@leadbay/mcp 0.20.1 → 0.21.0

package/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog — @leadbay/mcp
 
+## 0.21.0 — 2026-06-16
+
+- **Hosted MCP now triggers OAuth sign-in in Claude Desktop / ChatGPT** (remote custom connectors): the Fly endpoint was not an OAuth-compliant resource server, so a remote client had nothing to discover, never prompted the user to sign in, and then surfaced a host-side "needs auth / token expired" state even though the user never had a token. The server now implements the MCP authorization spec (RFC 9728): it serves OAuth 2.0 Protected Resource Metadata at `/.well-known/oauth-protected-resource[/<resource>]` and answers an unauthenticated (or invalid/expired) `POST /mcp` with `401` + `WWW-Authenticate: Bearer ... resource_metadata="…"`. The client discovers the Leadbay authorization server (the existing regional backend used by `login --oauth`) and runs the browser sign-in. Tool requests auto-probe both regions, so a valid token routes correctly and a stale one re-prompts instead of erroring.
+- **Region-pinned connector URLs**: OAuth discovery runs before sign-in and Leadbay tokens are region-scoped, so the region is encoded in the URL. US accounts use `https://leadbay-mcp-prod.fly.dev/mcp`; FR accounts use `https://leadbay-mcp-prod.fly.dev/fr/mcp`. The path only selects which authorization server the sign-in prompt points at. Permissive CORS + an `OPTIONS` preflight are served on the discovery and MCP endpoints for browser-based remote clients. README's remote-client section updated to document Claude Desktop and the per-region URLs.
+
 ## 0.20.1 — 2026-06-15
 
 - **Triage board stays the first next-step option on a poor-fit batch** (`leadbay_daily_check_in`): when today's batch is an ICP mismatch (every lead AI-scored off-profile), the agent was demoting the interactive triage board below "refine audience" in the NEXT STEPS widget — the plain ordering rule kept losing to the agent's own leverage judgment ("the whole batch is junk, so lead with fixing the lens"). The workflow contract requires the named artifact to be the FIRST option. The ordering rule now holds the triage board at position 1 even on a mismatched batch; the mismatch is surfaced in the prose nudge and offered as a *later* "refine the lens" option, never by displacing the artifact. Verified 5/5/5/5 across 3 consecutive eval runs on an all-off-ICP batch (the exact case that defeated the weaker rule).

package/README.md

@@ -290,21 +290,23 @@ Leadbay connection OK.
   AI credits:    420 / 1000
 ```
 
-### ChatGPT Desktop / remote-MCP clients
+### Claude Desktop / ChatGPT / remote-MCP clients
 
-Leadbay runs a hosted MCP server that any remote-MCP client can connect to without a local install:
+Leadbay runs a hosted MCP server that any remote-MCP client can connect to without a local install. Pick the URL for your account's region:
 
 ```
-https://leadbay-mcp-prod.fly.dev/mcp
+https://leadbay-mcp-prod.fly.dev/mcp       # US accounts
+https://leadbay-mcp-prod.fly.dev/fr/mcp    # FR accounts
 ```
 
-**ChatGPT Desktop**: open Settings → Apps → Add app → paste the URL above.
+- **Claude Desktop**: Settings → Connectors → Add custom connector → paste the URL.
+- **ChatGPT Desktop**: Settings → Apps → Add app → paste the URL.
 
-The server authenticates each request from the `Authorization: Bearer <token>` header your client sends automatically once you sign in via ChatGPT's OAuth prompt. No token to copy-paste, no local Node install needed.
+On first connect the client runs the Leadbay OAuth sign-in (the server advertises OAuth 2.0 Protected Resource Metadata per RFC 9728 and challenges unauthenticated requests with `401 + WWW-Authenticate`). Sign in once in the browser; the client stores the token and sends it as `Authorization: Bearer <token>` on every request. No token to copy-paste, no local Node install needed.
 
-**Updates are automatic** — the hosted server is always running the latest published release. You never need to update a config file or restart anything on your side.
+The region is encoded in the URL because OAuth discovery happens before sign-in and Leadbay tokens are region-scoped — a US account uses `/mcp`, a FR account uses `/fr/mcp`. If the sign-in prompt never appears, you're on an old build of the hosted server (pre-0.21.0); it auto-updates on release.
 
-If your client requires a region header, add `X-Leadbay-Region: us` or `X-Leadbay-Region: fr` to match your Leadbay account's region.
+**Updates are automatic** — the hosted server is always running the latest published release. You never need to update a config file or restart anything on your side.
 
 ## 4. Example prompts that work
 

package/dist/bin.js

@@ -25928,7 +25928,7 @@ var OAUTH_BASE_URLS = {
     fr: "https://staging.api.leadbay.app"
   }
 };
-var VERSION = "0.20.1";
+var VERSION = "0.21.0";
 var HELP = `
 leadbay-mcp ${VERSION} \u2014 Leadbay Model Context Protocol server
 

package/dist/http-server.js

@@ -7,6 +7,9 @@ var __export = (target, all) => {
 
 // src/http-server.ts
 import { randomUUID as randomUUID4 } from "crypto";
+import { realpathSync } from "fs";
+import { basename } from "path";
+import { fileURLToPath } from "url";
 import { Hono } from "hono";
 import { bodyLimit } from "hono/body-limit";
 import { serve } from "@hono/node-server";
@@ -22424,6 +22427,25 @@ async function resolveClientFromToken(token, opts = {}) {
     };
   }
 }
+function regionAuthServer(region) {
+  return region === "fr" ? REGIONS.fr : REGIONS.us;
+}
+function protectedResourceMetadata(opts) {
+  return {
+    resource: opts.resourceUrl,
+    authorization_servers: [regionAuthServer(opts.region)],
+    bearer_methods_supported: ["header"]
+  };
+}
+function buildWwwAuthenticate(opts) {
+  const parts = ['Bearer realm="mcp"'];
+  if (opts.authState === "expired") {
+    parts.push('error="invalid_token"');
+    parts.push('error_description="The access token is invalid or has expired"');
+  }
+  parts.push(`resource_metadata="${opts.resourceMetadataUrl}"`);
+  return parts.join(", ");
+}
 
 // src/env.ts
 function parseWriteEnv(env = process.env) {
@@ -22439,7 +22461,7 @@ function parseWriteEnv(env = process.env) {
 }
 
 // src/http-server.ts
-var VERSION = true ? "0.20.1" : "0.0.0-dev";
+var VERSION = true ? "0.21.0" : "0.0.0-dev";
 var PORT = Number(process.env.PORT ?? 8080);
 var HOST = process.env.HOST ?? "0.0.0.0";
 var sseSessions = /* @__PURE__ */ new Map();
@@ -22461,29 +22483,76 @@ function extractBearer(authHeader) {
   const m = /^Bearer\s+(.+)$/i.exec(authHeader);
   return m ? m[1].trim() : void 0;
 }
-function extractRegion(headerValue) {
-  if (headerValue === "us" || headerValue === "fr") return headerValue;
-  return void 0;
-}
-async function buildServerForRequest(token, region) {
-  const resolved = await resolveClientFromToken(token, { region });
+function buildServerFromClient(client) {
   const includeWrite = parseWriteEnv();
   const includeAdvanced = process.env.LEADBAY_MCP_ADVANCED === "1";
-  return buildServer(resolved.client, {
-    version: VERSION,
-    includeWrite,
-    includeAdvanced
-  });
+  return buildServer(client, { version: VERSION, includeWrite, includeAdvanced });
+}
+var PRM_PREFIX = "/.well-known/oauth-protected-resource";
+var RESOURCE_PATHS = ["/mcp", "/fr/mcp", "/sse", "/fr/sse"];
+function regionForResourcePath(resourcePath) {
+  return /^\/fr(\/|$)/.test(resourcePath) ? "fr" : "us";
+}
+function requestOrigin(c) {
+  const url = new URL(c.req.url);
+  const proto = c.req.header("x-forwarded-proto") ?? url.protocol.replace(/:$/, "");
+  const host = c.req.header("host") ?? url.host;
+  return `${proto}://${host}`;
+}
+function applyCors(c) {
+  c.header("Access-Control-Allow-Origin", "*");
+  c.header("Access-Control-Expose-Headers", "WWW-Authenticate");
+}
+function servePrm(c, resourcePath) {
+  applyCors(c);
+  c.header("Cache-Control", "public, max-age=3600");
+  return c.json(
+    protectedResourceMetadata({
+      resourceUrl: `${requestOrigin(c)}${resourcePath}`,
+      region: regionForResourcePath(resourcePath)
+    })
+  );
+}
+function sendChallenge(c, resourcePath, authState) {
+  const resourceMetadataUrl = `${requestOrigin(c)}${PRM_PREFIX}${resourcePath}`;
+  applyCors(c);
+  c.header("WWW-Authenticate", buildWwwAuthenticate({ resourceMetadataUrl, authState }));
+  return c.json(
+    {
+      error: authState === "expired" ? "invalid_token" : "unauthorized",
+      error_description: authState === "expired" ? "Access token is invalid or expired. Sign in with Leadbay again." : "Authentication required. Sign in with Leadbay."
+    },
+    401
+  );
 }
 var app = new Hono();
 app.get("/healthz", (c) => c.json({ ok: true, version: VERSION }));
+app.get(PRM_PREFIX, (c) => servePrm(c, "/mcp"));
+app.get(`${PRM_PREFIX}/*`, (c) => {
+  const suffix = c.req.path.slice(PRM_PREFIX.length);
+  const resourcePath = RESOURCE_PATHS.includes(suffix) ? suffix : "/mcp";
+  return servePrm(c, resourcePath);
+});
+app.options("*", (c) => {
+  applyCors(c);
+  c.header("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+  c.header(
+    "Access-Control-Allow-Headers",
+    "Authorization, Content-Type, Mcp-Protocol-Version, Mcp-Session-Id"
+  );
+  return c.body(null, 204);
+});
 var MCP_BODY_LIMIT = bodyLimit({ maxSize: 1 * 1024 * 1024 });
 app.use("/mcp", MCP_BODY_LIMIT);
+app.use("/fr/mcp", MCP_BODY_LIMIT);
 app.use("/messages", MCP_BODY_LIMIT);
-app.all("/mcp", async (c) => {
+async function handleStreamable(c, resourcePath) {
   const token = extractBearer(c.req.header("authorization"));
-  const region = extractRegion(c.req.header("x-leadbay-region"));
-  const server = await buildServerForRequest(token, region);
+  const resolved = await resolveClientFromToken(token);
+  if (resolved.authState === "missing" || resolved.authState === "expired") {
+    return sendChallenge(c, resourcePath, resolved.authState);
+  }
+  const server = buildServerFromClient(resolved.client);
   const transport = new StreamableHTTPServerTransport({
     sessionIdGenerator: void 0,
     // Return JSON responses instead of SSE so non-SSE clients (e.g. Codex) work.
@@ -22519,13 +22588,18 @@ app.all("/mcp", async (c) => {
     server.close().catch(() => {
     });
   }
-});
-app.get("/sse", async (c) => {
+}
+app.all("/mcp", (c) => handleStreamable(c, "/mcp"));
+app.all("/fr/mcp", (c) => handleStreamable(c, "/fr/mcp"));
+async function handleSse(c, resourcePath) {
   const token = extractBearer(c.req.header("authorization"));
-  const region = extractRegion(c.req.header("x-leadbay-region"));
+  const resolved = await resolveClientFromToken(token);
+  if (resolved.authState === "missing" || resolved.authState === "expired") {
+    return sendChallenge(c, resourcePath, resolved.authState);
+  }
   const env = c.env;
   const transport = new SSEServerTransport("/messages", env.outgoing);
-  const server = await buildServerForRequest(token, region);
+  const server = buildServerFromClient(resolved.client);
   await server.connect(transport);
   const sessionId = transport.sessionId;
   sseSessions.set(sessionId, { transport, server, createdAt: Date.now() });
@@ -22535,7 +22609,9 @@ app.get("/sse", async (c) => {
     });
   };
   return new Response(null, { headers: { "x-hono-already-sent": "1" } });
-});
+}
+app.get("/sse", (c) => handleSse(c, "/sse"));
+app.get("/fr/sse", (c) => handleSse(c, "/fr/sse"));
 app.post("/messages", async (c) => {
   const sessionId = c.req.query("sessionId");
   if (!sessionId) {
@@ -22550,10 +22626,26 @@ app.post("/messages", async (c) => {
   await session.transport.handlePostMessage(env.incoming, env.outgoing, body);
   return new Response(null, { headers: { "x-hono-already-sent": "1" } });
 });
-var _boot = randomUUID4();
-serve({ fetch: app.fetch, port: PORT, hostname: HOST }, (info) => {
-  process.stderr.write(
-    `leadbay-mcp-http ${VERSION} listening on http://${info.address}:${info.port} (boot=${_boot})
+var isEntrypoint = (() => {
+  try {
+    const entry = process.argv[1];
+    if (!entry) return false;
+    const entryName = basename(entry).toLowerCase();
+    if (entryName !== "http-server.js" && entryName !== "leadbay-mcp-http") return false;
+    return realpathSync(fileURLToPath(import.meta.url)) === realpathSync(entry);
+  } catch {
+    return false;
+  }
+})();
+if (isEntrypoint) {
+  const _boot = randomUUID4();
+  serve({ fetch: app.fetch, port: PORT, hostname: HOST }, (info) => {
+    process.stderr.write(
+      `leadbay-mcp-http ${VERSION} listening on http://${info.address}:${info.port} (boot=${_boot})
 `
-  );
-});
+    );
+  });
+}
+export {
+  app
+};

package/dist/installer-electron.js

@@ -1466,7 +1466,7 @@ var init_installer_gui = __esm({
     init_install_dxt();
     init_install_shared();
     init_oauth();
-    VERSION = "0.20.1";
+    VERSION = "0.21.0";
     PORT = Number(process.env.LEADBAY_INSTALLER_PORT ?? 0);
     sessions = /* @__PURE__ */ new Map();
     OAUTH_BASE_URLS = {

package/dist/installer-gui.js

@@ -873,7 +873,7 @@ async function oauthLogin(opts) {
 }
 
 // installer/installer-gui.ts
-var VERSION = "0.20.1";
+var VERSION = "0.21.0";
 var PORT = Number(process.env.LEADBAY_INSTALLER_PORT ?? 0);
 var sessions = /* @__PURE__ */ new Map();
 var OAUTH_BASE_URLS = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@leadbay/mcp",
-  "version": "0.20.1",
+  "version": "0.21.0",
   "mcpName": "io.github.leadbay/leadbay-mcp",
   "description": "Model Context Protocol (MCP) server for Leadbay — AI lead discovery, qualification, and enrichment for Claude Desktop, Cursor, and Claude Code.",
   "type": "module",