@lifeaitools/clauth 1.5.14 → 1.5.15

package/cli/commands/serve.js

@@ -2880,17 +2880,19 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
 
     // ── OAuth Discovery (RFC 9728 + RFC 8414) ──────────────
     if (reqPath.startsWith("/.well-known/oauth-protected-resource")) {
-      const base = oauthBase();
-      // Derive resource URL from the well-known path suffix
-      // /.well-known/oauth-protected-resource       → /mcp
-      // /.well-known/oauth-protected-resource/mcp   → /mcp
-      // /.well-known/oauth-protected-resource/gws   → /gws
-      // /.well-known/oauth-protected-resource/clauth → /clauth
+      // Only advertise OAuth for /mcp — /gws and /clauth are open (no OAuth).
+      // Advertising OAuth on open paths causes claude.ai to do an OAuth dance,
+      // get a token, then have no retry context (since the original 200 wasn't a 401).
       const suffix = reqPath.replace("/.well-known/oauth-protected-resource", "").replace(/^\//, "") || "mcp";
-      const resourcePath = suffix === "sse" ? "mcp" : suffix;
+      if (suffix !== "mcp" && suffix !== "") {
+        // Path-specific OAuth metadata requested for a non-mcp path — 404 it
+        res.writeHead(404, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "not_found" }));
+      }
+      const base = oauthBase();
       res.writeHead(200, { "Content-Type": "application/json", ...CORS });
       return res.end(JSON.stringify({
-        resource: `${base}/${resourcePath}`,
+        resource: `${base}/mcp`,
         authorization_servers: [base],
         scopes_supported: ["mcp:tools"],
         bearer_methods_supported: ["header"],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.5.14",
+  "version": "1.5.15",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {