("Description of what this workflow does (max 500 characters)"),
       tags: exports_external.preprocess(coerceArray(true), exports_external.array(exports_external.string())).optional().describe("Tags for organizing workflows"),
       limit: exports_external.preprocess(coerceNumber(), exports_external.number()).optional().describe("Maximum number of records to extract per run. Useful for limiting scope or cost control."),
@@ -50991,32 +51056,62 @@ function registerTools(server, ctx) {
     if (args.updateInterval === "CUSTOM" && (!args.schedules || args.schedules.length === 0)) {
       return errorResult("updateInterval='CUSTOM' requires at least one cron expression in the 'schedules' field (e.g. '0 8 * * 2' for Tuesdays at 8am UTC).");
     }
-    let builder = ctx.client.extract({
-      urls,
-      name: args.name || "Untitled Workflow",
-      userPrompt: args.prompt,
-      extraction: buildExtraction(args),
-      interval: args.updateInterval,
-      description: args.description,
-      schedules: args.schedules
-    });
     const n = args.notifications;
-    const hasNotifications = n && (n.email || n.webhook || n.slack || n.websocket);
-    if (hasNotifications) {
-      builder = builder.withNotifications({
-        events: ["workflow_data_change"],
-        channels: buildNotificationChannels(n)
+    const hasNotifications = !!(n && (n.email || n.webhook || n.slack || n.websocket));
+    let workflowId;
+    if (args.templateId) {
+      if (args.prompt || args.entity || args.schema) {
+        return errorResult("When 'templateId' is set, 'prompt', 'entity', and 'schema' must NOT be supplied — they are inherited from the template version.");
+      }
+      const { id } = await ctx.client.workflow.create({
+        urls,
+        name: args.name || "Untitled Workflow",
+        description: args.description,
+        interval: args.updateInterval,
+        schedules: args.schedules,
+        tags: args.tags && args.tags.length > 0 ? args.tags : undefined,
+        limit: args.limit,
+        templateId: args.templateId,
+        templateVersion: args.templateVersion
       });
-    }
-    const workflow = await builder.create();
-    const needsUpdate = args.limit !== undefined || args.tags && args.tags.length > 0;
-    if (needsUpdate) {
-      const updates = {};
-      if (args.limit !== undefined)
-        updates.limit = args.limit;
-      if (args.tags && args.tags.length > 0)
-        updates.tags = args.tags;
-      await ctx.client.workflow.update(workflow.workflowId, updates);
+      workflowId = id;
+      if (hasNotifications) {
+        await ctx.client.notification.configure({
+          workflowId,
+          events: ["workflow_data_change"],
+          channels: buildNotificationChannels(n)
+        });
+      }
+    } else {
+      if (!args.prompt) {
+        return errorResult("'prompt' is required unless 'templateId' is provided.");
+      }
+      let builder = ctx.client.extract({
+        urls,
+        name: args.name || "Untitled Workflow",
+        userPrompt: args.prompt,
+        extraction: buildExtraction(args),
+        interval: args.updateInterval,
+        description: args.description,
+        schedules: args.schedules
+      });
+      if (hasNotifications) {
+        builder = builder.withNotifications({
+          events: ["workflow_data_change"],
+          channels: buildNotificationChannels(n)
+        });
+      }
+      const workflow = await builder.create();
+      workflowId = workflow.workflowId;
+      const needsUpdate = args.limit !== undefined || args.tags && args.tags.length > 0;
+      if (needsUpdate) {
+        const updates = {};
+        if (args.limit !== undefined)
+          updates.limit = args.limit;
+        if (args.tags && args.tags.length > 0)
+          updates.tags = args.tags;
+        await ctx.client.workflow.update(workflowId, updates);
+      }
     }
     const enabledChannels = await describeNotifications(n);
     let message = "Workflow created successfully. The AI agent will start extracting data automatically.";
@@ -51026,8 +51121,8 @@ function registerTools(server, ctx) {
     message += " Use fetch_data to retrieve the latest extracted results.";
     return jsonResult({
       success: true,
-      workflowId: workflow.workflowId,
-      dashboardUrl: workflowDashboardUrl(workflow.workflowId),
+      workflowId,
+      dashboardUrl: workflowDashboardUrl(workflowId),
       message
     });
   }));
@@ -51987,7 +52082,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "@kadoa/mcp",
-    version: "0.5.4",
+    version: "0.5.7",
     description: "Kadoa MCP Server — manage workflows from Claude Desktop, Cursor, and other MCP clients",
     type: "module",
     main: "dist/index.js",
@@ -52011,7 +52106,7 @@ var init_package = __esm(() => {
       prepublishOnly: "bun run check-types && bun run test:unit && bun run build"
     },
     dependencies: {
-      "@kadoa/node-sdk": "^0.32.0",
+      "@kadoa/node-sdk": "^0.33.0",
       "@modelcontextprotocol/sdk": "^1.26.0",
       express: "^5.2.1",
       ioredis: "^5.6.1",
@@ -56029,10 +56124,6 @@ function generatePKCE() {
   const challenge = createHash2("sha256").update(verifier).digest("base64url");
   return { verifier, challenge };
 }
-function kadoaAuthUrl() {
-  const raw = process.env.KADOA_AUTH_URL || "https://auth.kadoa.com";
-  return raw.replace(/\/+$/, "");
-}
 function jwtClaims(jwt2) {
   try {
     const payload = JSON.parse(Buffer.from(jwt2.split(".")[1], "base64url").toString());
@@ -56045,6 +56136,76 @@ function jwtClaims(jwt2) {
     return {};
   }
 }
+async function exchangeSupabaseCode(code, codeVerifier) {
+  const supabaseUrl = process.env.SUPABASE_URL;
+  if (!supabaseUrl)
+    throw new Error("SUPABASE_URL is not configured");
+  const res = await fetch(`${supabaseUrl}/auth/v1/token?grant_type=pkce`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      apikey: process.env.SUPABASE_ANON_KEY
+    },
+    body: JSON.stringify({ auth_code: code, code_verifier: codeVerifier })
+  });
+  if (!res.ok) {
+    const body = await res.text();
+    throw new Error(`Supabase token exchange failed (${res.status}): ${body}`);
+  }
+  const data = await res.json();
+  return { accessToken: data.access_token, refreshToken: data.refresh_token };
+}
+async function fetchUserTeams(supabaseJwt) {
+  const kadoaApiUrl = process.env.KADOA_PUBLIC_API_URI || "https://api.kadoa.com";
+  const userRes = await fetch(`${kadoaApiUrl}/v4/user`, {
+    headers: { Authorization: `Bearer ${supabaseJwt}` }
+  });
+  if (!userRes.ok) {
+    const body = await userRes.text();
+    throw new Error(`Kadoa /v4/user failed (${userRes.status}): ${body}`);
+  }
+  const userData = await userRes.json();
+  if (!userData.teams?.length) {
+    throw new Error("User has no teams");
+  }
+  return userData.teams.map((t) => ({
+    id: t.id,
+    name: t.name,
+    memberRole: t.memberRole
+  }));
+}
+async function setActiveTeamAndRefresh(jwt2, refreshToken, teamId) {
+  const kadoaApiUrl = process.env.KADOA_PUBLIC_API_URI || "https://api.kadoa.com";
+  const supabaseUrl = process.env.SUPABASE_URL;
+  if (!supabaseUrl)
+    throw new Error("SUPABASE_URL is not configured");
+  const setRes = await fetch(`${kadoaApiUrl}/v5/auth/active-team`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${jwt2}`
+    },
+    body: JSON.stringify({ teamId })
+  });
+  if (!setRes.ok) {
+    const body = await setRes.text();
+    throw new Error(`POST /v5/auth/active-team failed (${setRes.status}): ${body}`);
+  }
+  const refreshRes = await fetch(`${supabaseUrl}/auth/v1/token?grant_type=refresh_token`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      apikey: process.env.SUPABASE_ANON_KEY
+    },
+    body: JSON.stringify({ refresh_token: refreshToken })
+  });
+  if (!refreshRes.ok) {
+    const body = await refreshRes.text();
+    throw new Error(`Supabase token refresh failed (${refreshRes.status}): ${body}`);
+  }
+  const data = await refreshRes.json();
+  return { jwt: data.access_token, refreshToken: data.refresh_token };
+}
 class KadoaOAuthProvider {
   store;
@@ -56070,23 +56231,151 @@ class KadoaOAuthProvider {
     };
   }
   async authorize(client, params, res) {
+    const supabaseUrl = process.env.SUPABASE_URL;
     const serverUrl = process.env.MCP_SERVER_URL;
-    if (!serverUrl)
-      throw new Error("MCP_SERVER_URL must be configured");
+    if (!supabaseUrl || !serverUrl) {
+      throw new Error("SUPABASE_URL and MCP_SERVER_URL must be configured");
+    }
     const state = randomToken();
     const { verifier, challenge } = generatePKCE();
     await this.store.set("pending_auths", state, {
       client,
       params,
-      mcpVerifier: verifier
+      supabaseCodeVerifier: verifier
     }, 600);
-    const authUrl = new URL(`${kadoaAuthUrl()}/login`);
-    authUrl.searchParams.set("callback_url", `${serverUrl}/auth/callback`);
-    authUrl.searchParams.set("state", state);
-    authUrl.searchParams.set("code_challenge", challenge);
+    res.type("html").send(renderLoginPage(state));
+  }
+  async handleGoogleLogin(req, res) {
+    const { state } = req.body;
+    const pending = await this.store.get("pending_auths", state);
+    if (!pending) {
+      res.status(400).send("Unknown or expired state parameter");
+      return;
+    }
+    const supabaseUrl = process.env.SUPABASE_URL;
+    const serverUrl = process.env.MCP_SERVER_URL;
+    if (!supabaseUrl || !serverUrl) {
+      res.status(500).send("Server misconfigured");
+      return;
+    }
+    const redirectTo = `${serverUrl}/auth/callback?mcp_state=${state}`;
+    const authUrl = new URL(`${supabaseUrl}/auth/v1/authorize`);
+    authUrl.searchParams.set("provider", "google");
+    authUrl.searchParams.set("redirect_to", redirectTo);
+    authUrl.searchParams.set("code_challenge", pending.supabaseCodeVerifier ? createHash2("sha256").update(pending.supabaseCodeVerifier).digest("base64url") : "");
     authUrl.searchParams.set("code_challenge_method", "S256");
     res.redirect(authUrl.toString());
   }
+  async handleEmailPasswordLogin(req, res) {
+    const { state, email: email3, password } = req.body;
+    if (!state || !email3 || !password) {
+      res.status(400).send("Missing required fields");
+      return;
+    }
+    const pending = await this.store.get("pending_auths", state);
+    if (!pending) {
+      res.status(400).type("html").send(renderLoginPage(state, "Session expired — please try again"));
+      return;
+    }
+    const supabaseUrl = process.env.SUPABASE_URL;
+    if (!supabaseUrl) {
+      res.status(500).send("Server misconfigured");
+      return;
+    }
+    try {
+      const tokenRes = await fetch(`${supabaseUrl}/auth/v1/token?grant_type=password`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          apikey: process.env.SUPABASE_ANON_KEY
+        },
+        body: JSON.stringify({ email: email3, password })
+      });
+      if (!tokenRes.ok) {
+        const body = await tokenRes.json().catch(() => ({ error_description: "Authentication failed" }));
+        const message = body.error_description || body.msg || "Invalid email or password";
+        res.type("html").send(renderLoginPage(state, message));
+        return;
+      }
+      const data = await tokenRes.json();
+      await this.store.del("pending_auths", state);
+      await this.completeAuthWithTokens(pending, res, data.access_token, data.refresh_token);
+    } catch (error48) {
+      console.error("Email/password login error:", error48);
+      res.type("html").send(renderLoginPage(state, "An unexpected error occurred"));
+    }
+  }
+  async handleSSOLogin(req, res) {
+    const { state, email: email3 } = req.body;
+    if (!state || !email3) {
+      res.status(400).send("Missing required fields");
+      return;
+    }
+    const pending = await this.store.get("pending_auths", state);
+    if (!pending) {
+      res.status(400).type("html").send(renderLoginPage(state, "Session expired — please try again"));
+      return;
+    }
+    const supabaseUrl = process.env.SUPABASE_URL;
+    const serverUrl = process.env.MCP_SERVER_URL;
+    if (!supabaseUrl || !serverUrl) {
+      res.status(500).send("Server misconfigured");
+      return;
+    }
+    const domain2 = email3.includes("@") ? email3.split("@").pop() : email3;
+    try {
+      const ssoRes = await fetch(`${supabaseUrl}/auth/v1/sso`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          apikey: process.env.SUPABASE_ANON_KEY
+        },
+        body: JSON.stringify({
+          domain: domain2,
+          redirect_to: `${serverUrl}/auth/callback?mcp_state=${state}`,
+          skip_http_redirect: true,
+          code_challenge: createHash2("sha256").update(pending.supabaseCodeVerifier).digest("base64url"),
+          code_challenge_method: "s256"
+        })
+      });
+      if (!ssoRes.ok) {
+        const body = await ssoRes.json().catch(() => ({}));
+        const message = body.error_description || body.msg || body.message || "No SSO provider configured for this domain";
+        res.type("html").send(renderLoginPage(state, message));
+        return;
+      }
+      const data = await ssoRes.json();
+      if (!data.url) {
+        res.type("html").send(renderLoginPage(state, "No SSO provider configured for this domain"));
+        return;
+      }
+      res.redirect(data.url);
+    } catch (error48) {
+      console.error("SSO login error:", error48);
+      res.type("html").send(renderLoginPage(state, "An unexpected error occurred"));
+    }
+  }
+  async completeAuthWithTokens(pending, res, supabaseJwt, supabaseRefreshToken) {
+    const teams = await fetchUserTeams(supabaseJwt);
+    if (teams.length === 1) {
+      const refreshed = await setActiveTeamAndRefresh(supabaseJwt, supabaseRefreshToken, teams[0].id);
+      await this.completeAuthFlow(pending, res, {
+        jwt: refreshed.jwt,
+        refreshToken: refreshed.refreshToken,
+        teamId: teams[0].id
+      });
+      return;
+    }
+    const selectionToken = randomToken();
+    await this.store.set("pending_team_selections", selectionToken, {
+      supabaseJwt,
+      supabaseRefreshToken,
+      teams,
+      pending,
+      expiresAt: Date.now() + TEAM_SELECTION_TTL
+    }, 600);
+    res.type("html").send(renderTeamSelectionPage(teams, selectionToken));
+  }
   async challengeForAuthorizationCode(_client, authorizationCode) {
     const entry = await this.store.get("auth_codes", authorizationCode);
     if (!entry)
@@ -56211,9 +56500,9 @@ class KadoaOAuthProvider {
     };
   }
   async handleAuthCallback(req, res) {
-    const { code, state } = req.query;
+    const { code, mcp_state: state } = req.query;
     if (!code || !state) {
-      res.status(400).send("Missing code or state parameter");
+      res.status(400).send("Missing code or mcp_state parameter");
       return;
     }
     const pending = await this.store.get("pending_auths", state);
@@ -56223,28 +56512,10 @@ class KadoaOAuthProvider {
     }
     await this.store.del("pending_auths", state);
     try {
-      const tokenRes = await fetch(`${kadoaAuthUrl()}/api/token`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ code, code_verifier: pending.mcpVerifier })
-      });
-      if (!tokenRes.ok) {
-        const body = await tokenRes.text().catch(() => "");
-        throw new Error(`auth.kadoa.com /api/token failed (${tokenRes.status}): ${body}`);
-      }
-      const data = await tokenRes.json();
-      if (typeof data?.access_token !== "string" || typeof data?.refresh_token !== "string" || typeof data?.team_id !== "string") {
-        throw new Error("auth.kadoa.com /api/token returned malformed response");
-      }
-      const claims = jwtClaims(data.access_token);
-      console.error(`[AUTH] CALLBACK_OK: tokens received (email=${claims.email}, team=${data.team_id})`);
-      await this.completeAuthFlow(pending, res, {
-        jwt: data.access_token,
-        refreshToken: data.refresh_token,
-        teamId: data.team_id
-      });
+      const supabaseTokens = await exchangeSupabaseCode(code, pending.supabaseCodeVerifier);
+      await this.completeAuthWithTokens(pending, res, supabaseTokens.accessToken, supabaseTokens.refreshToken);
     } catch (error48) {
-      console.error("[AUTH] CALLBACK_FAIL:", error48);
+      console.error("Auth callback error:", error48);
       const redirectUrl = new URL(pending.params.redirectUri);
       redirectUrl.searchParams.set("error", "server_error");
       redirectUrl.searchParams.set("error_description", error48 instanceof Error ? error48.message : "Authentication failed");
@@ -56254,6 +56525,45 @@ class KadoaOAuthProvider {
       res.redirect(redirectUrl.toString());
     }
   }
+  async handleTeamSelection(req, res) {
+    const { token, teamId } = req.body;
+    if (!token || !teamId) {
+      res.status(400).send("Missing token or teamId");
+      return;
+    }
+    const entry = await this.store.get("pending_team_selections", token);
+    if (!entry) {
+      res.status(400).send("Unknown or expired team selection token");
+      return;
+    }
+    if (entry.expiresAt < Date.now()) {
+      await this.store.del("pending_team_selections", token);
+      res.status(400).send("Team selection expired — please log in again");
+      return;
+    }
+    if (!entry.teams.some((t) => t.id === teamId)) {
+      res.status(403).send("Invalid team selection");
+      return;
+    }
+    await this.store.del("pending_team_selections", token);
+    try {
+      const refreshed = await setActiveTeamAndRefresh(entry.supabaseJwt, entry.supabaseRefreshToken, teamId);
+      await this.completeAuthFlow(entry.pending, res, {
+        jwt: refreshed.jwt,
+        refreshToken: refreshed.refreshToken,
+        teamId
+      });
+    } catch (error48) {
+      console.error("Team selection error:", error48);
+      const redirectUrl = new URL(entry.pending.params.redirectUri);
+      redirectUrl.searchParams.set("error", "server_error");
+      redirectUrl.searchParams.set("error_description", error48 instanceof Error ? error48.message : "Failed to set active team");
+      if (entry.pending.params.state) {
+        redirectUrl.searchParams.set("state", entry.pending.params.state);
+      }
+      res.redirect(redirectUrl.toString());
+    }
+  }
   async completeAuthFlow(pending, res, credentials) {
     const mcpCode = randomToken();
     await this.store.set("auth_codes", mcpCode, {
@@ -56273,9 +56583,429 @@ class KadoaOAuthProvider {
     res.redirect(redirectUrl.toString());
   }
 }
-var ACCESS_TOKEN_TTL;
+function renderTeamSelectionPage(teams, selectionToken) {
+  const teamButtons = teams.map((t) => `
+      <button type="submit" name="teamId" value="${t.id}" class="team-btn">
+        <span class="team-name">${escapeHtml(t.name)}</span>
+        ${t.memberRole ? `<span class="team-role">${escapeHtml(t.memberRole.toLowerCase())}</span>` : ""}
+      </button>`).join(`
+`);
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Select Team - Kadoa</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+      background: oklch(1 0 0);
+      color: oklch(0.17 0.02 228);
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+    }
+    .container {
+      width: 100%;
+      max-width: 420px;
+      padding: 2rem;
+    }
+    .logo {
+      text-align: center;
+      margin-bottom: 2rem;
+    }
+    h1 {
+      font-size: 1.25rem;
+      font-weight: 600;
+      text-align: center;
+      margin-bottom: 0.5rem;
+      color: oklch(0.17 0.02 228);
+    }
+    .subtitle {
+      text-align: center;
+      color: oklch(0.56 0.02 228);
+      font-size: 0.875rem;
+      margin-bottom: 1.5rem;
+    }
+    .team-btn {
+      width: 100%;
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      padding: 0.875rem 1rem;
+      margin-bottom: 0.5rem;
+      background: oklch(1 0 0);
+      border: 1px solid oklch(0.5 0.02 228 / 0.4);
+      border-radius: 0.3rem;
+      color: oklch(0.17 0.02 228);
+      font-size: 15px;
+      cursor: pointer;
+      transition: background 0.15s, border-color 0.15s, box-shadow 0.15s;
+      box-shadow: 0px 1px 1px 0px oklch(0.68 0.01 60.13 / 0.11);
+    }
+    .team-btn:hover {
+      background: oklch(0.96 0 286);
+      border-color: oklch(0.7 0.18 42);
+    }
+    .team-btn:active {
+      background: oklch(0.72 0.23 54 / 0.13);
+    }
+    .team-name { font-weight: 500; }
+    .team-role {
+      font-size: 13px;
+      color: oklch(0.56 0.02 228 / 0.67);
+      text-transform: capitalize;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="logo">
+      <svg width="108" height="32" viewBox="0 0 108 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+        <g clip-path="url(#clip0)">
+          <path d="M4.5 27V20.0059C4.49955 18.6288 3.38499 17.5105 2.00781 17.5059L-0.00585938 17.5V14.5L2.00781 14.4941C3.38499 14.4895 4.49955 13.3712 4.5 11.9941V5C4.5 2.51472 6.51472 0.5 9 0.5H12V3.5H9C8.17157 3.5 7.5 4.17157 7.5 5V11.9941C7.49977 13.5757 6.82719 14.9966 5.75781 16C6.82719 17.0034 7.49977 18.4243 7.5 20.0059V27C7.5 27.8284 8.17157 28.5 9 28.5H12V31.5H9C6.51472 31.5 4.5 29.4853 4.5 27Z" fill="#FD7412"/>
+          <path d="M103.5 27V20.0059C103.5 18.6288 104.615 17.5105 105.992 17.5059L108.006 17.5V14.5L105.992 14.4941C104.615 14.4895 103.5 13.3712 103.5 11.9941V5C103.5 2.51472 101.485 0.5 99 0.5H96V3.5H99C99.8284 3.5 100.5 4.17157 100.5 5V11.9941C100.5 13.5757 101.173 14.9966 102.242 16C101.173 17.0034 100.5 18.4243 100.5 20.0059V27C100.5 27.8284 99.8284 28.5 99 28.5H96V31.5H99C101.485 31.5 103.5 29.4853 103.5 27Z" fill="#FD7412"/>
+          <path d="M85.2346 26.308C84.0026 26.308 82.92 26.0093 81.9866 25.412C81.0533 24.8147 80.3253 23.9653 79.8026 22.864C79.28 21.7627 79.0186 20.4373 79.0186 18.888C79.0186 17.3573 79.28 16.0413 79.8026 14.94C80.3253 13.8387 81.0533 12.9987 81.9866 12.42C82.92 11.8227 84.0026 11.524 85.2346 11.524C86.3733 11.524 87.3906 11.804 88.2866 12.364C89.2013 12.9053 89.7986 13.6427 90.0786 14.576H89.7706L90.1066 11.804H94.1666C94.1106 12.42 94.0546 13.0453 93.9986 13.68C93.9613 14.296 93.9426 14.9027 93.9426 15.5V26H89.7426L89.7146 23.34H90.0506C89.752 24.236 89.1546 24.9547 88.2586 25.496C87.3626 26.0373 86.3546 26.308 85.2346 26.308ZM86.5226 23.116C87.4933 23.116 88.2773 22.7707 88.8746 22.08C89.472 21.3893 89.7706 20.3253 89.7706 18.888C89.7706 17.4507 89.472 16.396 88.8746 15.724C88.2773 15.052 87.4933 14.716 86.5226 14.716C85.552 14.716 84.768 15.052 84.1706 15.724C83.5733 16.396 83.2746 17.4507 83.2746 18.888C83.2746 20.3253 83.564 21.3893 84.1426 22.08C84.74 22.7707 85.5333 23.116 86.5226 23.116Z" fill="#18181B"/>
+          <path d="M70.1002 26.308C68.5882 26.308 67.2722 26.0093 66.1522 25.412C65.0509 24.796 64.1922 23.9373 63.5762 22.836C62.9789 21.7347 62.6802 20.4187 62.6802 18.888C62.6802 17.376 62.9789 16.0693 63.5762 14.968C64.1922 13.8667 65.0509 13.0173 66.1522 12.42C67.2722 11.8227 68.5882 11.524 70.1002 11.524C71.6122 11.524 72.9282 11.8227 74.0482 12.42C75.1682 13.0173 76.0269 13.8667 76.6242 14.968C77.2402 16.0693 77.5482 17.376 77.5482 18.888C77.5482 20.4187 77.2402 21.7347 76.6242 22.836C76.0269 23.9373 75.1682 24.796 74.0482 25.412C72.9282 26.0093 71.6122 26.308 70.1002 26.308ZM70.1002 23.116C71.0709 23.116 71.8362 22.7707 72.3962 22.08C72.9749 21.3893 73.2642 20.3253 73.2642 18.888C73.2642 17.4507 72.9749 16.396 72.3962 15.724C71.8362 15.052 71.0709 14.716 70.1002 14.716C69.1295 14.716 68.3549 15.052 67.7762 15.724C67.2162 16.396 66.9362 17.4507 66.9362 18.888C66.9362 20.3253 67.2162 21.3893 67.7762 22.08C68.3549 22.7707 69.1295 23.116 70.1002 23.116Z" fill="#18181B"/>
+          <path d="M51.8208 26.308C50.5888 26.308 49.4968 26.0093 48.5448 25.412C47.6115 24.8147 46.8741 23.9653 46.3328 22.864C45.8101 21.7627 45.5488 20.4373 45.5488 18.888C45.5488 17.3573 45.8101 16.0413 46.3328 14.94C46.8555 13.8387 47.5928 12.9987 48.5448 12.42C49.4968 11.8227 50.5888 11.524 51.8208 11.524C52.9408 11.524 53.9395 11.7947 54.8168 12.336C55.7128 12.8587 56.3101 13.568 56.6088 14.464H56.2448V5.392H60.4728V26H56.3008V23.228H56.6648C56.3661 24.1613 55.7688 24.908 54.8728 25.468C53.9768 26.028 52.9595 26.308 51.8208 26.308ZM53.0808 23.116C54.0515 23.116 54.8355 22.7707 55.4328 22.08C56.0301 21.3893 56.3288 20.3253 56.3288 18.888C56.3288 17.4507 56.0301 16.396 55.4328 15.724C54.8355 15.052 54.0515 14.716 53.0808 14.716C52.1101 14.716 51.3168 15.052 50.7008 15.724C50.1035 16.396 49.8048 17.4507 49.8048 18.888C49.8048 20.3253 50.1035 21.3893 50.7008 22.08C51.3168 22.7707 52.1101 23.116 53.0808 23.116Z" fill="#18181B"/>
+          <path d="M34.6334 26.308C33.4014 26.308 32.3187 26.0093 31.3854 25.412C30.4521 24.8147 29.7241 23.9653 29.2014 22.864C28.6787 21.7627 28.4174 20.4373 28.4174 18.888C28.4174 17.3573 28.6787 16.0413 29.2014 14.94C29.7241 13.8387 30.4521 12.9987 31.3854 12.42C32.3187 11.8227 33.4014 11.524 34.6334 11.524C35.7721 11.524 36.7894 11.804 37.6854 12.364C38.6001 12.9053 39.1974 13.6427 39.4774 14.576H39.1694L39.5054 11.804H43.5654C43.5094 12.42 43.4534 13.0453 43.3974 13.68C43.3601 14.296 43.3414 14.9027 43.3414 15.5V26H39.1414L39.1134 23.34H39.4494C39.1507 24.236 38.5534 24.9547 37.6574 25.496C36.7614 26.0373 35.7534 26.308 34.6334 26.308ZM35.9214 23.116C36.8921 23.116 37.6761 22.7707 38.2734 22.08C38.8707 21.3893 39.1694 20.3253 39.1694 18.888C39.1694 17.4507 38.8707 16.396 38.2734 15.724C37.6761 15.052 36.8921 14.716 35.9214 14.716C34.9507 14.716 34.1667 15.052 33.5694 15.724C32.9721 16.396 32.6734 17.4507 32.6734 18.888C32.6734 20.3253 32.9627 21.3893 33.5414 22.08C34.1387 22.7707 34.9321 23.116 35.9214 23.116Z" fill="#18181B"/>
+          <path d="M13.736 26V5.392H17.964V17.712H18.02L23.284 11.804H28.324L21.52 19.364V17.824L28.688 26H23.508L18.02 19.84H17.964V26H13.736Z" fill="#18181B"/>
+        </g>
+        <defs><clipPath id="clip0"><rect width="108" height="32" fill="white"/></clipPath></defs>
+      </svg>
+    </div>
+    <h1>Select a team</h1>
+    <p class="subtitle">Choose which team to connect with this MCP session</p>
+    <form method="POST" action="/team-select">
+      <input type="hidden" name="token" value="${selectionToken}" />
+      ${teamButtons}
+    </form>
+  </div>
+</body>
+</html>`;
+}
+function renderLoginPage(state, error48) {
+  const errorHtml = error48 ? `<div class="error">${escapeHtml(error48)}</div>` : "";
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Sign In - Kadoa</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+      background: hsl(0 0% 98%);
+      color: #18181b;
+      min-height: 100dvh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      background-image: radial-gradient(circle, #d4d4d8 1px, transparent 1px);
+      background-size: 24px 24px;
+      background-position: center top;
+    }
+    .card {
+      width: 100%;
+      max-width: 460px;
+      background: #fff;
+      padding: 1rem;
+      display: flex;
+      flex-direction: column;
+      gap: 1rem;
+      min-height: 100dvh;
+    }
+    @media (min-width: 768px) {
+      .card { padding: 3rem; min-height: auto; border-left: 1px solid #e0e1e5; border-right: 1px solid #e0e1e5; }
+    }
+    .logo { display: grid; place-content: center; }
+    h1 {
+      font-size: 20px;
+      font-weight: 600;
+      text-align: center;
+      color: #18181b;
+    }
+    .spacer { height: 0; }
+    @media (min-width: 768px) { .spacer { height: 3rem; } }
+    .error {
+      background: #fef2f2;
+      color: #991b1b;
+      border: 1px solid #fecaca;
+      border-radius: 4px;
+      padding: 0.6rem 0.875rem;
+      font-size: 15px;
+    }
+    /* Buttons — matching KUI default + primary looks */
+    .btn {
+      width: 100%;
+      padding: 0.6em 1em;
+      border-radius: 4px;
+      font-size: 16px;
+      font-weight: 500;
+      cursor: pointer;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      gap: 0.5rem;
+      transition: background 0.15s, border-color 0.15s;
+      text-decoration: none;
+    }
+    .btn-default {
+      background: #fff;
+      color: #18181b;
+      border: 1px solid #d4d4d8;
+      box-shadow: inset 0 -3px 0 0 rgba(0,0,0,0.03), 0 1px 0px 1px rgba(255,255,255,0.5), 0 -1px 0px 1px rgba(0,0,0,0.02);
+    }
+    .btn-default:hover {
+      background: rgba(113,113,122,0.1);
+    }
+    .btn-primary {
+      background: hsl(212 70% 27%);
+      color: #fff;
+      border: 1px solid hsl(214 70% 23%);
+      box-shadow: inset 0 2px 0 0 rgba(56,189,248,0.2), 0 -1px 0px 1px rgba(0,0,0,0.02);
+    }
+    .btn-primary:hover {
+      background: hsl(212 70% 33%);
+    }
+    /* OR divider */
+    .line-or {
+      display: flex;
+      align-items: center;
+      gap: 0.5rem;
+      font-weight: 500;
+      color: rgba(24,24,27,0.6);
+      font-size: 14px;
+      margin: 0.5rem 0;
+    }
+    .line-or hr {
+      flex: 1;
+      border: none;
+      border-top: 1px solid rgba(113,113,122,0.15);
+    }
+    /* Form inputs — matching KUI input style */
+    label {
+      display: block;
+      font-size: 16px;
+      font-weight: 500;
+      margin-bottom: 0.25rem;
+      color: #18181b;
+    }
+    input[type="email"], input[type="password"] {
+      width: 100%;
+      padding: 0.35em 0.5em;
+      border: 1px solid #d4d4d8;
+      border-radius: 4px;
+      font-size: 18px;
+      font-family: inherit;
+      color: #18181b;
+      background: #fff;
+      outline: none;
+      box-shadow: inset 0 3px 0 0 rgba(0,0,0,0.025);
+      transition: border-color 0.15s;
+      caret-color: hsl(25 98% 53%);
+    }
+    input[type="email"]:hover, input[type="password"]:hover {
+      border-color: hsl(31 99% 72%);
+    }
+    input[type="email"]:focus, input[type="password"]:focus {
+      border-color: hsl(25 98% 53%);
+      box-shadow: inset 0 3px 0 0 rgba(0,0,0,0.025), 0 0 0 2px rgba(249,115,22,0.2);
+    }
+    .field { margin-bottom: 0.75rem; }
+    hr.separator {
+      border: none;
+      border-top: 1px solid rgba(113,113,122,0.15);
+      margin: 0.5rem 0;
+    }
+    .google-icon { width: 18px; height: 18px; }
+    .key-icon { width: 16px; height: 16px; }
+    /* Tabs for email/SSO — keep simple, same visual weight */
+    .tabs {
+      display: none;
+    }
+    .tab-content { display: none; }
+    .tab-content.active { display: block; }
+    .tab-switch {
+      text-align: center;
+      margin-top: 0.25rem;
+    }
+    .tab-switch a {
+      font-size: 15px;
+      color: #18181b;
+      text-decoration: underline;
+      text-decoration-color: rgba(251,146,60,0.5);
+      text-underline-offset: 2px;
+      cursor: pointer;
+    }
+    .tab-switch a:hover {
+      background: rgba(251,146,60,0.1);
+      border-radius: 2px;
+    }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <!-- Logo {k} -->
+    <div class="logo">
+      <svg width="40" height="40" viewBox="0 0 40 40" fill="none" xmlns="http://www.w3.org/2000/svg">
+        <path opacity="0.15" d="M25.3196 6.25H14.6804C14.6804 7.49264 13.6596 8.5 12.4005 8.5C11.3808 8.5 10.8312 8.67478 10.5466 8.82497C10.3001 8.95506 10.147 9.11941 10.0189 9.38005C9.85482 9.7141 9.74438 10.1712 9.68281 10.8152C9.62136 11.458 9.61405 12.2133 9.61405 13.125L9.61416 13.3731C9.61532 14.9118 9.61694 17.0733 8.75235 18.8332C8.55109 19.2428 8.30266 19.6357 8 20C8.30266 20.3643 8.55109 20.7572 8.75235 21.1668C9.61694 22.9267 9.61532 25.0882 9.61416 26.6269L9.61405 26.875C9.61405 27.7867 9.62136 28.542 9.68281 29.1848C9.74438 29.8288 9.85482 30.2859 10.0189 30.6199C10.147 30.8806 10.3001 31.0449 10.5466 31.175C10.8312 31.3252 11.3808 31.5 12.4005 31.5C13.6596 31.5 14.6804 32.5074 14.6804 33.75H25.3196C25.3196 32.5074 26.3404 31.5 27.5995 31.5C28.6192 31.5 29.1688 31.3252 29.4534 31.175C29.6999 31.0449 29.853 30.8806 29.9811 30.6199C30.1452 30.2859 30.2556 29.8288 30.3172 29.1848C30.3786 28.542 30.386 27.7867 30.386 26.875L30.3858 26.6269C30.3847 25.0882 30.3831 22.9267 31.2477 21.1668C31.4489 20.7572 31.6973 20.3643 32 20C31.6973 19.6357 31.4489 19.2428 31.2477 18.8332C30.3831 17.0733 30.3847 14.9118 30.3858 13.3731L30.386 13.125C30.386 12.2133 30.3786 11.458 30.3172 10.8152C30.2556 10.1712 30.1452 9.7141 29.9811 9.38005C29.853 9.11941 29.6999 8.95506 29.4534 8.82497C29.1688 8.67478 28.6192 8.5 27.5995 8.5C26.3404 8.5 25.3196 7.49264 25.3196 6.25Z" fill="#fd7412"/>
+        <path d="M12.5 6.25C2.5 6.25 12.5 20 2.5 20C12.5 20 2.5 33.75 12.5 33.75" stroke="#fd7412" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.8"/>
+        <path d="M16 10V29" stroke="#18181B" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.8"/>
+        <path d="M27.5 6.25C37.5 6.25 27.5 20 37.5 20C27.5 20 37.5 33.75 27.5 33.75" stroke="#fd7412" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.8"/>
+        <path d="M16 23L25 18" stroke="#18181B" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.8"/>
+        <path d="M25 29L16 23" stroke="#18181B" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.8"/>
+      </svg>
+    </div>
+    <!-- Heading -->
+    <h1>Sign in to Kadoa</h1>
+    <div class="spacer"></div>
+    ${errorHtml}
+    <!-- Continue with Google -->
+    <form method="POST" action="/auth/google">
+      <input type="hidden" name="state" value="${escapeHtml(state)}" />
+      <button type="submit" class="btn btn-default">
+        <svg class="google-icon" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
+          <path d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92a5.06 5.06 0 0 1-2.2 3.32v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.1z" fill="#4285F4"/>
+          <path d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z" fill="#34A853"/>
+          <path d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z" fill="#FBBC05"/>
+          <path d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z" fill="#EA4335"/>
+        </svg>
+        Continue with Google
+      </button>
+    </form>
+    <!-- Continue with SSO -->
+    <div id="sso-button-wrapper">
+      <form method="POST" action="/auth/sso" id="sso-direct-form" style="display:none">
+        <input type="hidden" name="state" value="${escapeHtml(state)}" />
+        <input type="hidden" name="email" id="sso-email-hidden" />
+      </form>
+      <button type="button" class="btn btn-default" id="sso-toggle-btn">
+        <svg class="key-icon" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+          <path d="M10 1a5 5 0 0 0-4.546 7.066l-4.161 4.16a.5.5 0 0 0-.146.354V14.5a.5.5 0 0 0 .5.5h2a.5.5 0 0 0 .5-.5V14h1a.5.5 0 0 0 .5-.5v-1h1a.5.5 0 0 0 .354-.146l.94-.94A5 5 0 1 0 10 1zm1.5 4a1.5 1.5 0 1 1 0-3 1.5 1.5 0 0 1 0 3z" fill="currentColor"/>
+        </svg>
+        Continue with SSO
+      </button>
+    </div>
+    <!-- OR divider -->
+    <div class="line-or">
+      <hr />
+      OR
+      <hr />
+    </div>
+    <!-- Email + Password form -->
+    <div class="tab-content active" id="tab-email">
+      <form method="POST" action="/auth/login">
+        <input type="hidden" name="state" value="${escapeHtml(state)}" />
+        <div class="field">
+          <label for="email">Sign in with email:</label>
+          <input type="email" id="email" name="email" required autocomplete="email" />
+        </div>
+        <div class="field">
+          <label for="password">Your password:</label>
+          <input type="password" id="password" name="password" required autocomplete="current-password" />
+        </div>
+        <button type="submit" class="btn btn-primary">Continue</button>
+      </form>
+    </div>
+    <!-- SSO form (shown when "Continue with SSO" is clicked) -->
+    <div class="tab-content" id="tab-sso">
+      <form method="POST" action="/auth/sso">
+        <input type="hidden" name="state" value="${escapeHtml(state)}" />
+        <div class="field">
+          <label for="sso-email">Work email:</label>
+          <input type="email" id="sso-email" name="email" required autocomplete="email" />
+        </div>
+        <button type="submit" class="btn btn-primary">Continue with SSO</button>
+      </form>
+      <div class="tab-switch">
+        <a id="back-to-email">Sign in with email instead</a>
+      </div>
+    </div>
+    <div style="flex:1"></div>
+    <script>
+      var ssoBtn = document.getElementById('sso-toggle-btn');
+      var tabEmail = document.getElementById('tab-email');
+      var tabSso = document.getElementById('tab-sso');
+      var ssoWrapper = document.getElementById('sso-button-wrapper');
+      var lineOr = document.querySelector('.line-or');
+      var backLink = document.getElementById('back-to-email');
+      ssoBtn.addEventListener('click', function() {
+        tabEmail.classList.remove('active');
+        tabSso.classList.add('active');
+        ssoWrapper.style.display = 'none';
+        lineOr.style.display = 'none';
+        document.getElementById('sso-email').focus();
+      });
+      backLink.addEventListener('click', function() {
+        tabSso.classList.remove('active');
+        tabEmail.classList.add('active');
+        ssoWrapper.style.display = '';
+        lineOr.style.display = '';
+      });
+    </script>
+  </div>
+</body>
+</html>`;
+}
+function escapeHtml(str) {
+  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+var TEAM_SELECTION_TTL, ACCESS_TOKEN_TTL;
 var init_auth2 = __esm(() => {
   init_errors4();
+  TEAM_SELECTION_TTL = 10 * 60 * 1000;
   ACCESS_TOKEN_TTL = 7 * 24 * 3600;
 });
@@ -56380,6 +57110,7 @@ var exports_http = {};
 __export(exports_http, {
   startHttpServer: () => startHttpServer
 });
+import express8 from "express";
 function jwtClaims2(jwt2) {
   try {
     return JSON.parse(Buffer.from(jwt2.split(".")[1], "base64url").toString());
@@ -56436,6 +57167,18 @@ async function startHttpServer(options) {
   app.get("/auth/callback", (req, res) => {
     provider.handleAuthCallback(req, res);
   });
+  app.post("/auth/google", express8.urlencoded({ extended: false }), (req, res) => {
+    provider.handleGoogleLogin(req, res);
+  });
+  app.post("/auth/login", express8.urlencoded({ extended: false }), (req, res) => {
+    provider.handleEmailPasswordLogin(req, res);
+  });
+  app.post("/auth/sso", express8.urlencoded({ extended: false }), (req, res) => {
+    provider.handleSSOLogin(req, res);
+  });
+  app.post("/team-select", express8.urlencoded({ extended: false }), (req, res) => {
+    provider.handleTeamSelection(req, res);
+  });
   app.get("/health", (_req, res) => {
     res.json({
       status: "ok",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@kadoa/mcp",
-  "version": "0.5.4",
+  "version": "0.5.7",
   "description": "Kadoa MCP Server — manage workflows from Claude Desktop, Cursor, and other MCP clients",
   "type": "module",
   "main": "dist/index.js",
@@ -24,7 +24,7 @@
     "prepublishOnly": "bun run check-types && bun run test:unit && bun run build"
   },
   "dependencies": {
-    "@kadoa/node-sdk": "^0.32.0",
+    "@kadoa/node-sdk": "^0.33.0",
     "@modelcontextprotocol/sdk": "^1.26.0",
     "express": "^5.2.1",
     "ioredis": "^5.6.1",