@mtaap/mcp 0.2.13 → 0.4.1

package/dist/server.js

@@ -36,7 +36,7 @@ var import_stdio = require("@modelcontextprotocol/sdk/server/stdio.js");
 // package.json
 var package_default = {
   name: "@mtaap/mcp",
-  version: "0.2.12",
+  version: "0.4.1",
   description: "Model Context Protocol (MCP) server for AI agents to interact with Collab - the multi-tenant collaborative agent development platform",
   mcpName: "collab",
   scripts: {
@@ -45,6 +45,7 @@ var package_default = {
   main: "./dist/index.js",
   types: "./dist/index.d.ts",
   bin: {
+    mcp: "./dist/cli.js",
     "collab-mcp": "./dist/cli.js",
     "collab-mcp-server": "./dist/server.js"
   },
@@ -94,7 +95,7 @@ var package_default = {
 var VERSION = package_default.version;
 
 // src/index.ts
-var import_zod3 = require("zod");
+var import_zod4 = require("zod");
 
 // ../../packages/core/dist/constants/enums.js
 var TaskState;
@@ -181,12 +182,6 @@ var WebSocketEventType;
   WebSocketEventType2["TASK_DELETED"] = "task.deleted";
   WebSocketEventType2["MEMBER_JOINED"] = "member.joined";
 })(WebSocketEventType || (WebSocketEventType = {}));
-var AuthProvider;
-(function(AuthProvider2) {
-  AuthProvider2["CREDENTIALS"] = "credentials";
-  AuthProvider2["LDAP"] = "ldap";
-  AuthProvider2["SSO"] = "sso";
-})(AuthProvider || (AuthProvider = {}));
 var SubscriptionStatus;
 (function(SubscriptionStatus2) {
   SubscriptionStatus2["ACTIVE"] = "ACTIVE";
@@ -202,6 +197,12 @@ var EventType;
   EventType2["ACCESS"] = "ACCESS";
   EventType2["MODIFICATION"] = "MODIFICATION";
 })(EventType || (EventType = {}));
+var CreatedVia;
+(function(CreatedVia2) {
+  CreatedVia2["UI"] = "UI";
+  CreatedVia2["API_KEY"] = "API_KEY";
+  CreatedVia2["OAUTH"] = "OAUTH";
+})(CreatedVia || (CreatedVia = {}));
 
 // ../../packages/core/dist/constants/state-machine.js
 var VALID_TRANSITIONS = {
@@ -225,6 +226,62 @@ var VALID_TRANSITIONS = {
   [TaskState.DONE]: []
 };
 
+// ../../packages/core/dist/constants/oauth.js
+var OAuthScopes = {
+  /** Read-only access to MCP resources */
+  READ: "mcp:read",
+  /** Read and write access to MCP resources */
+  WRITE: "mcp:write",
+  /** Full administrative access */
+  ADMIN: "mcp:admin"
+};
+var VALID_OAUTH_SCOPES = [
+  OAuthScopes.READ,
+  OAuthScopes.WRITE,
+  OAuthScopes.ADMIN
+];
+var DEFAULT_OAUTH_SCOPES = `${OAuthScopes.READ} ${OAuthScopes.WRITE}`;
+var OAUTH_SCOPE_TO_PERMISSION = {
+  [OAuthScopes.READ]: ApiKeyPermission.READ,
+  [OAuthScopes.WRITE]: ApiKeyPermission.WRITE,
+  [OAuthScopes.ADMIN]: ApiKeyPermission.ADMIN
+};
+var PERMISSION_TO_OAUTH_SCOPE = {
+  [ApiKeyPermission.READ]: OAuthScopes.READ,
+  [ApiKeyPermission.WRITE]: OAuthScopes.WRITE,
+  [ApiKeyPermission.ADMIN]: OAuthScopes.ADMIN
+};
+var OAuthTokenLifetimes = {
+  /** Access token lifetime: 1 hour */
+  ACCESS_TOKEN_MS: 60 * 60 * 1e3,
+  /** Refresh token lifetime: 30 days */
+  REFRESH_TOKEN_MS: 30 * 24 * 60 * 60 * 1e3,
+  /** Authorization code lifetime: 10 minutes */
+  AUTHORIZATION_CODE_MS: 10 * 60 * 1e3
+};
+var OAuthGrantTypes = {
+  AUTHORIZATION_CODE: "authorization_code",
+  REFRESH_TOKEN: "refresh_token"
+};
+var SUPPORTED_GRANT_TYPES = [
+  OAuthGrantTypes.AUTHORIZATION_CODE,
+  OAuthGrantTypes.REFRESH_TOKEN
+];
+var OAuthResponseTypes = {
+  CODE: "code"
+};
+var OAuthCodeChallengeMethods = {
+  S256: "S256"
+};
+var OAuthRateLimits = {
+  /** /oauth/token: 30 requests per minute per client */
+  TOKEN_ENDPOINT: { limit: 30, windowMs: 60 * 1e3 },
+  /** /oauth/authorize: 10 requests per minute per user */
+  AUTHORIZE_ENDPOINT: { limit: 10, windowMs: 60 * 1e3 },
+  /** /oauth/register: 5 requests per minute per IP */
+  REGISTER_ENDPOINT: { limit: 5, windowMs: 60 * 1e3 }
+};
+
 // ../../packages/core/dist/config/deployment.js
 var config = {
   deploymentMode: process.env.DEPLOYMENT_MODE || "saas"
@@ -232,20 +289,24 @@ var config = {
 var isSaas = config.deploymentMode === "saas";
 var isOnPrem = config.deploymentMode === "onprem";
 
-// ../../packages/core/dist/version.js
-var VERSION2 = "0.1.0";
+// ../../packages/core/dist/versions.js
+var VERSIONS = {
+  core: "0.3.0",
+  web: "0.3.0",
+  mcp: "0.4.1"
+};
+var VERSION2 = VERSIONS.core;
 
 // ../../packages/core/dist/config/index.js
 var DEPLOYMENT_MODE = process.env.DEPLOYMENT_MODE || "saas";
 var config2 = {
   version: VERSION2,
+  packages: VERSIONS,
   deploymentMode: DEPLOYMENT_MODE,
   billing: {
     enabled: DEPLOYMENT_MODE === "saas",
     revenuecat: {
-      publicKey: process.env.REVENUECAT_PUBLIC_API_KEY,
-      stripeKey: process.env.STRIPE_SECRET_KEY
-      // Required by RevenueCat Web Billing
+      publicKey: process.env.NEXT_PUBLIC_REVENUECAT_PUBLIC_KEY
     }
   },
   licensing: {
@@ -351,7 +412,6 @@ var OrganizationIdSchema = import_zod.z.string().regex(/^org_[a-zA-Z0-9]+$/);
 var OrganizationSchema = import_zod.z.object({
   id: OrganizationIdSchema,
   name: import_zod.z.string().min(1).max(255),
-  slug: import_zod.z.string().min(1).max(100).regex(/^[a-z0-9-]+$/),
   logoUrl: import_zod.z.string().url().nullable(),
   accentColor: import_zod.z.string().regex(/^#[0-9A-Fa-f]{6}$/).nullable(),
   tenantName: import_zod.z.string().nullable(),
@@ -479,239 +539,375 @@ var ProjectCollaboratorSchema = import_zod.z.object({
 });
 
 // ../../packages/core/dist/validation/index.js
+var import_zod3 = require("zod");
+
+// ../../packages/core/dist/validation/oauth.js
 var import_zod2 = require("zod");
-var ListProjectsInputSchema = import_zod2.z.object({
-  workspaceType: import_zod2.z.preprocess((val) => typeof val === "string" ? val.toUpperCase() : val, import_zod2.z.enum(["TEAM", "PERSONAL", "ALL"]).optional())
-});
-var ListTasksInputSchema = import_zod2.z.object({
-  projectId: import_zod2.z.string().optional(),
-  state: import_zod2.z.nativeEnum(TaskState).optional(),
-  assigneeId: import_zod2.z.string().optional(),
-  includeArchived: import_zod2.z.boolean().optional()
-});
-var cuidOrPrefixedId = import_zod2.z.string().regex(/^([a-z0-9]+|[a-z]+_[a-zA-Z0-9]+)$/);
-var gitBranchName = import_zod2.z.string().min(1).max(100).regex(/^[a-zA-Z0-9][-a-zA-Z0-9._/]*[a-zA-Z0-9]$|^[a-zA-Z0-9]$/, "Branch name must start and end with alphanumeric character").refine((val) => !val.includes("..") && !val.includes("@{") && !val.includes("//") && !val.endsWith(".lock") && !val.includes("~") && !val.includes("^") && !val.includes(":") && !val.includes("?") && !val.includes("*") && !val.includes("[") && !val.includes("\\") && !val.includes(" ") && !val.includes(";") && !val.includes("&") && !val.includes("|") && !val.includes("$") && !val.includes("`") && !val.includes("'") && !val.includes('"') && !val.includes("<") && !val.includes(">") && !val.includes("(") && !val.includes(")"), "Invalid branch name: contains forbidden characters or sequences");
-var GetTaskInputSchema = import_zod2.z.object({
+var scopeString = import_zod2.z.string().optional().transform((val) => {
+  if (!val)
+    return void 0;
+  const scopes = val.split(" ").filter(Boolean);
+  const validScopes = scopes.filter((s) => VALID_OAUTH_SCOPES.includes(s));
+  return validScopes.length > 0 ? validScopes.join(" ") : void 0;
+});
+var redirectUri = import_zod2.z.string().url().refine((uri) => {
+  const url = new URL(uri);
+  return url.protocol === "https:" || url.hostname === "localhost" || url.hostname === "127.0.0.1";
+}, { message: "redirect_uri must use HTTPS or be localhost" });
+var codeVerifier = import_zod2.z.string().min(43).max(128).regex(/^[A-Za-z0-9._~-]+$/, "code_verifier must only contain unreserved characters");
+var codeChallenge = import_zod2.z.string().min(43).max(128).regex(/^[A-Za-z0-9_-]+$/, "code_challenge must be base64url encoded (no padding)");
+var DynamicClientRegistrationSchema = import_zod2.z.object({
+  redirect_uris: import_zod2.z.array(redirectUri).min(1),
+  client_name: import_zod2.z.string().min(1).max(255),
+  client_uri: import_zod2.z.string().url().optional(),
+  logo_uri: import_zod2.z.string().url().optional(),
+  // Accept lowercase OAuth spec values
+  grant_types: import_zod2.z.array(import_zod2.z.enum(["authorization_code", "refresh_token"])).default(["authorization_code", "refresh_token"]),
+  response_types: import_zod2.z.array(import_zod2.z.enum([OAuthResponseTypes.CODE])).default([OAuthResponseTypes.CODE]),
+  scope: scopeString,
+  // Accept lowercase OAuth spec values
+  token_endpoint_auth_method: import_zod2.z.enum(["none", "client_secret_post", "client_secret_basic"]).default("none")
+});
+var DynamicClientRegistrationResponseSchema = import_zod2.z.object({
+  client_id: import_zod2.z.string(),
+  client_secret: import_zod2.z.string().optional(),
+  client_id_issued_at: import_zod2.z.number(),
+  client_secret_expires_at: import_zod2.z.number().optional(),
+  redirect_uris: import_zod2.z.array(import_zod2.z.string()),
+  client_name: import_zod2.z.string(),
+  client_uri: import_zod2.z.string().optional(),
+  logo_uri: import_zod2.z.string().optional(),
+  grant_types: import_zod2.z.array(import_zod2.z.string()),
+  response_types: import_zod2.z.array(import_zod2.z.string()),
+  scope: import_zod2.z.string(),
+  token_endpoint_auth_method: import_zod2.z.string(),
+  registration_access_token: import_zod2.z.string().optional(),
+  registration_client_uri: import_zod2.z.string().optional()
+});
+var AuthorizationRequestSchema = import_zod2.z.object({
+  response_type: import_zod2.z.literal(OAuthResponseTypes.CODE),
+  client_id: import_zod2.z.string().min(1),
+  redirect_uri: redirectUri,
+  scope: scopeString,
+  state: import_zod2.z.string().max(255).optional(),
+  // PKCE is mandatory in OAuth 2.1
+  code_challenge: codeChallenge,
+  code_challenge_method: import_zod2.z.literal(OAuthCodeChallengeMethods.S256)
+});
+var TokenRequestAuthorizationCodeSchema = import_zod2.z.object({
+  grant_type: import_zod2.z.literal(OAuthGrantTypes.AUTHORIZATION_CODE),
+  code: import_zod2.z.string().min(1),
+  redirect_uri: redirectUri,
+  client_id: import_zod2.z.string().min(1),
+  // PKCE code verifier is mandatory
+  code_verifier: codeVerifier,
+  // Client secret is optional (for confidential clients)
+  client_secret: import_zod2.z.string().optional()
+});
+var TokenRequestRefreshTokenSchema = import_zod2.z.object({
+  grant_type: import_zod2.z.literal(OAuthGrantTypes.REFRESH_TOKEN),
+  refresh_token: import_zod2.z.string().min(1),
+  client_id: import_zod2.z.string().min(1),
+  // Optional: request reduced scope
+  scope: scopeString,
+  // Client secret is optional (for confidential clients)
+  client_secret: import_zod2.z.string().optional()
+});
+var TokenRequestSchema = import_zod2.z.discriminatedUnion("grant_type", [
+  TokenRequestAuthorizationCodeSchema,
+  TokenRequestRefreshTokenSchema
+]);
+var TokenResponseSchema = import_zod2.z.object({
+  access_token: import_zod2.z.string(),
+  token_type: import_zod2.z.literal("Bearer"),
+  expires_in: import_zod2.z.number(),
+  refresh_token: import_zod2.z.string().optional(),
+  scope: import_zod2.z.string()
+});
+var TokenRevocationRequestSchema = import_zod2.z.object({
+  token: import_zod2.z.string().min(1),
+  token_type_hint: import_zod2.z.enum(["access_token", "refresh_token"]).optional(),
+  client_id: import_zod2.z.string().min(1),
+  client_secret: import_zod2.z.string().optional()
+});
+var OAuthErrorResponseSchema = import_zod2.z.object({
+  error: import_zod2.z.string(),
+  error_description: import_zod2.z.string().optional(),
+  error_uri: import_zod2.z.string().url().optional(),
+  state: import_zod2.z.string().optional()
+});
+var AuthorizationServerMetadataSchema = import_zod2.z.object({
+  issuer: import_zod2.z.string().url(),
+  authorization_endpoint: import_zod2.z.string().url(),
+  token_endpoint: import_zod2.z.string().url(),
+  registration_endpoint: import_zod2.z.string().url().optional(),
+  revocation_endpoint: import_zod2.z.string().url().optional(),
+  scopes_supported: import_zod2.z.array(import_zod2.z.string()),
+  response_types_supported: import_zod2.z.array(import_zod2.z.string()),
+  grant_types_supported: import_zod2.z.array(import_zod2.z.string()),
+  token_endpoint_auth_methods_supported: import_zod2.z.array(import_zod2.z.string()),
+  code_challenge_methods_supported: import_zod2.z.array(import_zod2.z.string()),
+  service_documentation: import_zod2.z.string().url().optional()
+});
+var ProtectedResourceMetadataSchema = import_zod2.z.object({
+  resource: import_zod2.z.string().url(),
+  authorization_servers: import_zod2.z.array(import_zod2.z.string().url()),
+  scopes_supported: import_zod2.z.array(import_zod2.z.string()).optional(),
+  bearer_methods_supported: import_zod2.z.array(import_zod2.z.string()).optional(),
+  resource_signing_alg_values_supported: import_zod2.z.array(import_zod2.z.string()).optional(),
+  resource_documentation: import_zod2.z.string().url().optional()
+});
+var InternalTokenValidationRequestSchema = import_zod2.z.object({
+  access_token: import_zod2.z.string().min(1)
+});
+var InternalTokenValidationResponseSchema = import_zod2.z.object({
+  valid: import_zod2.z.boolean(),
+  userId: import_zod2.z.string().optional(),
+  userEmail: import_zod2.z.string().optional(),
+  userName: import_zod2.z.string().optional(),
+  scope: import_zod2.z.string().optional(),
+  permissions: import_zod2.z.string().optional(),
+  clientId: import_zod2.z.string().optional(),
+  expiresAt: import_zod2.z.string().optional()
+});
+
+// ../../packages/core/dist/validation/index.js
+var ListProjectsInputSchema = import_zod3.z.object({
+  workspaceType: import_zod3.z.preprocess((val) => typeof val === "string" ? val.toUpperCase() : val, import_zod3.z.enum(["TEAM", "PERSONAL", "ALL"]).optional())
+});
+var ListTasksInputSchema = import_zod3.z.object({
+  projectId: import_zod3.z.string().optional(),
+  state: import_zod3.z.nativeEnum(TaskState).optional(),
+  assigneeId: import_zod3.z.string().optional(),
+  includeArchived: import_zod3.z.boolean().optional()
+});
+var cuidOrPrefixedId = import_zod3.z.string().regex(/^([a-z0-9]+|[a-z]+_[a-zA-Z0-9]+)$/);
+var gitBranchName = import_zod3.z.string().min(1).max(100).regex(/^[a-zA-Z0-9][-a-zA-Z0-9._/]*[a-zA-Z0-9]$|^[a-zA-Z0-9]$/, "Branch name must start and end with alphanumeric character").refine((val) => !val.includes("..") && !val.includes("@{") && !val.includes("//") && !val.endsWith(".lock") && !val.includes("~") && !val.includes("^") && !val.includes(":") && !val.includes("?") && !val.includes("*") && !val.includes("[") && !val.includes("\\") && !val.includes(" ") && !val.includes(";") && !val.includes("&") && !val.includes("|") && !val.includes("$") && !val.includes("`") && !val.includes("'") && !val.includes('"') && !val.includes("<") && !val.includes(">") && !val.includes("(") && !val.includes(")"), "Invalid branch name: contains forbidden characters or sequences");
+var GetTaskInputSchema = import_zod3.z.object({
   taskId: cuidOrPrefixedId
 });
-var AssignTaskInputSchema = import_zod2.z.object({
+var AssignTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  expectedState: import_zod2.z.nativeEnum(TaskState).default(TaskState.TODO)
+  expectedState: import_zod3.z.nativeEnum(TaskState).default(TaskState.TODO)
 });
-var UpdateProgressInputSchema = import_zod2.z.object({
+var UpdateProgressInputSchema = import_zod3.z.object({
   taskId: cuidOrPrefixedId,
-  statusMessage: import_zod2.z.string().max(1e3).optional(),
-  completedCheckpointIds: import_zod2.z.array(import_zod2.z.string()).optional(),
-  currentCheckpointIndex: import_zod2.z.number().int().optional()
+  statusMessage: import_zod3.z.string().max(1e3).optional(),
+  completedCheckpointIds: import_zod3.z.array(import_zod3.z.string()).optional(),
+  currentCheckpointIndex: import_zod3.z.number().int().optional()
 });
-var CompleteTaskInputSchema = import_zod2.z.object({
+var CompleteTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  pullRequestTitle: import_zod2.z.string().min(1).max(300).optional(),
-  pullRequestBody: import_zod2.z.string().max(1e4).optional()
+  pullRequestTitle: import_zod3.z.string().min(1).max(300).optional(),
+  pullRequestBody: import_zod3.z.string().max(1e4).optional()
 });
-var ReportErrorInputSchema = import_zod2.z.object({
+var ReportErrorInputSchema = import_zod3.z.object({
   taskId: cuidOrPrefixedId,
-  errorType: import_zod2.z.nativeEnum(ErrorType),
-  errorMessage: import_zod2.z.string().min(1).max(1e3),
-  context: import_zod2.z.string().max(2e3).optional()
+  errorType: import_zod3.z.nativeEnum(ErrorType),
+  errorMessage: import_zod3.z.string().min(1).max(1e3),
+  context: import_zod3.z.string().max(2e3).optional()
 });
-var GetProjectContextInputSchema = import_zod2.z.object({
+var GetProjectContextInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId
 });
-var AddNoteInputSchema = import_zod2.z.object({
+var AddNoteInputSchema = import_zod3.z.object({
   taskId: cuidOrPrefixedId,
-  content: import_zod2.z.string().min(1).max(500)
+  content: import_zod3.z.string().min(1).max(500)
 });
-var AbandonTaskInputSchema = import_zod2.z.object({
+var AbandonTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  deleteBranch: import_zod2.z.boolean().optional()
+  deleteBranch: import_zod3.z.boolean().optional()
 });
-var RequestChangesInputSchema = import_zod2.z.object({
+var RequestChangesInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  reviewComments: import_zod2.z.string().min(1).max(5e3),
-  requestedChanges: import_zod2.z.array(import_zod2.z.string().min(1).max(500)).optional()
+  reviewComments: import_zod3.z.string().min(1).max(5e3),
+  requestedChanges: import_zod3.z.array(import_zod3.z.string().min(1).max(500)).optional()
 });
-var ApproveTaskInputSchema = import_zod2.z.object({
+var ApproveTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  reviewComments: import_zod2.z.string().max(2e3).optional()
+  reviewComments: import_zod3.z.string().max(2e3).optional()
 });
-var ArchiveTaskInputSchema = import_zod2.z.object({
+var ArchiveTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId
 });
-var UnarchiveTaskInputSchema = import_zod2.z.object({
+var UnarchiveTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId
 });
-var CreatePersonalProjectInputSchema = import_zod2.z.object({
-  name: import_zod2.z.string().min(1).max(100),
-  description: import_zod2.z.string().max(500).optional(),
-  repositoryUrl: import_zod2.z.string().url()
+var CreatePersonalProjectInputSchema = import_zod3.z.object({
+  name: import_zod3.z.string().min(1).max(100),
+  description: import_zod3.z.string().max(500).optional(),
+  repositoryUrl: import_zod3.z.string().url()
 });
-var CheckActiveTaskInputSchema = import_zod2.z.object({});
-var CreateTaskMCPInputSchema = import_zod2.z.object({
+var CheckActiveTaskInputSchema = import_zod3.z.object({});
+var CreateTaskMCPInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   epicId: cuidOrPrefixedId.nullable().optional(),
-  title: import_zod2.z.string().min(1).max(200),
-  description: import_zod2.z.string().max(5e3),
-  priority: import_zod2.z.nativeEnum(TaskPriority).default(TaskPriority.MEDIUM),
-  acceptanceCriteria: import_zod2.z.array(import_zod2.z.object({
-    description: import_zod2.z.string().min(1).max(500)
+  title: import_zod3.z.string().min(1).max(200),
+  description: import_zod3.z.string().max(5e3),
+  priority: import_zod3.z.nativeEnum(TaskPriority).default(TaskPriority.MEDIUM),
+  acceptanceCriteria: import_zod3.z.array(import_zod3.z.object({
+    description: import_zod3.z.string().min(1).max(500)
   })).min(1)
 });
-var CreateOrganizationInputSchema = import_zod2.z.object({
-  name: import_zod2.z.string().min(1).max(255),
-  slug: import_zod2.z.string().min(1).max(100).regex(/^[a-z0-9-]+$/).optional()
+var CreateOrganizationInputSchema = import_zod3.z.object({
+  name: import_zod3.z.string().min(1).max(255)
 });
-var UpdateOrganizationInputSchema = import_zod2.z.object({
+var UpdateOrganizationInputSchema = import_zod3.z.object({
   organizationId: cuidOrPrefixedId,
-  name: import_zod2.z.string().min(1).max(255).optional(),
-  logoUrl: import_zod2.z.string().url().nullable().optional(),
-  accentColor: import_zod2.z.string().regex(/^#[0-9A-Fa-f]{6}$/, "Invalid hex color format. Expected #RRGGBB").nullable().optional(),
-  tenantName: import_zod2.z.string().max(255).nullable().optional()
-});
-var CreateProjectInputSchema = import_zod2.z.object({
-  name: import_zod2.z.string().min(1).max(100),
-  description: import_zod2.z.string().max(500).optional(),
-  type: import_zod2.z.nativeEnum(ProjectType),
-  repositoryUrl: import_zod2.z.string().url(),
-  baseBranch: import_zod2.z.string().default("develop").optional(),
-  tags: import_zod2.z.array(import_zod2.z.string()).default([])
-});
-var UpdateProjectInputSchema = import_zod2.z.object({
-  projectId: import_zod2.z.string().min(1).optional(),
-  name: import_zod2.z.string().min(1).max(100).optional(),
-  description: import_zod2.z.string().max(500).optional(),
-  repositoryUrl: import_zod2.z.string().url().optional(),
-  baseBranch: import_zod2.z.string().optional(),
-  tags: import_zod2.z.array(import_zod2.z.string()).optional(),
-  allowMemberArchive: import_zod2.z.boolean().optional()
-});
-var CreateEpicInputSchema = import_zod2.z.object({
+  name: import_zod3.z.string().min(1).max(255).optional(),
+  logoUrl: import_zod3.z.string().url().nullable().optional(),
+  accentColor: import_zod3.z.string().regex(/^#[0-9A-Fa-f]{6}$/, "Invalid hex color format. Expected #RRGGBB").nullable().optional(),
+  tenantName: import_zod3.z.string().max(255).nullable().optional()
+});
+var CreateProjectInputSchema = import_zod3.z.object({
+  name: import_zod3.z.string().min(1).max(100),
+  description: import_zod3.z.string().max(500).optional(),
+  type: import_zod3.z.nativeEnum(ProjectType),
+  repositoryUrl: import_zod3.z.string().url(),
+  baseBranch: import_zod3.z.string().default("develop").optional(),
+  tags: import_zod3.z.array(import_zod3.z.string()).default([])
+});
+var UpdateProjectInputSchema = import_zod3.z.object({
+  projectId: import_zod3.z.string().min(1).optional(),
+  name: import_zod3.z.string().min(1).max(100).optional(),
+  description: import_zod3.z.string().max(500).optional(),
+  repositoryUrl: import_zod3.z.string().url().optional(),
+  baseBranch: import_zod3.z.string().optional(),
+  tags: import_zod3.z.array(import_zod3.z.string()).optional(),
+  allowMemberArchive: import_zod3.z.boolean().optional()
+});
+var CreateEpicInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
-  name: import_zod2.z.string().min(1).max(200),
-  description: import_zod2.z.string().max(2e3).optional()
-});
-var CreateTaskInputSchema = import_zod2.z.object({
-  projectId: import_zod2.z.string().min(1),
-  epicId: import_zod2.z.string().min(1).nullable().optional(),
-  title: import_zod2.z.string().min(1).max(200),
-  description: import_zod2.z.string().max(5e3),
-  priority: import_zod2.z.nativeEnum(TaskPriority).default(TaskPriority.MEDIUM),
-  acceptanceCriteria: import_zod2.z.array(import_zod2.z.object({
-    description: import_zod2.z.string().min(1).max(500)
+  name: import_zod3.z.string().min(1).max(200),
+  description: import_zod3.z.string().max(2e3).optional()
+});
+var CreateTaskInputSchema = import_zod3.z.object({
+  projectId: import_zod3.z.string().min(1),
+  epicId: import_zod3.z.string().min(1).nullable().optional(),
+  title: import_zod3.z.string().min(1).max(200),
+  description: import_zod3.z.string().max(5e3),
+  priority: import_zod3.z.nativeEnum(TaskPriority).default(TaskPriority.MEDIUM),
+  acceptanceCriteria: import_zod3.z.array(import_zod3.z.object({
+    description: import_zod3.z.string().min(1).max(500)
   })).min(1)
 });
-var UpdateTaskInputSchema = import_zod2.z.object({
-  taskId: import_zod2.z.string().min(1),
-  title: import_zod2.z.string().min(1).max(200).optional(),
-  description: import_zod2.z.string().max(5e3).optional(),
-  priority: import_zod2.z.nativeEnum(TaskPriority).optional(),
-  state: import_zod2.z.nativeEnum(TaskState).optional(),
-  assigneeId: import_zod2.z.string().nullable().optional(),
-  acceptanceCriteria: import_zod2.z.array(import_zod2.z.object({
-    id: import_zod2.z.string().optional(),
-    description: import_zod2.z.string().min(1).max(500),
-    completed: import_zod2.z.boolean().optional()
+var UpdateTaskInputSchema = import_zod3.z.object({
+  taskId: import_zod3.z.string().min(1),
+  title: import_zod3.z.string().min(1).max(200).optional(),
+  description: import_zod3.z.string().max(5e3).optional(),
+  priority: import_zod3.z.nativeEnum(TaskPriority).optional(),
+  state: import_zod3.z.nativeEnum(TaskState).optional(),
+  assigneeId: import_zod3.z.string().nullable().optional(),
+  acceptanceCriteria: import_zod3.z.array(import_zod3.z.object({
+    id: import_zod3.z.string().optional(),
+    description: import_zod3.z.string().min(1).max(500),
+    completed: import_zod3.z.boolean().optional()
   })).optional()
 });
-var AssignTaskWebappInputSchema = import_zod2.z.object({
-  taskId: import_zod2.z.string().min(1),
-  userId: import_zod2.z.string().min(1)
+var AssignTaskWebappInputSchema = import_zod3.z.object({
+  taskId: import_zod3.z.string().min(1),
+  userId: import_zod3.z.string().min(1)
 });
-var CreateTagInputSchema = import_zod2.z.object({
+var CreateTagInputSchema = import_zod3.z.object({
   organizationId: cuidOrPrefixedId,
-  name: import_zod2.z.string().min(1).max(50).regex(/^[a-zA-Z0-9\s-]+$/)
+  name: import_zod3.z.string().min(1).max(50).regex(/^[a-zA-Z0-9\s-]+$/)
 });
-var UpdateTagInputSchema = import_zod2.z.object({
-  name: import_zod2.z.string().min(1).max(50).regex(/^[a-zA-Z0-9\s-]+$/)
+var UpdateTagInputSchema = import_zod3.z.object({
+  name: import_zod3.z.string().min(1).max(50).regex(/^[a-zA-Z0-9\s-]+$/)
 });
-var UpdateOrganizationSettingsInputSchema = import_zod2.z.object({
+var UpdateOrganizationSettingsInputSchema = import_zod3.z.object({
   organizationId: cuidOrPrefixedId,
-  ldapEnabled: import_zod2.z.boolean().optional(),
-  ldapUrl: import_zod2.z.string().url().nullable().optional(),
-  ldapBindDN: import_zod2.z.string().nullable().optional(),
-  ldapSearchBase: import_zod2.z.string().nullable().optional(),
-  deleteMergedBranches: import_zod2.z.boolean().optional(),
-  enforceConventionalCommits: import_zod2.z.boolean().optional(),
-  maxPersonalProjectsPerUser: import_zod2.z.number().int().min(0).optional(),
-  logoUrl: import_zod2.z.string().url().nullable().optional(),
-  accentColor: import_zod2.z.string().regex(/^#[0-9A-Fa-f]{6}$/, "Invalid hex color format. Expected #RRGGBB").nullable().optional(),
-  tenantName: import_zod2.z.string().max(255).nullable().optional()
-});
-var InviteUserInputSchema = import_zod2.z.object({
+  ldapEnabled: import_zod3.z.boolean().optional(),
+  ldapUrl: import_zod3.z.string().url().nullable().optional(),
+  ldapBindDN: import_zod3.z.string().nullable().optional(),
+  ldapSearchBase: import_zod3.z.string().nullable().optional(),
+  deleteMergedBranches: import_zod3.z.boolean().optional(),
+  enforceConventionalCommits: import_zod3.z.boolean().optional(),
+  maxPersonalProjectsPerUser: import_zod3.z.number().int().min(0).optional(),
+  logoUrl: import_zod3.z.string().url().nullable().optional(),
+  accentColor: import_zod3.z.string().regex(/^#[0-9A-Fa-f]{6}$/, "Invalid hex color format. Expected #RRGGBB").nullable().optional(),
+  tenantName: import_zod3.z.string().max(255).nullable().optional()
+});
+var InviteUserInputSchema = import_zod3.z.object({
   organizationId: cuidOrPrefixedId,
-  email: import_zod2.z.string().email(),
-  role: import_zod2.z.nativeEnum(UserRole).default(UserRole.MEMBER),
-  tags: import_zod2.z.array(import_zod2.z.string()).default([])
+  email: import_zod3.z.string().email(),
+  role: import_zod3.z.nativeEnum(UserRole).default(UserRole.MEMBER),
+  tags: import_zod3.z.array(import_zod3.z.string()).default([])
 });
-var AssignUserTagsInputSchema = import_zod2.z.object({
+var AssignUserTagsInputSchema = import_zod3.z.object({
   userId: cuidOrPrefixedId,
-  tags: import_zod2.z.array(import_zod2.z.string()).min(0)
+  tags: import_zod3.z.array(import_zod3.z.string()).min(0)
 });
-var InviteCollaboratorInputSchema = import_zod2.z.object({
+var InviteCollaboratorInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
-  email: import_zod2.z.string().email()
+  email: import_zod3.z.string().email()
 });
-var PublishProjectInputSchema = import_zod2.z.object({
+var PublishProjectInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
-  transferOwnership: import_zod2.z.boolean().default(false),
-  tags: import_zod2.z.array(import_zod2.z.string()).min(1)
+  transferOwnership: import_zod3.z.boolean().default(false),
+  tags: import_zod3.z.array(import_zod3.z.string()).min(1)
+});
+var GenerateApiKeyInputSchema = import_zod3.z.object({
+  name: import_zod3.z.string().min(1).max(100),
+  publicNickname: import_zod3.z.string().max(50).optional(),
+  expiresInDays: import_zod3.z.number().int().min(1).max(365).default(90),
+  permissions: import_zod3.z.nativeEnum(ApiKeyPermission).default(ApiKeyPermission.WRITE)
 });
-var GenerateApiKeyInputSchema = import_zod2.z.object({
-  name: import_zod2.z.string().min(1).max(100),
-  expiresInDays: import_zod2.z.number().int().min(1).max(365).default(90),
-  permissions: import_zod2.z.nativeEnum(ApiKeyPermission).default(ApiKeyPermission.WRITE)
+var UpdateApiKeyInputSchema = import_zod3.z.object({
+  publicNickname: import_zod3.z.string().max(50).nullable().optional(),
+  scopedOrganizationId: import_zod3.z.string().optional().nullable(),
+  scopedProjectIds: import_zod3.z.array(import_zod3.z.string()).optional()
 });
-var RevokeApiKeyInputSchema = import_zod2.z.object({
+var RevokeApiKeyInputSchema = import_zod3.z.object({
   keyId: cuidOrPrefixedId
 });
-var LoginInputSchema = import_zod2.z.object({
-  email: import_zod2.z.string().email(),
-  password: import_zod2.z.string().min(8).max(255)
+var LoginInputSchema = import_zod3.z.object({
+  email: import_zod3.z.string().email(),
+  password: import_zod3.z.string().min(8).max(255)
 });
-var RegisterInputSchema = import_zod2.z.object({
-  email: import_zod2.z.string().email(),
-  password: import_zod2.z.string().min(8).max(255),
-  name: import_zod2.z.string().min(1).max(255),
-  organizationSlug: import_zod2.z.string().min(1).max(100).regex(/^[a-z0-9-]+$/).optional()
+var RegisterInputSchema = import_zod3.z.object({
+  email: import_zod3.z.string().email(),
+  password: import_zod3.z.string().min(8).max(255),
+  name: import_zod3.z.string().min(1).max(255)
 });
-var VerifyTaskInputSchema = import_zod2.z.object({
+var VerifyTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  approved: import_zod2.z.boolean(),
-  feedback: import_zod2.z.string().max(5e3).optional()
+  approved: import_zod3.z.boolean(),
+  feedback: import_zod3.z.string().max(5e3).optional()
 });
-var GetTaskPromptInputSchema = import_zod2.z.object({
+var GetTaskPromptInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId
 });
-var UpdateTaskMCPInputSchema = import_zod2.z.object({
+var UpdateTaskMCPInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  title: import_zod2.z.string().min(1).max(200).optional(),
-  description: import_zod2.z.string().max(5e3).optional(),
-  priority: import_zod2.z.nativeEnum(TaskPriority).optional(),
-  acceptanceCriteria: import_zod2.z.array(import_zod2.z.object({
-    id: import_zod2.z.string().optional(),
-    description: import_zod2.z.string().min(1).max(500)
+  title: import_zod3.z.string().min(1).max(200).optional(),
+  description: import_zod3.z.string().max(5e3).optional(),
+  priority: import_zod3.z.nativeEnum(TaskPriority).optional(),
+  acceptanceCriteria: import_zod3.z.array(import_zod3.z.object({
+    id: import_zod3.z.string().optional(),
+    description: import_zod3.z.string().min(1).max(500)
   })).optional()
 });
-var ReportBranchInputSchema = import_zod2.z.object({
+var ReportBranchInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
   branchName: gitBranchName
 });
-var ReportPRInputSchema = import_zod2.z.object({
+var ReportPRInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  pullRequestUrl: import_zod2.z.string().url(),
-  pullRequestNumber: import_zod2.z.number().int().positive()
+  pullRequestUrl: import_zod3.z.string().url(),
+  pullRequestNumber: import_zod3.z.number().int().positive()
 });
 
 // ../../packages/core/dist/logging/metrics.js
@@ -792,23 +988,16 @@ function createHistogram(name, help, buckets = [5e-3, 0.01, 0.025, 0.05, 0.1, 0.
 var httpRequestsTotal = createCounter("mtaap_http_requests_total", "Total number of HTTP requests");
 var httpRequestDuration = createHistogram("mtaap_http_request_duration_seconds", "HTTP request duration in seconds");
 var activeUsers = createGauge("mtaap_active_users", "Number of active users");
-var tasksTotal = createCounter("mtaap_tasks_total", "Total number of tasks by state");
-var taskStateChanges = createCounter("mtaap_task_state_changes_total", "Total number of task state changes");
 var httpErrorsTotal = createCounter("mtaap_http_errors_total", "Total number of HTTP errors");
 var httpActiveConnections = createGauge("mtaap_http_active_connections", "Number of active HTTP connections");
 var newSignupsTotal = createCounter("mtaap_new_signups_total", "Total number of new user signups");
 var loginSuccessTotal = createCounter("mtaap_login_success_total", "Total number of successful logins");
 var loginFailureTotal = createCounter("mtaap_login_failure_total", "Total number of failed logins");
-var dbConnectionPoolActive = createGauge("mtaap_db_connection_pool_active", "Number of active database connections");
-var dbConnectionPoolIdle = createGauge("mtaap_db_connection_pool_idle", "Number of idle database connections");
-var dbConnectionPoolMax = createGauge("mtaap_db_connection_pool_max", "Maximum number of database connections");
 var dbQueryDuration = createHistogram("mtaap_db_query_duration_seconds", "Database query duration in seconds");
 var dbSlowQueriesTotal = createCounter("mtaap_db_slow_queries_total", "Total number of slow database queries (>1s)");
-var dbErrorsTotal = createCounter("mtaap_db_errors_total", "Total number of database errors");
 var tasksCreatedTotal = createCounter("mtaap_tasks_created_total", "Total number of tasks created");
 var tasksAssignedTotal = createCounter("mtaap_tasks_assigned_total", "Total number of tasks assigned");
 var tasksCompletedTotal = createCounter("mtaap_tasks_completed_total", "Total number of tasks completed");
-var tasksByState = createGauge("mtaap_tasks_by_state", "Number of tasks by state");
 
 // ../../packages/core/dist/logging/performance-monitor.js
 var MAX_SAMPLES = 1e3;
@@ -1030,12 +1219,17 @@ var ApiError = class extends Error {
 var MCPApiClient = class {
   baseUrl;
   apiKey;
+  oauthToken;
   timeout;
   debug;
   authContext = null;
   constructor(config3) {
+    if (!config3.apiKey && !config3.oauthToken) {
+      throw new Error("Either apiKey or oauthToken must be provided");
+    }
     this.baseUrl = config3.baseUrl.replace(/\/$/, "");
     this.apiKey = config3.apiKey;
+    this.oauthToken = config3.oauthToken;
     this.timeout = config3.timeout ?? DEFAULT_TIMEOUT;
     this.debug = config3.debug ?? false;
   }
@@ -1050,18 +1244,33 @@ var MCPApiClient = class {
       console.error(`[mcp-api] ${method} ${sanitizeForLogging(path)}`);
     }
     try {
+      const headers = {
+        "Content-Type": "application/json"
+      };
+      if (this.oauthToken) {
+        headers["Authorization"] = `Bearer ${this.oauthToken}`;
+      } else if (this.apiKey) {
+        headers["X-API-Key"] = this.apiKey;
+      }
       const response = await fetch(url, {
         method,
-        headers: {
-          "Content-Type": "application/json",
-          "X-API-Key": this.apiKey
-        },
+        headers,
         body: body ? JSON.stringify(body) : void 0,
         signal: controller.signal
       });
       clearTimeout(timeoutId);
       const data = await response.json();
       if (!response.ok) {
+        if (response.status === 403 && data.code === "EMAIL_NOT_VERIFIED" && data.verificationUrl) {
+          throw new ApiError(
+            `${data.error}
+
+To verify your email, visit: ${data.verificationUrl}
+${data.hint ? `Hint: ${data.hint}` : ""}`,
+            "EMAIL_NOT_VERIFIED",
+            403
+          );
+        }
         throw new ApiError(
           data.error || "API request failed",
           data.code || "UNKNOWN_ERROR",
@@ -1309,7 +1518,7 @@ var PERMISSION_RANK = {
   ADMIN: 3
 };
 function assertApiKeyPermission(apiKey, required, toolName) {
-  const actualRank = PERMISSION_RANK[apiKey.permissions] ?? 0;
+  const actualRank = apiKey.permissions ? PERMISSION_RANK[apiKey.permissions] ?? 0 : 0;
   const requiredRank = PERMISSION_RANK[required] ?? 0;
   if (actualRank >= requiredRank) {
     return;
@@ -1430,7 +1639,7 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Discover all accessible projects. Use first to find project IDs. Filter by TEAM, PERSONAL, or ALL workspaces.",
       inputSchema: {
-        workspaceType: import_zod3.z.enum(["TEAM", "PERSONAL", "ALL"]).optional().describe("Filter by workspace type")
+        workspaceType: import_zod4.z.enum(["TEAM", "PERSONAL", "ALL"]).optional().describe("Filter by workspace type")
       }
     },
     async (args) => {
@@ -1460,10 +1669,10 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Query tasks with filters. Use state=TODO for assignable tasks, state=REVIEW for pending reviews.",
       inputSchema: {
-        projectId: import_zod3.z.string().optional().describe("Filter by project ID"),
-        state: import_zod3.z.nativeEnum(TaskState).optional().describe("Filter by task state"),
-        assigneeId: import_zod3.z.string().optional().describe("Filter by assignee ID"),
-        includeArchived: import_zod3.z.boolean().optional().describe("Include archived tasks (default: false)")
+        projectId: import_zod4.z.string().optional().describe("Filter by project ID"),
+        state: import_zod4.z.nativeEnum(TaskState).optional().describe("Filter by task state"),
+        assigneeId: import_zod4.z.string().optional().describe("Filter by assignee ID"),
+        includeArchived: import_zod4.z.boolean().optional().describe("Include archived tasks (default: false)")
       }
     },
     async (args) => {
@@ -1494,7 +1703,7 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Get complete task details with acceptance criteria and notes. Call before assign_task to understand requirements.",
       inputSchema: {
-        taskId: import_zod3.z.string().describe("The task ID to retrieve")
+        taskId: import_zod4.z.string().describe("The task ID to retrieve")
       }
     },
     async (args) => {
@@ -1520,9 +1729,9 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Atomically claim a task. Race-safe - fails if already assigned. Task must be TODO. Returns suggested branch name and worktree path for isolated parallel development.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to assign"),
-        expectedState: import_zod3.z.nativeEnum(TaskState).optional().describe("Expected task state (default: TODO)")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to assign"),
+        expectedState: import_zod4.z.nativeEnum(TaskState).optional().describe("Expected task state (default: TODO)")
       }
     },
     async (args) => {
@@ -1556,10 +1765,10 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Report progress and checkpoint work. Call frequently during execution. Marks acceptance criteria complete.",
       inputSchema: {
-        taskId: import_zod3.z.string().describe("The task ID to update"),
-        statusMessage: import_zod3.z.string().optional().describe("Status message (max 1000 chars)"),
-        completedCheckpointIds: import_zod3.z.array(import_zod3.z.string()).optional().describe("Array of completed checkpoint IDs"),
-        currentCheckpointIndex: import_zod3.z.number().optional().describe("Current checkpoint index")
+        taskId: import_zod4.z.string().describe("The task ID to update"),
+        statusMessage: import_zod4.z.string().optional().describe("Status message (max 1000 chars)"),
+        completedCheckpointIds: import_zod4.z.array(import_zod4.z.string()).optional().describe("Array of completed checkpoint IDs"),
+        currentCheckpointIndex: import_zod4.z.number().optional().describe("Current checkpoint index")
       }
     },
     async (args) => {
@@ -1593,10 +1802,10 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Prepare task for PR creation. Returns PR suggestions. After creating PR locally, call report_pr to transition to REVIEW. Requires IN_PROGRESS state.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to complete"),
-        pullRequestTitle: import_zod3.z.string().optional().describe("PR title (max 300 chars)"),
-        pullRequestBody: import_zod3.z.string().optional().describe("PR body/description (max 10000 chars)")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to complete"),
+        pullRequestTitle: import_zod4.z.string().optional().describe("PR title (max 300 chars)"),
+        pullRequestBody: import_zod4.z.string().optional().describe("PR body/description (max 10000 chars)")
       }
     },
     async (args) => {
@@ -1653,10 +1862,10 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Report unrecoverable errors (BUILD_FAILURE, TEST_FAILURE, CONFLICT, AUTH_ERROR). Consider abandon_task after.",
       inputSchema: {
-        taskId: import_zod3.z.string().describe("The task ID"),
-        errorType: import_zod3.z.nativeEnum(ErrorType).describe("Error type: BUILD_FAILURE, TEST_FAILURE, CONFLICT, AUTH_ERROR, OTHER"),
-        errorMessage: import_zod3.z.string().describe("Error message (max 1000 chars)"),
-        context: import_zod3.z.string().optional().describe("Additional context (max 2000 chars)")
+        taskId: import_zod4.z.string().describe("The task ID"),
+        errorType: import_zod4.z.nativeEnum(ErrorType).describe("Error type: BUILD_FAILURE, TEST_FAILURE, CONFLICT, AUTH_ERROR, OTHER"),
+        errorMessage: import_zod4.z.string().describe("Error message (max 1000 chars)"),
+        context: import_zod4.z.string().optional().describe("Additional context (max 2000 chars)")
       }
     },
     async (args) => {
@@ -1691,7 +1900,7 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Load project README, tech stack, and coding conventions. Call after selecting project.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID")
+        projectId: import_zod4.z.string().describe("The project ID")
       }
     },
     async (args) => {
@@ -1721,8 +1930,8 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Document implementation decisions. Notes persist for future reference and handoff.",
       inputSchema: {
-        taskId: import_zod3.z.string().describe("The task ID"),
-        content: import_zod3.z.string().describe("Note content (max 500 chars)")
+        taskId: import_zod4.z.string().describe("The task ID"),
+        content: import_zod4.z.string().describe("Note content (max 500 chars)")
       }
     },
     async (args) => {
@@ -1751,9 +1960,9 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Release task assignment and optionally clean up branch. Task returns to TODO. Use after errors.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to abandon"),
-        deleteBranch: import_zod3.z.boolean().optional().describe("Whether to delete the associated branch")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to abandon"),
+        deleteBranch: import_zod4.z.boolean().optional().describe("Whether to delete the associated branch")
       }
     },
     async (args) => {
@@ -1787,9 +1996,9 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Report a branch created by the agent. Call after using git to create and push a branch. Task must be IN_PROGRESS.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID"),
-        branchName: import_zod3.z.string().describe("Name of the branch created (e.g., feature/TASK-123-fix-login)")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID"),
+        branchName: import_zod4.z.string().describe("Name of the branch created (e.g., feature/TASK-123-fix-login)")
       }
     },
     async (args) => {
@@ -1823,10 +2032,10 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Report a PR created by the agent. Call after using gh pr create. Transitions task to REVIEW state.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID"),
-        pullRequestUrl: import_zod3.z.string().describe("Full URL of the created PR (e.g., https://github.com/owner/repo/pull/123)"),
-        pullRequestNumber: import_zod3.z.number().describe("PR number (e.g., 123)")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID"),
+        pullRequestUrl: import_zod4.z.string().describe("Full URL of the created PR (e.g., https://github.com/owner/repo/pull/123)"),
+        pullRequestNumber: import_zod4.z.number().describe("PR number (e.g., 123)")
       }
     },
     async (args) => {
@@ -1861,8 +2070,8 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Soft-delete a task. Hidden but restorable via unarchive_task.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to archive")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to archive")
       }
     },
     async (args) => {
@@ -1895,8 +2104,8 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Restore previously archived task to original state.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to restore")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to restore")
       }
     },
     async (args) => {
@@ -1929,9 +2138,9 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Create new project in personal workspace linked to GitHub repository.",
       inputSchema: {
-        name: import_zod3.z.string().describe("Project name (max 100 chars)"),
-        description: import_zod3.z.string().optional().describe("Project description (max 500 chars)"),
-        repositoryUrl: import_zod3.z.string().describe("GitHub repository URL")
+        name: import_zod4.z.string().describe("Project name (max 100 chars)"),
+        description: import_zod4.z.string().optional().describe("Project description (max 500 chars)"),
+        repositoryUrl: import_zod4.z.string().describe("GitHub repository URL")
       }
     },
     async (args) => {
@@ -1965,14 +2174,14 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Create task with title, description, acceptance criteria. Starts in DRAFT. Priority: LOW/MEDIUM/HIGH/CRITICAL.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID to create the task in"),
-        epicId: import_zod3.z.string().nullable().optional().describe("Optional epic ID to associate the task with"),
-        title: import_zod3.z.string().describe("Task title (max 200 chars)"),
-        description: import_zod3.z.string().describe("Task description (max 5000 chars)"),
-        priority: import_zod3.z.nativeEnum(TaskPriority).optional().describe("Task priority: LOW, MEDIUM, HIGH, CRITICAL (default: MEDIUM)"),
-        acceptanceCriteria: import_zod3.z.array(
-          import_zod3.z.object({
-            description: import_zod3.z.string().describe("Acceptance criterion description (max 500 chars)")
+        projectId: import_zod4.z.string().describe("The project ID to create the task in"),
+        epicId: import_zod4.z.string().nullable().optional().describe("Optional epic ID to associate the task with"),
+        title: import_zod4.z.string().describe("Task title (max 200 chars)"),
+        description: import_zod4.z.string().describe("Task description (max 5000 chars)"),
+        priority: import_zod4.z.nativeEnum(TaskPriority).optional().describe("Task priority: LOW, MEDIUM, HIGH, CRITICAL (default: MEDIUM)"),
+        acceptanceCriteria: import_zod4.z.array(
+          import_zod4.z.object({
+            description: import_zod4.z.string().describe("Acceptance criterion description (max 500 chars)")
           })
         ).describe("Array of acceptance criteria (at least 1 required)")
       }
@@ -2011,10 +2220,10 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Return task from REVIEW to IN_PROGRESS with feedback. Original assignee addresses changes.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to review"),
-        reviewComments: import_zod3.z.string().describe("Review comments explaining requested changes (max 5000 chars)"),
-        requestedChanges: import_zod3.z.array(import_zod3.z.string()).optional().describe("List of specific changes requested")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to review"),
+        reviewComments: import_zod4.z.string().describe("Review comments explaining requested changes (max 5000 chars)"),
+        requestedChanges: import_zod4.z.array(import_zod4.z.string()).optional().describe("List of specific changes requested")
       }
     },
     async (args) => {
@@ -2049,9 +2258,9 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Approve completed work and mark DONE. Only for REVIEW state tasks.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to approve"),
-        reviewComments: import_zod3.z.string().optional().describe("Optional approval comments (max 2000 chars)")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to approve"),
+        reviewComments: import_zod4.z.string().optional().describe("Optional approval comments (max 2000 chars)")
       }
     },
     async (args) => {
@@ -2085,10 +2294,10 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Verify a DRAFT task and move it to TODO state. Requires task to pass programmatic validation (title 10+ chars, description 50+ chars, each criterion 20+ chars). If approved=false, stores feedback with NEEDS_REVISION status.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to verify"),
-        approved: import_zod3.z.boolean().describe("Whether to approve the task"),
-        feedback: import_zod3.z.string().optional().describe("Feedback for the task (required if not approved)")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to verify"),
+        approved: import_zod4.z.boolean().describe("Whether to approve the task"),
+        feedback: import_zod4.z.string().optional().describe("Feedback for the task (required if not approved)")
       }
     },
     async (args) => {
@@ -2119,8 +2328,8 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Get state-appropriate prompt for a task. Returns verify prompt for DRAFT, assignment prompt for TODO, or continue prompt for IN_PROGRESS tasks.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID")
       }
     },
     async (args) => {
@@ -2153,15 +2362,15 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Update task details (title, description, priority, acceptanceCriteria). Only works for DRAFT and TODO states. If task is in TODO state, it reverts to DRAFT and requires re-verification.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to update"),
-        title: import_zod3.z.string().optional().describe("New task title"),
-        description: import_zod3.z.string().optional().describe("New task description"),
-        priority: import_zod3.z.nativeEnum(TaskPriority).optional().describe("New task priority"),
-        acceptanceCriteria: import_zod3.z.array(
-          import_zod3.z.object({
-            id: import_zod3.z.string().optional().describe("Existing criterion ID (for updates)"),
-            description: import_zod3.z.string().describe("Criterion description")
+        projectId: import_zod4.z.string().describe("The project ID"),
+        taskId: import_zod4.z.string().describe("The task ID to update"),
+        title: import_zod4.z.string().optional().describe("New task title"),
+        description: import_zod4.z.string().optional().describe("New task description"),
+        priority: import_zod4.z.nativeEnum(TaskPriority).optional().describe("New task priority"),
+        acceptanceCriteria: import_zod4.z.array(
+          import_zod4.z.object({
+            id: import_zod4.z.string().optional().describe("Existing criterion ID (for updates)"),
+            description: import_zod4.z.string().describe("Criterion description")
           })
         ).optional().describe("New acceptance criteria (replaces existing)")
       }
@@ -2251,12 +2460,12 @@ function handleApiError(error) {
     isError: true
   };
 }
-var ActiveTaskSchema = import_zod3.z.object({
-  taskId: import_zod3.z.string().min(1),
-  projectId: import_zod3.z.string().min(1),
-  branchName: import_zod3.z.string().optional(),
-  worktreePath: import_zod3.z.string().optional(),
-  startedAt: import_zod3.z.string().optional()
+var ActiveTaskSchema = import_zod4.z.object({
+  taskId: import_zod4.z.string().min(1),
+  projectId: import_zod4.z.string().min(1),
+  branchName: import_zod4.z.string().optional(),
+  worktreePath: import_zod4.z.string().optional(),
+  startedAt: import_zod4.z.string().optional()
 });
 async function checkActiveTask() {
   const fs = await import("fs");
@@ -2327,15 +2536,91 @@ async function checkActiveTask() {
 }
 
 // src/auth.ts
+function extractBearerToken(authorizationHeader) {
+  if (!authorizationHeader) return null;
+  const parts = authorizationHeader.split(" ");
+  if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") {
+    return null;
+  }
+  return parts[1];
+}
+async function validateOAuthToken(baseUrl, accessToken) {
+  const internalUrl = process.env.COLLAB_INTERNAL_URL || baseUrl;
+  const response = await fetch(`${internalUrl}/api/oauth/validate`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({ access_token: accessToken })
+  });
+  if (!response.ok) {
+    throw new Error(`Token validation failed: ${response.status}`);
+  }
+  return response.json();
+}
 function createAuthMiddleware(baseUrl) {
   return async (req, res, next) => {
+    const authHeader = req.headers.authorization;
+    const bearerToken = extractBearerToken(authHeader);
+    if (bearerToken) {
+      try {
+        const validation = await validateOAuthToken(baseUrl, bearerToken);
+        if (!validation.valid) {
+          res.status(401).json({
+            jsonrpc: "2.0",
+            error: {
+              code: -32001,
+              message: validation.userId ? "Token expired" : "Invalid access token"
+            },
+            id: null
+          });
+          return;
+        }
+        const rawPermissions = validation.permissions || "WRITE";
+        const validPermissions = ["READ", "WRITE", "ADMIN"];
+        let permissions;
+        if (validPermissions.includes(rawPermissions)) {
+          permissions = rawPermissions;
+        } else {
+          console.warn(`[collab-mcp-server] Unexpected permissions value "${rawPermissions}", defaulting to WRITE`);
+          permissions = "WRITE";
+        }
+        const authContext = {
+          userId: validation.userId,
+          userEmail: validation.userEmail,
+          userName: validation.userName || validation.userEmail,
+          permissions
+        };
+        const apiClient = new MCPApiClient({
+          baseUrl,
+          oauthToken: bearerToken,
+          timeout: 3e4
+        });
+        req.apiClient = apiClient;
+        req.authContext = authContext;
+        req.authMethod = "oauth";
+        next();
+        return;
+      } catch (error) {
+        console.error("[collab-mcp-server] OAuth validation error:", error);
+        res.status(401).json({
+          jsonrpc: "2.0",
+          error: {
+            code: -32001,
+            message: "OAuth token validation failed"
+          },
+          id: null
+        });
+        return;
+      }
+    }
     const apiKey = req.headers["x-api-key"];
     if (!apiKey || typeof apiKey !== "string") {
       res.status(401).json({
         jsonrpc: "2.0",
         error: {
           code: -32001,
-          message: "Missing or invalid X-API-Key header"
+          message: "Missing authentication. Provide Authorization: Bearer <token> or X-API-Key header"
         },
         id: null
       });
@@ -2361,6 +2646,7 @@ function createAuthMiddleware(baseUrl) {
       const authContext = await apiClient.authenticate();
       req.apiClient = apiClient;
       req.authContext = authContext;
+      req.authMethod = "api_key";
       next();
     } catch (error) {
       if (error instanceof ApiError) {
@@ -2408,7 +2694,9 @@ function startSessionCleanup() {
       }
     }
     if (cleanedCount > 0) {
-      console.error(`[collab-mcp-server] Cleaned up ${cleanedCount} expired session(s)`);
+      console.error(
+        `[collab-mcp-server] Cleaned up ${cleanedCount} expired session(s)`
+      );
     }
   }, SESSION_CLEANUP_INTERVAL_MS);
 }
@@ -2423,17 +2711,27 @@ async function createHTTPServer() {
   const port = parseInt(process.env.PORT || String(DEFAULT_PORT), 10);
   const baseUrl = process.env.COLLAB_BASE_URL;
   if (!baseUrl) {
-    console.error("[collab-mcp-server] Error: COLLAB_BASE_URL environment variable is required");
+    console.error(
+      "[collab-mcp-server] Error: COLLAB_BASE_URL environment variable is required"
+    );
     console.error("\nRequired environment variables:");
-    console.error("  COLLAB_BASE_URL    Collab webapp URL (e.g., https://collab.mtaap.de)");
+    console.error(
+      "  COLLAB_BASE_URL    Collab webapp URL (e.g., https://collab.mtaap.de)"
+    );
     console.error("  PORT               Server port (default: 3001)");
-    console.error("\nClients must provide X-API-Key header with their Collab API key.");
+    console.error("\nClients must authenticate using one of:");
+    console.error(
+      "  - Authorization: Bearer <token> header with OAuth access token"
+    );
+    console.error("  - X-API-Key header with their Collab API key");
     process.exit(1);
   }
   try {
     new URL(baseUrl);
   } catch {
-    console.error(`[collab-mcp-server] Error: COLLAB_BASE_URL is not a valid URL: ${baseUrl}`);
+    console.error(
+      `[collab-mcp-server] Error: COLLAB_BASE_URL is not a valid URL: ${baseUrl}`
+    );
     process.exit(1);
   }
   const app = (0, import_express.default)();
@@ -2446,6 +2744,22 @@ async function createHTTPServer() {
       timestamp: (/* @__PURE__ */ new Date()).toISOString()
     });
   });
+  app.get("/mcp/.well-known/oauth-protected-resource", (_req, res) => {
+    const protocol = _req.headers["x-forwarded-proto"] || _req.protocol || "https";
+    const host = _req.headers["x-forwarded-host"] || _req.headers.host;
+    const resourceUrl = `${protocol}://${host}/mcp`;
+    res.json({
+      resource: resourceUrl,
+      authorization_servers: [baseUrl],
+      scopes_supported: [
+        OAuthScopes.READ,
+        OAuthScopes.WRITE,
+        OAuthScopes.ADMIN
+      ],
+      bearer_methods_supported: ["header"],
+      resource_documentation: `${baseUrl}/docs/mcp`
+    });
+  });
   const authMiddleware = createAuthMiddleware(baseUrl);
   app.post("/mcp", authMiddleware, async (req, res) => {
     const authReq = req;
@@ -2477,7 +2791,9 @@ async function createHTTPServer() {
             createdAt: now,
             lastAccessedAt: now
           });
-          console.error(`[collab-mcp-server] Session initialized: ${id} (user: ${authReq.authContext.userEmail})`);
+          console.error(
+            `[collab-mcp-server] Session initialized: ${id} (user: ${authReq.authContext.userEmail})`
+          );
         },
         onsessionclosed: (id) => {
           sessions.delete(id);
@@ -2487,10 +2803,15 @@ async function createHTTPServer() {
       transport.onclose = () => {
         if (transport.sessionId) {
           sessions.delete(transport.sessionId);
-          console.error(`[collab-mcp-server] Transport closed for session: ${transport.sessionId}`);
+          console.error(
+            `[collab-mcp-server] Transport closed for session: ${transport.sessionId}`
+          );
         }
       };
-      const server = initializeMCPServer(authReq.apiClient, authReq.authContext);
+      const server = initializeMCPServer(
+        authReq.apiClient,
+        authReq.authContext
+      );
       await server.connect(transport);
       sessionData = {
         transport,
@@ -2573,8 +2894,13 @@ async function createHTTPServer() {
     console.error(`[collab-mcp-server] Listening on http://0.0.0.0:${port}`);
     console.error(`[collab-mcp-server] MCP endpoint: POST/GET/DELETE /mcp`);
     console.error(`[collab-mcp-server] Health check: GET /mcp/health`);
+    console.error(
+      `[collab-mcp-server] OAuth metadata: GET /mcp/.well-known/oauth-protected-resource`
+    );
     console.error(`[collab-mcp-server] API URL: ${baseUrl}`);
-    console.error(`[collab-mcp-server] Session timeout: ${SESSION_TIMEOUT_MS / 1e3 / 60} minutes`);
+    console.error(
+      `[collab-mcp-server] Session timeout: ${SESSION_TIMEOUT_MS / 1e3 / 60} minutes`
+    );
   });
 }
 function handleCliFlags() {
@@ -2600,7 +2926,9 @@ Environment Variables:
   PORT             Server port (default: 3001)
 
 Client Authentication:
-  Clients must provide an X-API-Key header with their Collab API key.
+  Clients must authenticate using one of these methods:
+  - X-API-Key header with their Collab API key
+  - Authorization: Bearer <token> header with OAuth access token
   Each session is authenticated independently.
 
 Example deployment with Docker: