@lifeaitools/clauth 1.5.63 → 1.5.65

package/cli/commands/serve.js

@@ -2560,18 +2560,27 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
   let tunnelStatus = "not_started"; // "not_started" | "not_configured" | "starting" | "live" | "error" | "missing_cloudflared"
 
   // ── OAuth provider (self-contained for claude.ai MCP) ──────
-  const oauthClients = new Map();   // client_id → { redirect_uris, client_name, token_endpoint_auth_method }
   const oauthCodes = new Map();     // code → { client_id, redirect_uri, code_challenge, expires }
 
-  // Persist tokens + credentials to disk so daemon restarts don't invalidate sessions
-  const TOKENS_FILE = path.join(os.tmpdir(), "clauth-oauth-tokens.json");
+  // Persist tokens + clients to disk so daemon restarts don't invalidate sessions
+  const TOKENS_FILE  = path.join(os.tmpdir(), "clauth-oauth-tokens.json");
+  const CLIENTS_FILE = path.join(os.tmpdir(), "clauth-oauth-clients.json");
+
   function loadTokens() {
     try { return new Set(JSON.parse(fs.readFileSync(TOKENS_FILE, "utf8"))); } catch { return new Set(); }
   }
   function saveTokens(set) {
     try { fs.writeFileSync(TOKENS_FILE, JSON.stringify([...set])); } catch {}
   }
-  const oauthTokens = loadTokens(); // active access tokens — persisted across restarts
+  function loadClients() {
+    try { return new Map(JSON.parse(fs.readFileSync(CLIENTS_FILE, "utf8"))); } catch { return new Map(); }
+  }
+  function saveClients(map) {
+    try { fs.writeFileSync(CLIENTS_FILE, JSON.stringify([...map])); } catch {}
+  }
+
+  const oauthTokens  = loadTokens();  // active access tokens — persisted across restarts
+  const oauthClients = loadClients(); // registered OAuth clients — persisted across restarts
 
   function oauthBase() { return tunnelUrl || `http://127.0.0.1:${port}`; }
   function sha256base64url(str) { return crypto.createHash("sha256").update(str).digest("base64url"); }
@@ -2993,6 +3002,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
         token_endpoint_auth_method: "none",  // PUBLIC CLIENT
       };
       oauthClients.set(clientId, client);
+      saveClients(oauthClients);
       const logMsg = `[${new Date().toISOString()}] OAuth: registered public client ${clientId} (${client.client_name})\n`;
       try { fs.appendFileSync(LOG_FILE, logMsg); } catch {}
       res.writeHead(201, { "Content-Type": "application/json", "Cache-Control": "no-store", ...CORS });
@@ -3242,6 +3252,12 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
 
     // ── MCP SSE transport — /sse and namespaced paths ────
     // GET /sse|/gws|/clauth — open SSE stream, receive endpoint event
+    // Remote clients (claude.ai) use Streamable HTTP (POST only) — return 404 on GET
+    // so claude.ai knows to POST directly rather than trying SSE transport.
+    if (method === "GET" && isMcpPath && req._clauthRemote) {
+      res.writeHead(404, { "Content-Type": "application/json", ...CORS });
+      return res.end(JSON.stringify({ error: "Use POST for Streamable HTTP transport" }));
+    }
     if (method === "GET" && (reqPath === "/sse" || isMcpPath)) {
       const sessionId = `ses_${++sseCounter}_${Date.now()}`;
 
@@ -3578,6 +3594,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       if (lockedGuard(res)) return;
       // Clear all dynamic clients and tokens
       oauthClients.clear();
+      saveClients(oauthClients);
       oauthTokens.clear();
       saveTokens(oauthTokens);
       const logMsg = `[${new Date().toISOString()}] OAuth: rolled credentials — all clients and tokens invalidated\n`;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.5.63",
+  "version": "1.5.65",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {