@mtaap/mcp 0.2.12 → 0.4.1

package/dist/cli.js

@@ -30,7 +30,7 @@ var import_stdio = require("@modelcontextprotocol/sdk/server/stdio.js");
 // package.json
 var package_default = {
   name: "@mtaap/mcp",
-  version: "0.2.11",
+  version: "0.4.1",
   description: "Model Context Protocol (MCP) server for AI agents to interact with Collab - the multi-tenant collaborative agent development platform",
   mcpName: "collab",
   scripts: {
@@ -39,7 +39,9 @@ var package_default = {
   main: "./dist/index.js",
   types: "./dist/index.d.ts",
   bin: {
-    "collab-mcp": "./dist/cli.js"
+    mcp: "./dist/cli.js",
+    "collab-mcp": "./dist/cli.js",
+    "collab-mcp-server": "./dist/server.js"
   },
   publishConfig: {
     access: "public"
@@ -70,11 +72,13 @@ var package_default = {
   },
   dependencies: {
     "@modelcontextprotocol/sdk": "^1.0.0",
+    express: "^5.0.1",
     zod: "^4.3.5"
   },
   devDependencies: {
     "@mtaap/config-typescript": "workspace:*",
     "@mtaap/core": "workspace:*",
+    "@types/express": "^5.0.0",
     "@types/node": "^22.0.0",
     tsup: "^8.5.1",
     typescript: "^5.4.0"
@@ -85,7 +89,7 @@ var package_default = {
 var VERSION = package_default.version;
 
 // src/index.ts
-var import_zod3 = require("zod");
+var import_zod4 = require("zod");
 
 // ../../packages/core/dist/constants/enums.js
 var TaskState;
@@ -172,12 +176,6 @@ var WebSocketEventType;
   WebSocketEventType2["TASK_DELETED"] = "task.deleted";
   WebSocketEventType2["MEMBER_JOINED"] = "member.joined";
 })(WebSocketEventType || (WebSocketEventType = {}));
-var AuthProvider;
-(function(AuthProvider2) {
-  AuthProvider2["CREDENTIALS"] = "credentials";
-  AuthProvider2["LDAP"] = "ldap";
-  AuthProvider2["SSO"] = "sso";
-})(AuthProvider || (AuthProvider = {}));
 var SubscriptionStatus;
 (function(SubscriptionStatus2) {
   SubscriptionStatus2["ACTIVE"] = "ACTIVE";
@@ -193,6 +191,12 @@ var EventType;
   EventType2["ACCESS"] = "ACCESS";
   EventType2["MODIFICATION"] = "MODIFICATION";
 })(EventType || (EventType = {}));
+var CreatedVia;
+(function(CreatedVia2) {
+  CreatedVia2["UI"] = "UI";
+  CreatedVia2["API_KEY"] = "API_KEY";
+  CreatedVia2["OAUTH"] = "OAUTH";
+})(CreatedVia || (CreatedVia = {}));
 
 // ../../packages/core/dist/constants/state-machine.js
 var VALID_TRANSITIONS = {
@@ -216,6 +220,62 @@ var VALID_TRANSITIONS = {
   [TaskState.DONE]: []
 };
 
+// ../../packages/core/dist/constants/oauth.js
+var OAuthScopes = {
+  /** Read-only access to MCP resources */
+  READ: "mcp:read",
+  /** Read and write access to MCP resources */
+  WRITE: "mcp:write",
+  /** Full administrative access */
+  ADMIN: "mcp:admin"
+};
+var VALID_OAUTH_SCOPES = [
+  OAuthScopes.READ,
+  OAuthScopes.WRITE,
+  OAuthScopes.ADMIN
+];
+var DEFAULT_OAUTH_SCOPES = `${OAuthScopes.READ} ${OAuthScopes.WRITE}`;
+var OAUTH_SCOPE_TO_PERMISSION = {
+  [OAuthScopes.READ]: ApiKeyPermission.READ,
+  [OAuthScopes.WRITE]: ApiKeyPermission.WRITE,
+  [OAuthScopes.ADMIN]: ApiKeyPermission.ADMIN
+};
+var PERMISSION_TO_OAUTH_SCOPE = {
+  [ApiKeyPermission.READ]: OAuthScopes.READ,
+  [ApiKeyPermission.WRITE]: OAuthScopes.WRITE,
+  [ApiKeyPermission.ADMIN]: OAuthScopes.ADMIN
+};
+var OAuthTokenLifetimes = {
+  /** Access token lifetime: 1 hour */
+  ACCESS_TOKEN_MS: 60 * 60 * 1e3,
+  /** Refresh token lifetime: 30 days */
+  REFRESH_TOKEN_MS: 30 * 24 * 60 * 60 * 1e3,
+  /** Authorization code lifetime: 10 minutes */
+  AUTHORIZATION_CODE_MS: 10 * 60 * 1e3
+};
+var OAuthGrantTypes = {
+  AUTHORIZATION_CODE: "authorization_code",
+  REFRESH_TOKEN: "refresh_token"
+};
+var SUPPORTED_GRANT_TYPES = [
+  OAuthGrantTypes.AUTHORIZATION_CODE,
+  OAuthGrantTypes.REFRESH_TOKEN
+];
+var OAuthResponseTypes = {
+  CODE: "code"
+};
+var OAuthCodeChallengeMethods = {
+  S256: "S256"
+};
+var OAuthRateLimits = {
+  /** /oauth/token: 30 requests per minute per client */
+  TOKEN_ENDPOINT: { limit: 30, windowMs: 60 * 1e3 },
+  /** /oauth/authorize: 10 requests per minute per user */
+  AUTHORIZE_ENDPOINT: { limit: 10, windowMs: 60 * 1e3 },
+  /** /oauth/register: 5 requests per minute per IP */
+  REGISTER_ENDPOINT: { limit: 5, windowMs: 60 * 1e3 }
+};
+
 // ../../packages/core/dist/config/deployment.js
 var config = {
   deploymentMode: process.env.DEPLOYMENT_MODE || "saas"
@@ -223,20 +283,24 @@ var config = {
 var isSaas = config.deploymentMode === "saas";
 var isOnPrem = config.deploymentMode === "onprem";
 
-// ../../packages/core/dist/version.js
-var VERSION2 = "0.1.0";
+// ../../packages/core/dist/versions.js
+var VERSIONS = {
+  core: "0.3.0",
+  web: "0.3.0",
+  mcp: "0.4.1"
+};
+var VERSION2 = VERSIONS.core;
 
 // ../../packages/core/dist/config/index.js
 var DEPLOYMENT_MODE = process.env.DEPLOYMENT_MODE || "saas";
 var config2 = {
   version: VERSION2,
+  packages: VERSIONS,
   deploymentMode: DEPLOYMENT_MODE,
   billing: {
     enabled: DEPLOYMENT_MODE === "saas",
     revenuecat: {
-      publicKey: process.env.REVENUECAT_PUBLIC_API_KEY,
-      stripeKey: process.env.STRIPE_SECRET_KEY
-      // Required by RevenueCat Web Billing
+      publicKey: process.env.NEXT_PUBLIC_REVENUECAT_PUBLIC_KEY
     }
   },
   licensing: {
@@ -342,7 +406,6 @@ var OrganizationIdSchema = import_zod.z.string().regex(/^org_[a-zA-Z0-9]+$/);
 var OrganizationSchema = import_zod.z.object({
   id: OrganizationIdSchema,
   name: import_zod.z.string().min(1).max(255),
-  slug: import_zod.z.string().min(1).max(100).regex(/^[a-z0-9-]+$/),
   logoUrl: import_zod.z.string().url().nullable(),
   accentColor: import_zod.z.string().regex(/^#[0-9A-Fa-f]{6}$/).nullable(),
   tenantName: import_zod.z.string().nullable(),
@@ -470,239 +533,375 @@ var ProjectCollaboratorSchema = import_zod.z.object({
 });
 
 // ../../packages/core/dist/validation/index.js
+var import_zod3 = require("zod");
+
+// ../../packages/core/dist/validation/oauth.js
 var import_zod2 = require("zod");
-var ListProjectsInputSchema = import_zod2.z.object({
-  workspaceType: import_zod2.z.preprocess((val) => typeof val === "string" ? val.toUpperCase() : val, import_zod2.z.enum(["TEAM", "PERSONAL", "ALL"]).optional())
-});
-var ListTasksInputSchema = import_zod2.z.object({
-  projectId: import_zod2.z.string().optional(),
-  state: import_zod2.z.nativeEnum(TaskState).optional(),
-  assigneeId: import_zod2.z.string().optional(),
-  includeArchived: import_zod2.z.boolean().optional()
-});
-var cuidOrPrefixedId = import_zod2.z.string().regex(/^([a-z0-9]+|[a-z]+_[a-zA-Z0-9]+)$/);
-var gitBranchName = import_zod2.z.string().min(1).max(100).regex(/^[a-zA-Z0-9][-a-zA-Z0-9._/]*[a-zA-Z0-9]$|^[a-zA-Z0-9]$/, "Branch name must start and end with alphanumeric character").refine((val) => !val.includes("..") && !val.includes("@{") && !val.includes("//") && !val.endsWith(".lock") && !val.includes("~") && !val.includes("^") && !val.includes(":") && !val.includes("?") && !val.includes("*") && !val.includes("[") && !val.includes("\\") && !val.includes(" ") && !val.includes(";") && !val.includes("&") && !val.includes("|") && !val.includes("$") && !val.includes("`") && !val.includes("'") && !val.includes('"') && !val.includes("<") && !val.includes(">") && !val.includes("(") && !val.includes(")"), "Invalid branch name: contains forbidden characters or sequences");
-var GetTaskInputSchema = import_zod2.z.object({
+var scopeString = import_zod2.z.string().optional().transform((val) => {
+  if (!val)
+    return void 0;
+  const scopes = val.split(" ").filter(Boolean);
+  const validScopes = scopes.filter((s) => VALID_OAUTH_SCOPES.includes(s));
+  return validScopes.length > 0 ? validScopes.join(" ") : void 0;
+});
+var redirectUri = import_zod2.z.string().url().refine((uri) => {
+  const url = new URL(uri);
+  return url.protocol === "https:" || url.hostname === "localhost" || url.hostname === "127.0.0.1";
+}, { message: "redirect_uri must use HTTPS or be localhost" });
+var codeVerifier = import_zod2.z.string().min(43).max(128).regex(/^[A-Za-z0-9._~-]+$/, "code_verifier must only contain unreserved characters");
+var codeChallenge = import_zod2.z.string().min(43).max(128).regex(/^[A-Za-z0-9_-]+$/, "code_challenge must be base64url encoded (no padding)");
+var DynamicClientRegistrationSchema = import_zod2.z.object({
+  redirect_uris: import_zod2.z.array(redirectUri).min(1),
+  client_name: import_zod2.z.string().min(1).max(255),
+  client_uri: import_zod2.z.string().url().optional(),
+  logo_uri: import_zod2.z.string().url().optional(),
+  // Accept lowercase OAuth spec values
+  grant_types: import_zod2.z.array(import_zod2.z.enum(["authorization_code", "refresh_token"])).default(["authorization_code", "refresh_token"]),
+  response_types: import_zod2.z.array(import_zod2.z.enum([OAuthResponseTypes.CODE])).default([OAuthResponseTypes.CODE]),
+  scope: scopeString,
+  // Accept lowercase OAuth spec values
+  token_endpoint_auth_method: import_zod2.z.enum(["none", "client_secret_post", "client_secret_basic"]).default("none")
+});
+var DynamicClientRegistrationResponseSchema = import_zod2.z.object({
+  client_id: import_zod2.z.string(),
+  client_secret: import_zod2.z.string().optional(),
+  client_id_issued_at: import_zod2.z.number(),
+  client_secret_expires_at: import_zod2.z.number().optional(),
+  redirect_uris: import_zod2.z.array(import_zod2.z.string()),
+  client_name: import_zod2.z.string(),
+  client_uri: import_zod2.z.string().optional(),
+  logo_uri: import_zod2.z.string().optional(),
+  grant_types: import_zod2.z.array(import_zod2.z.string()),
+  response_types: import_zod2.z.array(import_zod2.z.string()),
+  scope: import_zod2.z.string(),
+  token_endpoint_auth_method: import_zod2.z.string(),
+  registration_access_token: import_zod2.z.string().optional(),
+  registration_client_uri: import_zod2.z.string().optional()
+});
+var AuthorizationRequestSchema = import_zod2.z.object({
+  response_type: import_zod2.z.literal(OAuthResponseTypes.CODE),
+  client_id: import_zod2.z.string().min(1),
+  redirect_uri: redirectUri,
+  scope: scopeString,
+  state: import_zod2.z.string().max(255).optional(),
+  // PKCE is mandatory in OAuth 2.1
+  code_challenge: codeChallenge,
+  code_challenge_method: import_zod2.z.literal(OAuthCodeChallengeMethods.S256)
+});
+var TokenRequestAuthorizationCodeSchema = import_zod2.z.object({
+  grant_type: import_zod2.z.literal(OAuthGrantTypes.AUTHORIZATION_CODE),
+  code: import_zod2.z.string().min(1),
+  redirect_uri: redirectUri,
+  client_id: import_zod2.z.string().min(1),
+  // PKCE code verifier is mandatory
+  code_verifier: codeVerifier,
+  // Client secret is optional (for confidential clients)
+  client_secret: import_zod2.z.string().optional()
+});
+var TokenRequestRefreshTokenSchema = import_zod2.z.object({
+  grant_type: import_zod2.z.literal(OAuthGrantTypes.REFRESH_TOKEN),
+  refresh_token: import_zod2.z.string().min(1),
+  client_id: import_zod2.z.string().min(1),
+  // Optional: request reduced scope
+  scope: scopeString,
+  // Client secret is optional (for confidential clients)
+  client_secret: import_zod2.z.string().optional()
+});
+var TokenRequestSchema = import_zod2.z.discriminatedUnion("grant_type", [
+  TokenRequestAuthorizationCodeSchema,
+  TokenRequestRefreshTokenSchema
+]);
+var TokenResponseSchema = import_zod2.z.object({
+  access_token: import_zod2.z.string(),
+  token_type: import_zod2.z.literal("Bearer"),
+  expires_in: import_zod2.z.number(),
+  refresh_token: import_zod2.z.string().optional(),
+  scope: import_zod2.z.string()
+});
+var TokenRevocationRequestSchema = import_zod2.z.object({
+  token: import_zod2.z.string().min(1),
+  token_type_hint: import_zod2.z.enum(["access_token", "refresh_token"]).optional(),
+  client_id: import_zod2.z.string().min(1),
+  client_secret: import_zod2.z.string().optional()
+});
+var OAuthErrorResponseSchema = import_zod2.z.object({
+  error: import_zod2.z.string(),
+  error_description: import_zod2.z.string().optional(),
+  error_uri: import_zod2.z.string().url().optional(),
+  state: import_zod2.z.string().optional()
+});
+var AuthorizationServerMetadataSchema = import_zod2.z.object({
+  issuer: import_zod2.z.string().url(),
+  authorization_endpoint: import_zod2.z.string().url(),
+  token_endpoint: import_zod2.z.string().url(),
+  registration_endpoint: import_zod2.z.string().url().optional(),
+  revocation_endpoint: import_zod2.z.string().url().optional(),
+  scopes_supported: import_zod2.z.array(import_zod2.z.string()),
+  response_types_supported: import_zod2.z.array(import_zod2.z.string()),
+  grant_types_supported: import_zod2.z.array(import_zod2.z.string()),
+  token_endpoint_auth_methods_supported: import_zod2.z.array(import_zod2.z.string()),
+  code_challenge_methods_supported: import_zod2.z.array(import_zod2.z.string()),
+  service_documentation: import_zod2.z.string().url().optional()
+});
+var ProtectedResourceMetadataSchema = import_zod2.z.object({
+  resource: import_zod2.z.string().url(),
+  authorization_servers: import_zod2.z.array(import_zod2.z.string().url()),
+  scopes_supported: import_zod2.z.array(import_zod2.z.string()).optional(),
+  bearer_methods_supported: import_zod2.z.array(import_zod2.z.string()).optional(),
+  resource_signing_alg_values_supported: import_zod2.z.array(import_zod2.z.string()).optional(),
+  resource_documentation: import_zod2.z.string().url().optional()
+});
+var InternalTokenValidationRequestSchema = import_zod2.z.object({
+  access_token: import_zod2.z.string().min(1)
+});
+var InternalTokenValidationResponseSchema = import_zod2.z.object({
+  valid: import_zod2.z.boolean(),
+  userId: import_zod2.z.string().optional(),
+  userEmail: import_zod2.z.string().optional(),
+  userName: import_zod2.z.string().optional(),
+  scope: import_zod2.z.string().optional(),
+  permissions: import_zod2.z.string().optional(),
+  clientId: import_zod2.z.string().optional(),
+  expiresAt: import_zod2.z.string().optional()
+});
+
+// ../../packages/core/dist/validation/index.js
+var ListProjectsInputSchema = import_zod3.z.object({
+  workspaceType: import_zod3.z.preprocess((val) => typeof val === "string" ? val.toUpperCase() : val, import_zod3.z.enum(["TEAM", "PERSONAL", "ALL"]).optional())
+});
+var ListTasksInputSchema = import_zod3.z.object({
+  projectId: import_zod3.z.string().optional(),
+  state: import_zod3.z.nativeEnum(TaskState).optional(),
+  assigneeId: import_zod3.z.string().optional(),
+  includeArchived: import_zod3.z.boolean().optional()
+});
+var cuidOrPrefixedId = import_zod3.z.string().regex(/^([a-z0-9]+|[a-z]+_[a-zA-Z0-9]+)$/);
+var gitBranchName = import_zod3.z.string().min(1).max(100).regex(/^[a-zA-Z0-9][-a-zA-Z0-9._/]*[a-zA-Z0-9]$|^[a-zA-Z0-9]$/, "Branch name must start and end with alphanumeric character").refine((val) => !val.includes("..") && !val.includes("@{") && !val.includes("//") && !val.endsWith(".lock") && !val.includes("~") && !val.includes("^") && !val.includes(":") && !val.includes("?") && !val.includes("*") && !val.includes("[") && !val.includes("\\") && !val.includes(" ") && !val.includes(";") && !val.includes("&") && !val.includes("|") && !val.includes("$") && !val.includes("`") && !val.includes("'") && !val.includes('"') && !val.includes("<") && !val.includes(">") && !val.includes("(") && !val.includes(")"), "Invalid branch name: contains forbidden characters or sequences");
+var GetTaskInputSchema = import_zod3.z.object({
   taskId: cuidOrPrefixedId
 });
-var AssignTaskInputSchema = import_zod2.z.object({
+var AssignTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  expectedState: import_zod2.z.nativeEnum(TaskState).default(TaskState.TODO)
+  expectedState: import_zod3.z.nativeEnum(TaskState).default(TaskState.TODO)
 });
-var UpdateProgressInputSchema = import_zod2.z.object({
+var UpdateProgressInputSchema = import_zod3.z.object({
   taskId: cuidOrPrefixedId,
-  statusMessage: import_zod2.z.string().max(1e3).optional(),
-  completedCheckpointIds: import_zod2.z.array(import_zod2.z.string()).optional(),
-  currentCheckpointIndex: import_zod2.z.number().int().optional()
+  statusMessage: import_zod3.z.string().max(1e3).optional(),
+  completedCheckpointIds: import_zod3.z.array(import_zod3.z.string()).optional(),
+  currentCheckpointIndex: import_zod3.z.number().int().optional()
 });
-var CompleteTaskInputSchema = import_zod2.z.object({
+var CompleteTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  pullRequestTitle: import_zod2.z.string().min(1).max(300).optional(),
-  pullRequestBody: import_zod2.z.string().max(1e4).optional()
+  pullRequestTitle: import_zod3.z.string().min(1).max(300).optional(),
+  pullRequestBody: import_zod3.z.string().max(1e4).optional()
 });
-var ReportErrorInputSchema = import_zod2.z.object({
+var ReportErrorInputSchema = import_zod3.z.object({
   taskId: cuidOrPrefixedId,
-  errorType: import_zod2.z.nativeEnum(ErrorType),
-  errorMessage: import_zod2.z.string().min(1).max(1e3),
-  context: import_zod2.z.string().max(2e3).optional()
+  errorType: import_zod3.z.nativeEnum(ErrorType),
+  errorMessage: import_zod3.z.string().min(1).max(1e3),
+  context: import_zod3.z.string().max(2e3).optional()
 });
-var GetProjectContextInputSchema = import_zod2.z.object({
+var GetProjectContextInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId
 });
-var AddNoteInputSchema = import_zod2.z.object({
+var AddNoteInputSchema = import_zod3.z.object({
   taskId: cuidOrPrefixedId,
-  content: import_zod2.z.string().min(1).max(500)
+  content: import_zod3.z.string().min(1).max(500)
 });
-var AbandonTaskInputSchema = import_zod2.z.object({
+var AbandonTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  deleteBranch: import_zod2.z.boolean().optional()
+  deleteBranch: import_zod3.z.boolean().optional()
 });
-var RequestChangesInputSchema = import_zod2.z.object({
+var RequestChangesInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  reviewComments: import_zod2.z.string().min(1).max(5e3),
-  requestedChanges: import_zod2.z.array(import_zod2.z.string().min(1).max(500)).optional()
+  reviewComments: import_zod3.z.string().min(1).max(5e3),
+  requestedChanges: import_zod3.z.array(import_zod3.z.string().min(1).max(500)).optional()
 });
-var ApproveTaskInputSchema = import_zod2.z.object({
+var ApproveTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  reviewComments: import_zod2.z.string().max(2e3).optional()
+  reviewComments: import_zod3.z.string().max(2e3).optional()
 });
-var ArchiveTaskInputSchema = import_zod2.z.object({
+var ArchiveTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId
 });
-var UnarchiveTaskInputSchema = import_zod2.z.object({
+var UnarchiveTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId
 });
-var CreatePersonalProjectInputSchema = import_zod2.z.object({
-  name: import_zod2.z.string().min(1).max(100),
-  description: import_zod2.z.string().max(500).optional(),
-  repositoryUrl: import_zod2.z.string().url()
+var CreatePersonalProjectInputSchema = import_zod3.z.object({
+  name: import_zod3.z.string().min(1).max(100),
+  description: import_zod3.z.string().max(500).optional(),
+  repositoryUrl: import_zod3.z.string().url()
 });
-var CheckActiveTaskInputSchema = import_zod2.z.object({});
-var CreateTaskMCPInputSchema = import_zod2.z.object({
+var CheckActiveTaskInputSchema = import_zod3.z.object({});
+var CreateTaskMCPInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   epicId: cuidOrPrefixedId.nullable().optional(),
-  title: import_zod2.z.string().min(1).max(200),
-  description: import_zod2.z.string().max(5e3),
-  priority: import_zod2.z.nativeEnum(TaskPriority).default(TaskPriority.MEDIUM),
-  acceptanceCriteria: import_zod2.z.array(import_zod2.z.object({
-    description: import_zod2.z.string().min(1).max(500)
+  title: import_zod3.z.string().min(1).max(200),
+  description: import_zod3.z.string().max(5e3),
+  priority: import_zod3.z.nativeEnum(TaskPriority).default(TaskPriority.MEDIUM),
+  acceptanceCriteria: import_zod3.z.array(import_zod3.z.object({
+    description: import_zod3.z.string().min(1).max(500)
   })).min(1)
 });
-var CreateOrganizationInputSchema = import_zod2.z.object({
-  name: import_zod2.z.string().min(1).max(255),
-  slug: import_zod2.z.string().min(1).max(100).regex(/^[a-z0-9-]+$/).optional()
+var CreateOrganizationInputSchema = import_zod3.z.object({
+  name: import_zod3.z.string().min(1).max(255)
 });
-var UpdateOrganizationInputSchema = import_zod2.z.object({
+var UpdateOrganizationInputSchema = import_zod3.z.object({
   organizationId: cuidOrPrefixedId,
-  name: import_zod2.z.string().min(1).max(255).optional(),
-  logoUrl: import_zod2.z.string().url().nullable().optional(),
-  accentColor: import_zod2.z.string().regex(/^#[0-9A-Fa-f]{6}$/, "Invalid hex color format. Expected #RRGGBB").nullable().optional(),
-  tenantName: import_zod2.z.string().max(255).nullable().optional()
-});
-var CreateProjectInputSchema = import_zod2.z.object({
-  name: import_zod2.z.string().min(1).max(100),
-  description: import_zod2.z.string().max(500).optional(),
-  type: import_zod2.z.nativeEnum(ProjectType),
-  repositoryUrl: import_zod2.z.string().url(),
-  baseBranch: import_zod2.z.string().default("develop").optional(),
-  tags: import_zod2.z.array(import_zod2.z.string()).default([])
-});
-var UpdateProjectInputSchema = import_zod2.z.object({
-  projectId: import_zod2.z.string().min(1).optional(),
-  name: import_zod2.z.string().min(1).max(100).optional(),
-  description: import_zod2.z.string().max(500).optional(),
-  repositoryUrl: import_zod2.z.string().url().optional(),
-  baseBranch: import_zod2.z.string().optional(),
-  tags: import_zod2.z.array(import_zod2.z.string()).optional(),
-  allowMemberArchive: import_zod2.z.boolean().optional()
-});
-var CreateEpicInputSchema = import_zod2.z.object({
+  name: import_zod3.z.string().min(1).max(255).optional(),
+  logoUrl: import_zod3.z.string().url().nullable().optional(),
+  accentColor: import_zod3.z.string().regex(/^#[0-9A-Fa-f]{6}$/, "Invalid hex color format. Expected #RRGGBB").nullable().optional(),
+  tenantName: import_zod3.z.string().max(255).nullable().optional()
+});
+var CreateProjectInputSchema = import_zod3.z.object({
+  name: import_zod3.z.string().min(1).max(100),
+  description: import_zod3.z.string().max(500).optional(),
+  type: import_zod3.z.nativeEnum(ProjectType),
+  repositoryUrl: import_zod3.z.string().url(),
+  baseBranch: import_zod3.z.string().default("develop").optional(),
+  tags: import_zod3.z.array(import_zod3.z.string()).default([])
+});
+var UpdateProjectInputSchema = import_zod3.z.object({
+  projectId: import_zod3.z.string().min(1).optional(),
+  name: import_zod3.z.string().min(1).max(100).optional(),
+  description: import_zod3.z.string().max(500).optional(),
+  repositoryUrl: import_zod3.z.string().url().optional(),
+  baseBranch: import_zod3.z.string().optional(),
+  tags: import_zod3.z.array(import_zod3.z.string()).optional(),
+  allowMemberArchive: import_zod3.z.boolean().optional()
+});
+var CreateEpicInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
-  name: import_zod2.z.string().min(1).max(200),
-  description: import_zod2.z.string().max(2e3).optional()
-});
-var CreateTaskInputSchema = import_zod2.z.object({
-  projectId: import_zod2.z.string().min(1),
-  epicId: import_zod2.z.string().min(1).nullable().optional(),
-  title: import_zod2.z.string().min(1).max(200),
-  description: import_zod2.z.string().max(5e3),
-  priority: import_zod2.z.nativeEnum(TaskPriority).default(TaskPriority.MEDIUM),
-  acceptanceCriteria: import_zod2.z.array(import_zod2.z.object({
-    description: import_zod2.z.string().min(1).max(500)
+  name: import_zod3.z.string().min(1).max(200),
+  description: import_zod3.z.string().max(2e3).optional()
+});
+var CreateTaskInputSchema = import_zod3.z.object({
+  projectId: import_zod3.z.string().min(1),
+  epicId: import_zod3.z.string().min(1).nullable().optional(),
+  title: import_zod3.z.string().min(1).max(200),
+  description: import_zod3.z.string().max(5e3),
+  priority: import_zod3.z.nativeEnum(TaskPriority).default(TaskPriority.MEDIUM),
+  acceptanceCriteria: import_zod3.z.array(import_zod3.z.object({
+    description: import_zod3.z.string().min(1).max(500)
   })).min(1)
 });
-var UpdateTaskInputSchema = import_zod2.z.object({
-  taskId: import_zod2.z.string().min(1),
-  title: import_zod2.z.string().min(1).max(200).optional(),
-  description: import_zod2.z.string().max(5e3).optional(),
-  priority: import_zod2.z.nativeEnum(TaskPriority).optional(),
-  state: import_zod2.z.nativeEnum(TaskState).optional(),
-  assigneeId: import_zod2.z.string().nullable().optional(),
-  acceptanceCriteria: import_zod2.z.array(import_zod2.z.object({
-    id: import_zod2.z.string().optional(),
-    description: import_zod2.z.string().min(1).max(500),
-    completed: import_zod2.z.boolean().optional()
+var UpdateTaskInputSchema = import_zod3.z.object({
+  taskId: import_zod3.z.string().min(1),
+  title: import_zod3.z.string().min(1).max(200).optional(),
+  description: import_zod3.z.string().max(5e3).optional(),
+  priority: import_zod3.z.nativeEnum(TaskPriority).optional(),
+  state: import_zod3.z.nativeEnum(TaskState).optional(),
+  assigneeId: import_zod3.z.string().nullable().optional(),
+  acceptanceCriteria: import_zod3.z.array(import_zod3.z.object({
+    id: import_zod3.z.string().optional(),
+    description: import_zod3.z.string().min(1).max(500),
+    completed: import_zod3.z.boolean().optional()
   })).optional()
 });
-var AssignTaskWebappInputSchema = import_zod2.z.object({
-  taskId: import_zod2.z.string().min(1),
-  userId: import_zod2.z.string().min(1)
+var AssignTaskWebappInputSchema = import_zod3.z.object({
+  taskId: import_zod3.z.string().min(1),
+  userId: import_zod3.z.string().min(1)
 });
-var CreateTagInputSchema = import_zod2.z.object({
+var CreateTagInputSchema = import_zod3.z.object({
   organizationId: cuidOrPrefixedId,
-  name: import_zod2.z.string().min(1).max(50).regex(/^[a-zA-Z0-9\s-]+$/)
+  name: import_zod3.z.string().min(1).max(50).regex(/^[a-zA-Z0-9\s-]+$/)
 });
-var UpdateTagInputSchema = import_zod2.z.object({
-  name: import_zod2.z.string().min(1).max(50).regex(/^[a-zA-Z0-9\s-]+$/)
+var UpdateTagInputSchema = import_zod3.z.object({
+  name: import_zod3.z.string().min(1).max(50).regex(/^[a-zA-Z0-9\s-]+$/)
 });
-var UpdateOrganizationSettingsInputSchema = import_zod2.z.object({
+var UpdateOrganizationSettingsInputSchema = import_zod3.z.object({
   organizationId: cuidOrPrefixedId,
-  ldapEnabled: import_zod2.z.boolean().optional(),
-  ldapUrl: import_zod2.z.string().url().nullable().optional(),
-  ldapBindDN: import_zod2.z.string().nullable().optional(),
-  ldapSearchBase: import_zod2.z.string().nullable().optional(),
-  deleteMergedBranches: import_zod2.z.boolean().optional(),
-  enforceConventionalCommits: import_zod2.z.boolean().optional(),
-  maxPersonalProjectsPerUser: import_zod2.z.number().int().min(0).optional(),
-  logoUrl: import_zod2.z.string().url().nullable().optional(),
-  accentColor: import_zod2.z.string().regex(/^#[0-9A-Fa-f]{6}$/, "Invalid hex color format. Expected #RRGGBB").nullable().optional(),
-  tenantName: import_zod2.z.string().max(255).nullable().optional()
-});
-var InviteUserInputSchema = import_zod2.z.object({
+  ldapEnabled: import_zod3.z.boolean().optional(),
+  ldapUrl: import_zod3.z.string().url().nullable().optional(),
+  ldapBindDN: import_zod3.z.string().nullable().optional(),
+  ldapSearchBase: import_zod3.z.string().nullable().optional(),
+  deleteMergedBranches: import_zod3.z.boolean().optional(),
+  enforceConventionalCommits: import_zod3.z.boolean().optional(),
+  maxPersonalProjectsPerUser: import_zod3.z.number().int().min(0).optional(),
+  logoUrl: import_zod3.z.string().url().nullable().optional(),
+  accentColor: import_zod3.z.string().regex(/^#[0-9A-Fa-f]{6}$/, "Invalid hex color format. Expected #RRGGBB").nullable().optional(),
+  tenantName: import_zod3.z.string().max(255).nullable().optional()
+});
+var InviteUserInputSchema = import_zod3.z.object({
   organizationId: cuidOrPrefixedId,
-  email: import_zod2.z.string().email(),
-  role: import_zod2.z.nativeEnum(UserRole).default(UserRole.MEMBER),
-  tags: import_zod2.z.array(import_zod2.z.string()).default([])
+  email: import_zod3.z.string().email(),
+  role: import_zod3.z.nativeEnum(UserRole).default(UserRole.MEMBER),
+  tags: import_zod3.z.array(import_zod3.z.string()).default([])
 });
-var AssignUserTagsInputSchema = import_zod2.z.object({
+var AssignUserTagsInputSchema = import_zod3.z.object({
   userId: cuidOrPrefixedId,
-  tags: import_zod2.z.array(import_zod2.z.string()).min(0)
+  tags: import_zod3.z.array(import_zod3.z.string()).min(0)
 });
-var InviteCollaboratorInputSchema = import_zod2.z.object({
+var InviteCollaboratorInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
-  email: import_zod2.z.string().email()
+  email: import_zod3.z.string().email()
 });
-var PublishProjectInputSchema = import_zod2.z.object({
+var PublishProjectInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
-  transferOwnership: import_zod2.z.boolean().default(false),
-  tags: import_zod2.z.array(import_zod2.z.string()).min(1)
+  transferOwnership: import_zod3.z.boolean().default(false),
+  tags: import_zod3.z.array(import_zod3.z.string()).min(1)
+});
+var GenerateApiKeyInputSchema = import_zod3.z.object({
+  name: import_zod3.z.string().min(1).max(100),
+  publicNickname: import_zod3.z.string().max(50).optional(),
+  expiresInDays: import_zod3.z.number().int().min(1).max(365).default(90),
+  permissions: import_zod3.z.nativeEnum(ApiKeyPermission).default(ApiKeyPermission.WRITE)
 });
-var GenerateApiKeyInputSchema = import_zod2.z.object({
-  name: import_zod2.z.string().min(1).max(100),
-  expiresInDays: import_zod2.z.number().int().min(1).max(365).default(90),
-  permissions: import_zod2.z.nativeEnum(ApiKeyPermission).default(ApiKeyPermission.WRITE)
+var UpdateApiKeyInputSchema = import_zod3.z.object({
+  publicNickname: import_zod3.z.string().max(50).nullable().optional(),
+  scopedOrganizationId: import_zod3.z.string().optional().nullable(),
+  scopedProjectIds: import_zod3.z.array(import_zod3.z.string()).optional()
 });
-var RevokeApiKeyInputSchema = import_zod2.z.object({
+var RevokeApiKeyInputSchema = import_zod3.z.object({
   keyId: cuidOrPrefixedId
 });
-var LoginInputSchema = import_zod2.z.object({
-  email: import_zod2.z.string().email(),
-  password: import_zod2.z.string().min(8).max(255)
+var LoginInputSchema = import_zod3.z.object({
+  email: import_zod3.z.string().email(),
+  password: import_zod3.z.string().min(8).max(255)
 });
-var RegisterInputSchema = import_zod2.z.object({
-  email: import_zod2.z.string().email(),
-  password: import_zod2.z.string().min(8).max(255),
-  name: import_zod2.z.string().min(1).max(255),
-  organizationSlug: import_zod2.z.string().min(1).max(100).regex(/^[a-z0-9-]+$/).optional()
+var RegisterInputSchema = import_zod3.z.object({
+  email: import_zod3.z.string().email(),
+  password: import_zod3.z.string().min(8).max(255),
+  name: import_zod3.z.string().min(1).max(255)
 });
-var VerifyTaskInputSchema = import_zod2.z.object({
+var VerifyTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  approved: import_zod2.z.boolean(),
-  feedback: import_zod2.z.string().max(5e3).optional()
+  approved: import_zod3.z.boolean(),
+  feedback: import_zod3.z.string().max(5e3).optional()
 });
-var GetTaskPromptInputSchema = import_zod2.z.object({
+var GetTaskPromptInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId
 });
-var UpdateTaskMCPInputSchema = import_zod2.z.object({
+var UpdateTaskMCPInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  title: import_zod2.z.string().min(1).max(200).optional(),
-  description: import_zod2.z.string().max(5e3).optional(),
-  priority: import_zod2.z.nativeEnum(TaskPriority).optional(),
-  acceptanceCriteria: import_zod2.z.array(import_zod2.z.object({
-    id: import_zod2.z.string().optional(),
-    description: import_zod2.z.string().min(1).max(500)
+  title: import_zod3.z.string().min(1).max(200).optional(),
+  description: import_zod3.z.string().max(5e3).optional(),
+  priority: import_zod3.z.nativeEnum(TaskPriority).optional(),
+  acceptanceCriteria: import_zod3.z.array(import_zod3.z.object({
+    id: import_zod3.z.string().optional(),
+    description: import_zod3.z.string().min(1).max(500)
   })).optional()
 });
-var ReportBranchInputSchema = import_zod2.z.object({
+var ReportBranchInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
   branchName: gitBranchName
 });
-var ReportPRInputSchema = import_zod2.z.object({
+var ReportPRInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  pullRequestUrl: import_zod2.z.string().url(),
-  pullRequestNumber: import_zod2.z.number().int().positive()
+  pullRequestUrl: import_zod3.z.string().url(),
+  pullRequestNumber: import_zod3.z.number().int().positive()
 });
 
 // ../../packages/core/dist/logging/metrics.js
@@ -783,23 +982,16 @@ function createHistogram(name, help, buckets = [5e-3, 0.01, 0.025, 0.05, 0.1, 0.
 var httpRequestsTotal = createCounter("mtaap_http_requests_total", "Total number of HTTP requests");
 var httpRequestDuration = createHistogram("mtaap_http_request_duration_seconds", "HTTP request duration in seconds");
 var activeUsers = createGauge("mtaap_active_users", "Number of active users");
-var tasksTotal = createCounter("mtaap_tasks_total", "Total number of tasks by state");
-var taskStateChanges = createCounter("mtaap_task_state_changes_total", "Total number of task state changes");
 var httpErrorsTotal = createCounter("mtaap_http_errors_total", "Total number of HTTP errors");
 var httpActiveConnections = createGauge("mtaap_http_active_connections", "Number of active HTTP connections");
 var newSignupsTotal = createCounter("mtaap_new_signups_total", "Total number of new user signups");
 var loginSuccessTotal = createCounter("mtaap_login_success_total", "Total number of successful logins");
 var loginFailureTotal = createCounter("mtaap_login_failure_total", "Total number of failed logins");
-var dbConnectionPoolActive = createGauge("mtaap_db_connection_pool_active", "Number of active database connections");
-var dbConnectionPoolIdle = createGauge("mtaap_db_connection_pool_idle", "Number of idle database connections");
-var dbConnectionPoolMax = createGauge("mtaap_db_connection_pool_max", "Maximum number of database connections");
 var dbQueryDuration = createHistogram("mtaap_db_query_duration_seconds", "Database query duration in seconds");
 var dbSlowQueriesTotal = createCounter("mtaap_db_slow_queries_total", "Total number of slow database queries (>1s)");
-var dbErrorsTotal = createCounter("mtaap_db_errors_total", "Total number of database errors");
 var tasksCreatedTotal = createCounter("mtaap_tasks_created_total", "Total number of tasks created");
 var tasksAssignedTotal = createCounter("mtaap_tasks_assigned_total", "Total number of tasks assigned");
 var tasksCompletedTotal = createCounter("mtaap_tasks_completed_total", "Total number of tasks completed");
-var tasksByState = createGauge("mtaap_tasks_by_state", "Number of tasks by state");
 
 // ../../packages/core/dist/logging/performance-monitor.js
 var MAX_SAMPLES = 1e3;
@@ -1021,12 +1213,17 @@ var ApiError = class extends Error {
 var MCPApiClient = class {
   baseUrl;
   apiKey;
+  oauthToken;
   timeout;
   debug;
   authContext = null;
   constructor(config3) {
+    if (!config3.apiKey && !config3.oauthToken) {
+      throw new Error("Either apiKey or oauthToken must be provided");
+    }
     this.baseUrl = config3.baseUrl.replace(/\/$/, "");
     this.apiKey = config3.apiKey;
+    this.oauthToken = config3.oauthToken;
     this.timeout = config3.timeout ?? DEFAULT_TIMEOUT;
     this.debug = config3.debug ?? false;
   }
@@ -1041,18 +1238,33 @@ var MCPApiClient = class {
       console.error(`[mcp-api] ${method} ${sanitizeForLogging(path)}`);
     }
     try {
+      const headers = {
+        "Content-Type": "application/json"
+      };
+      if (this.oauthToken) {
+        headers["Authorization"] = `Bearer ${this.oauthToken}`;
+      } else if (this.apiKey) {
+        headers["X-API-Key"] = this.apiKey;
+      }
       const response = await fetch(url, {
         method,
-        headers: {
-          "Content-Type": "application/json",
-          "X-API-Key": this.apiKey
-        },
+        headers,
         body: body ? JSON.stringify(body) : void 0,
         signal: controller.signal
       });
       clearTimeout(timeoutId);
       const data = await response.json();
       if (!response.ok) {
+        if (response.status === 403 && data.code === "EMAIL_NOT_VERIFIED" && data.verificationUrl) {
+          throw new ApiError(
+            `${data.error}
+
+To verify your email, visit: ${data.verificationUrl}
+${data.hint ? `Hint: ${data.hint}` : ""}`,
+            "EMAIL_NOT_VERIFIED",
+            403
+          );
+        }
         throw new ApiError(
           data.error || "API request failed",
           data.code || "UNKNOWN_ERROR",
@@ -1315,7 +1527,7 @@ var PERMISSION_RANK = {
   ADMIN: 3
 };
 function assertApiKeyPermission(apiKey, required, toolName) {
-  const actualRank = PERMISSION_RANK[apiKey.permissions] ?? 0;
+  const actualRank = apiKey.permissions ? PERMISSION_RANK[apiKey.permissions] ?? 0 : 0;
   const requiredRank = PERMISSION_RANK[required] ?? 0;
   if (actualRank >= requiredRank) {
     return;
@@ -1366,14 +1578,16 @@ Task Creation & Verification:
 
 Standard Task Workflow:
   list_projects -> get_project_context -> list_tasks(state=TODO) -> get_task -> get_task_prompt (TODO)
-  -> assign_task (returns suggested branch name)
-  -> git checkout -b <branchName> (local git command)
-  -> git push -u origin <branchName> (local git command)
-  -> report_branch (tell server about the branch)
+  -> assign_task (returns suggested branch name and worktree path)
+  -> git worktree add <worktreePath> -b <branchName> <baseBranch>
+  -> cd <worktreePath>
   -> [update_progress...]
+  -> git push -u origin <branchName>
+  -> report_branch (tell server about the branch)
   -> complete_task (returns PR suggestions)
   -> gh pr create (local gh command)
   -> report_pr (tell server about the PR)
+  -> git worktree remove <worktreePath>
 
 Resume Workflow:
   check_active_task -> (if active) get_task -> get_task_prompt (IN_PROGRESS) -> update_progress -> complete_task
@@ -1389,10 +1603,14 @@ Error Recovery:
   (abandon_task returns IN_PROGRESS tasks to TODO state)
 
 GIT OPERATIONS NOTE:
-  The agent handles all git operations locally. After assign_task returns a suggested branch name,
-  the agent creates the branch with git, pushes it, and reports it via report_branch.
-  After complete_task returns PR suggestions, the agent creates the PR with gh, and reports it via report_pr.
-  This eliminates the need for GitHub tokens on the server.
+  The agent handles all git operations locally using git worktrees for isolation.
+  After assign_task returns a suggested branch name and worktree path:
+  1. Create worktree: git worktree add <worktreePath> -b <branchName> <baseBranch>
+  2. Work in worktree directory: cd <worktreePath>
+  3. After completing work, push and call report_branch
+  4. After complete_task, create PR with gh and call report_pr
+  5. Clean up worktree: git worktree remove <worktreePath>
+  Worktrees enable parallel task execution without git conflicts.
 
 TASK STATE FLOW:
   DRAFT -> TODO -> IN_PROGRESS -> REVIEW -> DONE
@@ -1412,7 +1630,7 @@ CONSTRAINTS:
 - Always check_active_task before starting new work
 - Call update_progress frequently to checkpoint
 - Agent must have git/gh CLI configured for local git operations`;
-async function createMCPServer() {
+function initializeMCPServer(apiClient, authContext) {
   const server = new import_mcp.McpServer(
     {
       name: "collab",
@@ -1422,16 +1640,6 @@ async function createMCPServer() {
       instructions: COLLAB_SERVER_INSTRUCTIONS
     }
   );
-  const apiClient = createApiClientFromEnv();
-  let authContext;
-  try {
-    authContext = await apiClient.authenticate();
-  } catch (error) {
-    if (error instanceof ApiError) {
-      throw new Error(`Authentication failed: ${error.message}`);
-    }
-    throw error;
-  }
   const mockApiKey = {
     permissions: authContext.permissions.includes("ADMIN") ? ApiKeyPermission.ADMIN : authContext.permissions.includes("WRITE") ? ApiKeyPermission.WRITE : ApiKeyPermission.READ
   };
@@ -1440,7 +1648,7 @@ async function createMCPServer() {
     {
       description: "Discover all accessible projects. Use first to find project IDs. Filter by TEAM, PERSONAL, or ALL workspaces.",
       inputSchema: {
-        workspaceType: import_zod3.z.enum(["TEAM", "PERSONAL", "ALL"]).optional().describe("Filter by workspace type")
+        workspaceType: import_zod4.z.enum(["TEAM", "PERSONAL", "ALL"]).optional().describe("Filter by workspace type")
       }
     },
     async (args) => {
@@ -1470,10 +1678,10 @@ async function createMCPServer() {
     {
       description: "Query tasks with filters. Use state=TODO for assignable tasks, state=REVIEW for pending reviews.",
       inputSchema: {
-        projectId: import_zod3.z.string().optional().describe("Filter by project ID"),
-        state: import_zod3.z.nativeEnum(TaskState).optional().describe("Filter by task state"),
-        assigneeId: import_zod3.z.string().optional().describe("Filter by assignee ID"),
-        includeArchived: import_zod3.z.boolean().optional().describe("Include archived tasks (default: false)")
+        projectId: import_zod4.z.string().optional().describe("Filter by project ID"),
+        state: import_zod4.z.nativeEnum(TaskState).optional().describe("Filter by task state"),
+        assigneeId: import_zod4.z.string().optional().describe("Filter by assignee ID"),
+        includeArchived: import_zod4.z.boolean().optional().describe("Include archived tasks (default: false)")
       }
     },
     async (args) => {
@@ -1504,7 +1712,7 @@ async function createMCPServer() {
     {
       description: "Get complete task details with acceptance criteria and notes. Call before assign_task to understand requirements.",
       inputSchema: {
-        taskId: import_zod3.z.string().describe("The task ID to retrieve")
+        taskId: import_zod4.z.string().describe("The task ID to retrieve")
       }
     },
     async (args) => {
@@ -1528,11 +1736,11 @@ async function createMCPServer() {
   server.registerTool(
     "assign_task",
     {
-      description: "Atomically claim a task and create git branch. Race-safe - fails if already assigned. Task must be TODO.",
+      description: "Atomically claim a task. Race-safe - fails if already assigned. Task must be TODO. Returns suggested branch name and worktree path for isolated parallel development.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to assign"),
-        expectedState: import_zod3.z.nativeEnum(TaskState).optional().describe("Expected task state (default: TODO)")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to assign"),
+        expectedState: import_zod4.z.nativeEnum(TaskState).optional().describe("Expected task state (default: TODO)")
       }
     },
     async (args) => {
@@ -1566,10 +1774,10 @@ async function createMCPServer() {
     {
       description: "Report progress and checkpoint work. Call frequently during execution. Marks acceptance criteria complete.",
       inputSchema: {
-        taskId: import_zod3.z.string().describe("The task ID to update"),
-        statusMessage: import_zod3.z.string().optional().describe("Status message (max 1000 chars)"),
-        completedCheckpointIds: import_zod3.z.array(import_zod3.z.string()).optional().describe("Array of completed checkpoint IDs"),
-        currentCheckpointIndex: import_zod3.z.number().optional().describe("Current checkpoint index")
+        taskId: import_zod4.z.string().describe("The task ID to update"),
+        statusMessage: import_zod4.z.string().optional().describe("Status message (max 1000 chars)"),
+        completedCheckpointIds: import_zod4.z.array(import_zod4.z.string()).optional().describe("Array of completed checkpoint IDs"),
+        currentCheckpointIndex: import_zod4.z.number().optional().describe("Current checkpoint index")
       }
     },
     async (args) => {
@@ -1603,10 +1811,10 @@ async function createMCPServer() {
     {
       description: "Prepare task for PR creation. Returns PR suggestions. After creating PR locally, call report_pr to transition to REVIEW. Requires IN_PROGRESS state.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to complete"),
-        pullRequestTitle: import_zod3.z.string().optional().describe("PR title (max 300 chars)"),
-        pullRequestBody: import_zod3.z.string().optional().describe("PR body/description (max 10000 chars)")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to complete"),
+        pullRequestTitle: import_zod4.z.string().optional().describe("PR title (max 300 chars)"),
+        pullRequestBody: import_zod4.z.string().optional().describe("PR body/description (max 10000 chars)")
       }
     },
     async (args) => {
@@ -1663,10 +1871,10 @@ async function createMCPServer() {
     {
       description: "Report unrecoverable errors (BUILD_FAILURE, TEST_FAILURE, CONFLICT, AUTH_ERROR). Consider abandon_task after.",
       inputSchema: {
-        taskId: import_zod3.z.string().describe("The task ID"),
-        errorType: import_zod3.z.nativeEnum(ErrorType).describe("Error type: BUILD_FAILURE, TEST_FAILURE, CONFLICT, AUTH_ERROR, OTHER"),
-        errorMessage: import_zod3.z.string().describe("Error message (max 1000 chars)"),
-        context: import_zod3.z.string().optional().describe("Additional context (max 2000 chars)")
+        taskId: import_zod4.z.string().describe("The task ID"),
+        errorType: import_zod4.z.nativeEnum(ErrorType).describe("Error type: BUILD_FAILURE, TEST_FAILURE, CONFLICT, AUTH_ERROR, OTHER"),
+        errorMessage: import_zod4.z.string().describe("Error message (max 1000 chars)"),
+        context: import_zod4.z.string().optional().describe("Additional context (max 2000 chars)")
       }
     },
     async (args) => {
@@ -1701,7 +1909,7 @@ async function createMCPServer() {
     {
       description: "Load project README, tech stack, and coding conventions. Call after selecting project.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID")
+        projectId: import_zod4.z.string().describe("The project ID")
       }
     },
     async (args) => {
@@ -1731,8 +1939,8 @@ async function createMCPServer() {
     {
       description: "Document implementation decisions. Notes persist for future reference and handoff.",
       inputSchema: {
-        taskId: import_zod3.z.string().describe("The task ID"),
-        content: import_zod3.z.string().describe("Note content (max 500 chars)")
+        taskId: import_zod4.z.string().describe("The task ID"),
+        content: import_zod4.z.string().describe("Note content (max 500 chars)")
       }
     },
     async (args) => {
@@ -1761,9 +1969,9 @@ async function createMCPServer() {
     {
       description: "Release task assignment and optionally clean up branch. Task returns to TODO. Use after errors.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to abandon"),
-        deleteBranch: import_zod3.z.boolean().optional().describe("Whether to delete the associated branch")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to abandon"),
+        deleteBranch: import_zod4.z.boolean().optional().describe("Whether to delete the associated branch")
       }
     },
     async (args) => {
@@ -1797,9 +2005,9 @@ async function createMCPServer() {
     {
       description: "Report a branch created by the agent. Call after using git to create and push a branch. Task must be IN_PROGRESS.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID"),
-        branchName: import_zod3.z.string().describe("Name of the branch created (e.g., feature/TASK-123-fix-login)")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID"),
+        branchName: import_zod4.z.string().describe("Name of the branch created (e.g., feature/TASK-123-fix-login)")
       }
     },
     async (args) => {
@@ -1833,10 +2041,10 @@ async function createMCPServer() {
     {
       description: "Report a PR created by the agent. Call after using gh pr create. Transitions task to REVIEW state.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID"),
-        pullRequestUrl: import_zod3.z.string().describe("Full URL of the created PR (e.g., https://github.com/owner/repo/pull/123)"),
-        pullRequestNumber: import_zod3.z.number().describe("PR number (e.g., 123)")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID"),
+        pullRequestUrl: import_zod4.z.string().describe("Full URL of the created PR (e.g., https://github.com/owner/repo/pull/123)"),
+        pullRequestNumber: import_zod4.z.number().describe("PR number (e.g., 123)")
       }
     },
     async (args) => {
@@ -1871,8 +2079,8 @@ async function createMCPServer() {
     {
       description: "Soft-delete a task. Hidden but restorable via unarchive_task.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to archive")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to archive")
       }
     },
     async (args) => {
@@ -1905,8 +2113,8 @@ async function createMCPServer() {
     {
       description: "Restore previously archived task to original state.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to restore")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to restore")
       }
     },
     async (args) => {
@@ -1939,9 +2147,9 @@ async function createMCPServer() {
     {
       description: "Create new project in personal workspace linked to GitHub repository.",
       inputSchema: {
-        name: import_zod3.z.string().describe("Project name (max 100 chars)"),
-        description: import_zod3.z.string().optional().describe("Project description (max 500 chars)"),
-        repositoryUrl: import_zod3.z.string().describe("GitHub repository URL")
+        name: import_zod4.z.string().describe("Project name (max 100 chars)"),
+        description: import_zod4.z.string().optional().describe("Project description (max 500 chars)"),
+        repositoryUrl: import_zod4.z.string().describe("GitHub repository URL")
       }
     },
     async (args) => {
@@ -1975,14 +2183,14 @@ async function createMCPServer() {
     {
       description: "Create task with title, description, acceptance criteria. Starts in DRAFT. Priority: LOW/MEDIUM/HIGH/CRITICAL.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID to create the task in"),
-        epicId: import_zod3.z.string().nullable().optional().describe("Optional epic ID to associate the task with"),
-        title: import_zod3.z.string().describe("Task title (max 200 chars)"),
-        description: import_zod3.z.string().describe("Task description (max 5000 chars)"),
-        priority: import_zod3.z.nativeEnum(TaskPriority).optional().describe("Task priority: LOW, MEDIUM, HIGH, CRITICAL (default: MEDIUM)"),
-        acceptanceCriteria: import_zod3.z.array(
-          import_zod3.z.object({
-            description: import_zod3.z.string().describe("Acceptance criterion description (max 500 chars)")
+        projectId: import_zod4.z.string().describe("The project ID to create the task in"),
+        epicId: import_zod4.z.string().nullable().optional().describe("Optional epic ID to associate the task with"),
+        title: import_zod4.z.string().describe("Task title (max 200 chars)"),
+        description: import_zod4.z.string().describe("Task description (max 5000 chars)"),
+        priority: import_zod4.z.nativeEnum(TaskPriority).optional().describe("Task priority: LOW, MEDIUM, HIGH, CRITICAL (default: MEDIUM)"),
+        acceptanceCriteria: import_zod4.z.array(
+          import_zod4.z.object({
+            description: import_zod4.z.string().describe("Acceptance criterion description (max 500 chars)")
           })
         ).describe("Array of acceptance criteria (at least 1 required)")
       }
@@ -2021,10 +2229,10 @@ async function createMCPServer() {
     {
       description: "Return task from REVIEW to IN_PROGRESS with feedback. Original assignee addresses changes.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to review"),
-        reviewComments: import_zod3.z.string().describe("Review comments explaining requested changes (max 5000 chars)"),
-        requestedChanges: import_zod3.z.array(import_zod3.z.string()).optional().describe("List of specific changes requested")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to review"),
+        reviewComments: import_zod4.z.string().describe("Review comments explaining requested changes (max 5000 chars)"),
+        requestedChanges: import_zod4.z.array(import_zod4.z.string()).optional().describe("List of specific changes requested")
       }
     },
     async (args) => {
@@ -2059,9 +2267,9 @@ async function createMCPServer() {
     {
       description: "Approve completed work and mark DONE. Only for REVIEW state tasks.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to approve"),
-        reviewComments: import_zod3.z.string().optional().describe("Optional approval comments (max 2000 chars)")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to approve"),
+        reviewComments: import_zod4.z.string().optional().describe("Optional approval comments (max 2000 chars)")
       }
     },
     async (args) => {
@@ -2095,10 +2303,10 @@ async function createMCPServer() {
     {
       description: "Verify a DRAFT task and move it to TODO state. Requires task to pass programmatic validation (title 10+ chars, description 50+ chars, each criterion 20+ chars). If approved=false, stores feedback with NEEDS_REVISION status.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to verify"),
-        approved: import_zod3.z.boolean().describe("Whether to approve the task"),
-        feedback: import_zod3.z.string().optional().describe("Feedback for the task (required if not approved)")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to verify"),
+        approved: import_zod4.z.boolean().describe("Whether to approve the task"),
+        feedback: import_zod4.z.string().optional().describe("Feedback for the task (required if not approved)")
       }
     },
     async (args) => {
@@ -2129,8 +2337,8 @@ async function createMCPServer() {
     {
       description: "Get state-appropriate prompt for a task. Returns verify prompt for DRAFT, assignment prompt for TODO, or continue prompt for IN_PROGRESS tasks.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID")
       }
     },
     async (args) => {
@@ -2163,15 +2371,15 @@ async function createMCPServer() {
     {
       description: "Update task details (title, description, priority, acceptanceCriteria). Only works for DRAFT and TODO states. If task is in TODO state, it reverts to DRAFT and requires re-verification.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to update"),
-        title: import_zod3.z.string().optional().describe("New task title"),
-        description: import_zod3.z.string().optional().describe("New task description"),
-        priority: import_zod3.z.nativeEnum(TaskPriority).optional().describe("New task priority"),
-        acceptanceCriteria: import_zod3.z.array(
-          import_zod3.z.object({
-            id: import_zod3.z.string().optional().describe("Existing criterion ID (for updates)"),
-            description: import_zod3.z.string().describe("Criterion description")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to update"),
+        title: import_zod4.z.string().optional().describe("New task title"),
+        description: import_zod4.z.string().optional().describe("New task description"),
+        priority: import_zod4.z.nativeEnum(TaskPriority).optional().describe("New task priority"),
+        acceptanceCriteria: import_zod4.z.array(
+          import_zod4.z.object({
+            id: import_zod4.z.string().optional().describe("Existing criterion ID (for updates)"),
+            description: import_zod4.z.string().describe("Criterion description")
           })
         ).optional().describe("New acceptance criteria (replaces existing)")
       }
@@ -2227,9 +2435,26 @@ async function createMCPServer() {
       };
     }
   );
-  const transport = new import_stdio.StdioServerTransport();
+  return server;
+}
+async function connectMCPServer(server, transport) {
   await server.connect(transport);
 }
+async function createMCPServer() {
+  const apiClient = createApiClientFromEnv();
+  let authContext;
+  try {
+    authContext = await apiClient.authenticate();
+  } catch (error) {
+    if (error instanceof ApiError) {
+      throw new Error(`Authentication failed: ${error.message}`);
+    }
+    throw error;
+  }
+  const server = initializeMCPServer(apiClient, authContext);
+  const transport = new import_stdio.StdioServerTransport();
+  await connectMCPServer(server, transport);
+}
 function handleApiError(error) {
   if (error instanceof ApiError) {
     return {
@@ -2262,11 +2487,12 @@ function handleApiError(error) {
     isError: true
   };
 }
-var ActiveTaskSchema = import_zod3.z.object({
-  taskId: import_zod3.z.string().min(1),
-  projectId: import_zod3.z.string().min(1),
-  branchName: import_zod3.z.string().optional(),
-  startedAt: import_zod3.z.string().optional()
+var ActiveTaskSchema = import_zod4.z.object({
+  taskId: import_zod4.z.string().min(1),
+  projectId: import_zod4.z.string().min(1),
+  branchName: import_zod4.z.string().optional(),
+  worktreePath: import_zod4.z.string().optional(),
+  startedAt: import_zod4.z.string().optional()
 });
 async function checkActiveTask() {
   const fs = await import("fs");
@@ -2364,7 +2590,7 @@ Example mcp.json configuration:
   "mcpServers": {
     "collab": {
       "command": "npx",
-      "args": ["@mtaap/mcp"],
+      "args": ["-p", "@mtaap/mcp", "collab-mcp"],
       "env": {
         "COLLAB_API_KEY": "collab_your_api_key_here",
         "COLLAB_BASE_URL": "https://collab.mtaap.de"
@@ -2399,7 +2625,7 @@ function validateEnvironment() {
   "mcpServers": {
     "collab": {
       "command": "npx",
-      "args": ["@mtaap/mcp"],
+      "args": ["-p", "@mtaap/mcp", "collab-mcp"],
       "env": {
         "COLLAB_API_KEY": "collab_your_api_key_here",
         "COLLAB_BASE_URL": "https://collab.mtaap.de"
@@ -2419,15 +2645,17 @@ function validateEnvironment() {
 async function checkConnectivity() {
   const baseUrl = process.env.COLLAB_BASE_URL;
   console.error(`[collab-mcp] Checking connectivity to ${baseUrl}...`);
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), 1e4);
   try {
     const response = await fetch(`${baseUrl}/api/mcp/auth`, {
       method: "GET",
       headers: {
         "X-API-Key": process.env.COLLAB_API_KEY
       },
-      signal: AbortSignal.timeout(1e4)
-      // 10 second timeout
+      signal: controller.signal
     });
+    clearTimeout(timeoutId);
     if (!response.ok) {
       const data = await response.json().catch(() => ({}));
       if (response.status === 401) {
@@ -2439,7 +2667,8 @@ async function checkConnectivity() {
     }
     console.error("[collab-mcp] Connected successfully");
   } catch (error) {
-    if (error instanceof Error && error.name === "TimeoutError") {
+    clearTimeout(timeoutId);
+    if (error instanceof Error && error.name === "AbortError") {
       console.error(`[collab-mcp] Error: Connection timed out to ${baseUrl}`);
     } else {
       console.error(`[collab-mcp] Error: Could not connect to ${baseUrl}`);