@lifeaitools/clauth 1.5.22 → 1.5.24

package/cli/commands/serve.js

@@ -847,10 +847,15 @@ function dashboardHtml(port, whitelist, isStaged = false) {
     <div class="mcp-setup-title">claude.ai MCP Integration</div>
     <div class="oauth-fields">
       <div class="mcp-row">
-        <span class="mcp-label">URL</span>
+        <span class="mcp-label">Clauth</span>
         <span class="mcp-val" id="mcp-url">—</span>
         <button class="mcp-copy" onclick="copyMcp('mcp-url')">copy</button>
       </div>
+      <div class="mcp-row">
+        <span class="mcp-label">GWS</span>
+        <span class="mcp-val" id="mcp-gws-url">—</span>
+        <button class="mcp-copy" onclick="copyMcp('mcp-gws-url')">copy</button>
+      </div>
       <div class="mcp-row">
         <span class="mcp-label">Client ID</span>
         <span class="mcp-val" id="mcp-client-id">—</span>
@@ -862,7 +867,10 @@ function dashboardHtml(port, whitelist, isStaged = false) {
         <button class="mcp-copy" onclick="copyMcp('mcp-client-secret')">copy</button>
       </div>
     </div>
-    <div style="font-size:.72rem;color:#64748b;margin-top:4px">Paste these into <a href="https://claude.ai/settings/integrations" target="_blank" style="color:#60a5fa">claude.ai Settings → Integrations</a></div>
+    <div style="display:flex;align-items:center;gap:8px;margin-top:6px">
+      <div style="font-size:.72rem;color:#64748b">Paste into <a href="https://claude.ai/settings/integrations" target="_blank" style="color:#60a5fa">claude.ai → Integrations</a></div>
+      <button class="mcp-copy" onclick="rollMcpCreds()" style="font-size:.7rem">Roll Credentials</button>
+    </div>
   </div>
 
   <div class="wizard-panel" id="wizard-panel">
@@ -1939,10 +1947,12 @@ async function toggleMcpSetup() {
     try {
       const m = await fetch(BASE + "/mcp-setup").then(r => r.json());
       document.getElementById("mcp-url").textContent = m.url || "(tunnel not running)";
+      document.getElementById("mcp-gws-url").textContent = m.gwsUrl || "(tunnel not running)";
       document.getElementById("mcp-client-id").textContent = m.clientId || "—";
       document.getElementById("mcp-client-secret").textContent = m.clientSecret || "—";
     } catch {
       document.getElementById("mcp-url").textContent = "(error fetching)";
+      document.getElementById("mcp-gws-url").textContent = "(error fetching)";
     }
   }
 }
@@ -1958,6 +1968,17 @@ function copyMcp(elId) {
   }).catch(() => {});
 }
 
+async function rollMcpCreds() {
+  if (!confirm("Roll MCP credentials? You will need to re-add connectors in claude.ai with the new credentials.")) return;
+  try {
+    const resp = await fetch(BASE + "/roll-mcp-creds", { method: "POST" }).then(r => r.json());
+    if (resp.client_id) {
+      document.getElementById("mcp-client-id").textContent = resp.client_id;
+      document.getElementById("mcp-client-secret").textContent = resp.client_secret;
+    }
+  } catch(e) { alert("Failed: " + e.message); }
+}
+
 // ── Tunnel Setup Wizard ─────────────────────
 let wizStep = null;
 let wizData = {};
@@ -2309,18 +2330,24 @@ async function wizRunCreateTunnel() {
 // Step: MCP setup in claude.ai
 async function wizShowMcpSetup(hostname) {
   wizStep = "mcp_setup";
-  const sseUrl = \`https://\${hostname}/sse\`;
+  const clauthUrl = \`https://\${hostname}/clauth\`;
+  const gwsUrl = \`https://\${hostname}/gws\`;
 
   const mcpData = await apiFetch("/mcp-setup");
 
   renderWizBody(\`
-    <div class="wiz-desc">Add clauth as an MCP server in claude.ai settings. Paste these values:</div>
+    <div class="wiz-desc">Add two MCP connectors in claude.ai — one for Clauth, one for GWS:</div>
     <div style="display:flex;flex-direction:column;gap:8px;margin-top:10px">
       <div class="mcp-row">
-        <span class="mcp-label">URL</span>
-        <span class="mcp-val" id="wiz-mcp-url">\${sseUrl}</span>
+        <span class="mcp-label">Clauth URL</span>
+        <span class="mcp-val" id="wiz-mcp-url">\${clauthUrl}</span>
         <button class="mcp-copy" onclick="wizCopy('wiz-mcp-url',this)">copy</button>
       </div>
+      <div class="mcp-row">
+        <span class="mcp-label">GWS URL</span>
+        <span class="mcp-val" id="wiz-mcp-gws">\${gwsUrl}</span>
+        <button class="mcp-copy" onclick="wizCopy('wiz-mcp-gws',this)">copy</button>
+      </div>
       <div class="mcp-row">
         <span class="mcp-label">Client ID</span>
         <span class="mcp-val" id="wiz-mcp-cid">\${mcpData?.clientId || '(unlock required)'}</span>
@@ -2335,13 +2362,28 @@ async function wizShowMcpSetup(hostname) {
     <div style="margin-top:10px;font-size:.78rem;color:#64748b">
       Paste into <a class="wiz-link" href="https://claude.ai/settings/integrations" target="_blank">claude.ai → Settings → Integrations</a>
     </div>
+    <div style="margin-top:8px;font-size:.78rem;color:#64748b">
+      Same Client ID/Secret for both connectors.
+    </div>
   \`, [], [
     \`<button class="btn-wiz-primary" onclick="window.open('https://claude.ai/settings/integrations','_blank');wizShowTest()">I've Added It — Test Now</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="wizRollCreds()">Roll Credentials</button>\`,
     \`<button class="btn-wiz-secondary" onclick="wizShowTest()">Skip Test</button>\`,
     \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Done</button>\`
   ]);
 }
 
+async function wizRollCreds() {
+  if (!confirm("Roll MCP credentials? Existing claude.ai connectors will need to be re-added with the new credentials.")) return;
+  try {
+    const resp = await apiFetch("/roll-mcp-creds", { method: "POST" });
+    if (resp?.client_id) {
+      document.getElementById("wiz-mcp-cid").textContent = resp.client_id;
+      document.getElementById("wiz-mcp-sec").textContent = resp.client_secret;
+    }
+  } catch(e) { alert("Failed to roll credentials: " + e.message); }
+}
+
 function wizCopy(elId, btn) {
   const val = document.getElementById(elId)?.textContent?.trim();
   if (!val) return;
@@ -2531,8 +2573,8 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
     return creds;
   }
   const stableCreds = loadOrCreateCreds();
-  const OAUTH_CLIENT_ID = stableCreds.client_id;
-  const OAUTH_CLIENT_SECRET = stableCreds.client_secret;
+  let OAUTH_CLIENT_ID = stableCreds.client_id;
+  let OAUTH_CLIENT_SECRET = stableCreds.client_secret;
   oauthClients.set(OAUTH_CLIENT_ID, {
     client_id: OAUTH_CLIENT_ID, client_secret: OAUTH_CLIENT_SECRET,
     client_name: "claude.ai", redirect_uris: ["https://claude.ai/api/mcp/auth_callback"],
@@ -2901,7 +2943,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
     if (reqPath.startsWith("/.well-known/oauth-protected-resource")) {
       const base = oauthBase();
       const suffix = reqPath.replace("/.well-known/oauth-protected-resource", "").replace(/^\//, "");
-      const resourcePath = suffix && ["/gws", "/clauth", "/mcp", "/sse"].includes("/" + suffix) ? "/" + suffix : "/sse";
+      const resourcePath = suffix && ["/gws", "/clauth", "/mcp", "/sse"].includes("/" + suffix) ? "/" + suffix : "/clauth";
       res.writeHead(200, { "Content-Type": "application/json", ...CORS });
       return res.end(JSON.stringify({
         resource: `${base}${resourcePath}`,
@@ -3327,13 +3369,42 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
 
     // GET /mcp-setup — OAuth credentials for claude.ai MCP setup (localhost only)
     if (method === "GET" && reqPath === "/mcp-setup") {
+      const base = tunnelUrl && tunnelUrl.startsWith("http") ? tunnelUrl : null;
       return ok(res, {
-        url: tunnelUrl && tunnelUrl.startsWith("http") ? `${tunnelUrl}/mcp` : null,
+        url: base ? `${base}/clauth` : null,
+        gwsUrl: base ? `${base}/gws` : null,
         clientId: OAUTH_CLIENT_ID,
         clientSecret: OAUTH_CLIENT_SECRET,
       });
     }
 
+    // POST /roll-mcp-creds — generate new client ID/secret, invalidate all tokens
+    if (method === "POST" && reqPath === "/roll-mcp-creds") {
+      if (lockedGuard(res)) return;
+      const newId = crypto.randomBytes(16).toString("hex");
+      const newSecret = crypto.randomBytes(32).toString("hex");
+      // Update in-memory
+      oauthClients.delete(OAUTH_CLIENT_ID);
+      OAUTH_CLIENT_ID = newId;
+      OAUTH_CLIENT_SECRET = newSecret;
+      stableCreds.client_id = newId;
+      stableCreds.client_secret = newSecret;
+      try { fs.writeFileSync(CREDS_FILE, JSON.stringify(stableCreds)); } catch {}
+      // Register new client
+      oauthClients.set(newId, {
+        client_id: newId, client_secret: newSecret,
+        client_name: "claude.ai", redirect_uris: ["https://claude.ai/api/mcp/auth_callback"],
+        grant_types: ["authorization_code"], response_types: ["code"],
+        token_endpoint_auth_method: "client_secret_post",
+      });
+      // Invalidate all existing tokens
+      oauthTokens.clear();
+      saveTokens(oauthTokens);
+      const logMsg = `[${new Date().toISOString()}] OAuth: rolled credentials — new client ${newId.slice(0,8)}…, all tokens invalidated\n`;
+      try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
+      return ok(res, { client_id: newId, client_secret: newSecret, tokens_invalidated: true });
+    }
+
     // POST /tunnel — start or stop tunnel manually (action in body)
     if (method === "POST" && reqPath === "/tunnel") {
       if (lockedGuard(res)) return;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.5.22",
+  "version": "1.5.24",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {