@loopops/mcp-server 2.8.0 → 2.9.0

package/dist/api-client.js

@@ -256,6 +256,63 @@ function persistRotatedRefreshToken(newToken) {
         }
     }
 }
+/**
+ * Build a useful error message when Okta rejects our refresh token. The
+ * generic answer ("token may be revoked or idle-expired") is the last
+ * resort — first we check whether settings.json is pointing at the wrong
+ * tenant or client, which is a much more common cause and one the user
+ * cannot diagnose from the bare 400.
+ *
+ * The Loop API exposes the tenant it actually authenticates against at
+ * `GET /api/mcp/tenant-info` (added 2026-04-29 alongside the
+ * trial-2194356 → integrator-4680962 migration). If that endpoint
+ * disagrees with our env vars, we report exactly which key is wrong and
+ * the one-shot fix command. Older webapp deployments will 404 the
+ * endpoint — we silently fall through to the generic message.
+ */
+async function diagnoseRefreshFailure(status, body) {
+    const head = `Okta refresh failed (HTTP ${status}). Detail: ${body.slice(0, 300)}`;
+    const generic = "Your refresh token may be revoked or idle-expired. Re-run " +
+        "`npx @loopops/mcp-cli@latest login` (the `@latest` pin bypasses the " +
+        "npx cache, which can serve a stale cli with old tenant defaults for " +
+        "up to 24h after a publish).";
+    if (!apiUrl)
+        return `${head}\n\n${generic}`;
+    try {
+        const apiBase = new URL(apiUrl).origin;
+        const tenantInfoUrl = `${apiBase}/api/mcp/tenant-info`;
+        const probe = await doFetch(tenantInfoUrl, { method: "GET", headers: { accept: "application/json" } }, 5_000);
+        if (!probe.ok)
+            return `${head}\n\n${generic}`;
+        const live = (await probe.json());
+        const issuerMismatch = !!live.issuer && live.issuer !== oktaIssuer;
+        const clientMismatch = !!live.clientId && live.clientId !== oktaClientId;
+        if (!issuerMismatch && !clientMismatch)
+            return `${head}\n\n${generic}`;
+        const lines = [
+            head,
+            "",
+            "DIAGNOSIS: your MCP config points at a tenant the Loop API does not recognise.",
+        ];
+        if (issuerMismatch) {
+            lines.push(`  OKTA_ISSUER on disk:    ${oktaIssuer}`);
+            lines.push(`  OKTA_ISSUER expected:   ${live.issuer}`);
+        }
+        if (clientMismatch) {
+            lines.push(`  OKTA_CLIENT_ID on disk:  ${oktaClientId}`);
+            lines.push(`  OKTA_CLIENT_ID expected: ${live.clientId}`);
+        }
+        lines.push("");
+        lines.push("Fix: `npx @loopops/mcp-cli@latest login`. The `@latest` pin is " +
+            "important — without it, npx may serve a cached older cli that " +
+            "writes the same wrong defaults right back to disk.");
+        return lines.join("\n");
+    }
+    catch {
+        // Network blip, DNS failure, or older webapp without the endpoint.
+        return `${head}\n\n${generic}`;
+    }
+}
 /**
  * Mint a fresh access token via Okta's /token endpoint. Updates the
  * in-memory cache AND (if Okta rotated the refresh token) persists the
@@ -298,7 +355,8 @@ async function refreshAccessTokenOnce() {
         }, DEFAULT_TIMEOUT_MS);
         if (!response.ok) {
             const body = await response.text().catch(() => "<unreadable>");
-            throw new OktaRefreshError(`Okta refresh failed (HTTP ${response.status}). Your refresh token may be revoked or idle-expired. Re-run \`npx @loopops/mcp-cli login\`. Detail: ${body.slice(0, 300)}`);
+            const diagnosis = await diagnoseRefreshFailure(response.status, body);
+            throw new OktaRefreshError(diagnosis);
         }
         const tokens = (await response.json());
         cachedAccessToken = tokens.access_token;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@loopops/mcp-server",
-  "version": "2.8.0",
+  "version": "2.9.0",
   "description": "Loop Operations MCP Server — AI skills for RevOps",
   "license": "UNLICENSED",
   "type": "module",