@nyuchi/mzizi-mcp 0.3.0

package/README.md

@@ -0,0 +1,186 @@
+# @nyuchi/mzizi-mcp
+
+Registry-driven Model Context Protocol server for the mzizi design system — the
+drop-in replacement for the legacy `design.nyuchi.com` MCP.
+
+The tool catalog is loaded at startup from the Supabase `mcp_tool_registry` table
+(RLS public-read, anon role) and dispatched dynamically. Adding, renaming, or
+retiring a tool is a registry edit, not a code change. The server is read-only on
+the anonymous surface — write-kind tools are excluded.
+
+**Live at** `https://mcp.mzizi.dev/mcp` (Cloudflare Worker `mzizi-mcp`, version
+0.3.0). A **free WorkOS-AuthKit signup gate** fronts the endpoint; sign up
+once and read the whole registry at no cost. The worker advertises
+`/.well-known/oauth-protected-resource` so MCP clients can run the OAuth discovery
+dance automatically.
+
+**MCP Registry name:** `io.github.nyuchi/mzizi-mcp`
+
+---
+
+## Using it — MCP client config
+
+Point any MCP client at the live HTTP endpoint:
+
+```json
+{
+  "mcpServers": {
+    "mzizi": {
+      "type": "http",
+      "url": "https://mcp.mzizi.dev/mcp"
+    }
+  }
+}
+```
+
+The client will be redirected through the WorkOS-AuthKit OAuth flow on first
+connect. After that, reads are free and unlimited.
+
+### stdio (local / offline)
+
+Run the stdio bin via npx — useful for Claude Code, Cursor, or any assistant that
+speaks stdio MCP:
+
+```json
+{
+  "mcpServers": {
+    "mzizi": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "@nyuchi/mzizi-mcp"],
+      "env": {
+        "SUPABASE_URL": "https://grjsboqkaywpwatvrzmy.supabase.co",
+        "SUPABASE_PUBLISHABLE_KEY": "<anon-key>"
+      }
+    }
+  }
+}
+```
+
+`SUPABASE_URL` defaults to the canonical mzizi project if omitted. Only
+`SUPABASE_PUBLISHABLE_KEY` is required for the stdio path.
+
+---
+
+## Registry-driven dispatch
+
+| Registry `kind` | Dispatch                                  |
+| --------------- | ----------------------------------------- |
+| `sql_function`  | `supabase.rpc(fn, args)`                  |
+| `edge_function` | `supabase.functions.invoke(fn, { body })` |
+| `source_table`  | `supabase.from(table).select()`           |
+
+The registry currently holds 62 rows (60 enabled). After filtering out write-kind
+and first-party tools, ~55 tools are exposed on the anonymous public surface,
+spread across 17 categories.
+
+---
+
+## Core tools (always present, defined in code)
+
+| Tool                  | Backed by                       | Returns                                                  |
+| --------------------- | ------------------------------- | -------------------------------------------------------- |
+| `list_collections`    | `component_documents` aggregate | Every collection + document counts + per-owner breakdown |
+| `get_database_status` | `component_documents` count     | Provider health + document-store row count + tool count  |
+
+---
+
+## Tool categories (registry-driven)
+
+| Category        | Example tools                                                                     |
+| --------------- | --------------------------------------------------------------------------------- |
+| `component`     | `get_component`, `list_components`, `search_components`, `get_component_links`    |
+| `architecture`  | `get_node_documents`                                                              |
+| `brand`         | `get_brand_tokens`, `list_ecosystem_brands`                                       |
+| `skills`        | `get_skill`, `list_skills`                                                        |
+| `doctrine`      | doctrine-read tools                                                               |
+| `documents`     | `read_documents`, `read_versions`                                                 |
+| `release`       | `list_changelog`, `get_changelog_entry`, `compute_release_diff`                   |
+| `resolver`      | `resolve_primitive`, `list_framework_descriptors`                                 |
+| `a11y`          | `calculate_contrast_ratio`, `simulate_color_blindness`, `run_accessibility_audit` |
+| `observability` | `list_observability_events`, `is_domain_allowed`                                  |
+| `fundi`         | `get_healing_log`, `list_recent_fundi_issues`                                     |
+| `chaos`         | `list_chaos_events`                                                               |
+| `system`        | system-read tools                                                                 |
+| `ai`            | `get_ai_instructions`, `list_ai_instructions`                                     |
+| `governance`    | `get_bundu_convention`                                                            |
+| `meta`          | `mcp_describe`                                                                    |
+
+Call `mcp_describe` (with optional `p_category` filter) to enumerate the full live
+catalog.
+
+---
+
+## Resources
+
+| URI                   | Content                                              |
+| --------------------- | ---------------------------------------------------- |
+| `mzizi://collections` | Every collection + document counts + owner breakdown |
+| `mzizi://components`  | Lean index of the `components` collection            |
+
+---
+
+## Environment / secrets
+
+### HTTP Worker (Cloudflare — set via `wrangler secret put`)
+
+| Secret                     | Required | Notes                                          |
+| -------------------------- | -------- | ---------------------------------------------- |
+| `SUPABASE_URL`             | yes      | Public Supabase project URL                    |
+| `SUPABASE_PUBLISHABLE_KEY` | yes      | Anon (RLS public-read) key                     |
+| `SUPABASE_SECRET_KEY`      | no       | Service-role key; placeholder is used if unset |
+| `WORKOS_CLIENT_ID`         | yes      | mzizi-mcp WorkOS AuthKit app client ID         |
+| `WORKOS_CLIENT_SECRET`     | yes      | mzizi-mcp WorkOS AuthKit app secret            |
+| `COOKIE_ENCRYPTION_KEY`    | yes      | HMAC key for the consent cookie (random bytes) |
+
+### stdio / local dev (`.dev.vars` or environment)
+
+| Variable                   | Required | Notes                               |
+| -------------------------- | -------- | ----------------------------------- |
+| `SUPABASE_URL`             | no       | Defaults to canonical mzizi project |
+| `SUPABASE_PUBLISHABLE_KEY` | yes      | Anon key                            |
+
+---
+
+## Entrypoints
+
+| Surface       | Entry               | Use                                             |
+| ------------- | ------------------- | ----------------------------------------------- |
+| stdio         | `bin: mzizi-mcp`    | Local AI assistants (Claude Code, Cursor, etc.) |
+| HTTP / Worker | `mzizi-mcp/http`    | Cloudflare Workers + any fetch runtime          |
+| Library       | `@nyuchi/mzizi-mcp` | Embed the server factory in your own host       |
+
+Source files:
+
+- `src/server.ts` — `createMziziMcpServer(supabase)` factory
+- `src/http.ts` — `createMziziHttpHandler()` for any fetch runtime
+- `src/worker.ts` — Cloudflare Worker bound to `env` (the gated deployment)
+- `src/stdio.ts` — `bin: mzizi-mcp` for the MCP registry / local Claude Code
+
+---
+
+## Build and deploy
+
+```bash
+# typecheck
+pnpm --filter @nyuchi/mzizi-mcp typecheck
+
+# build (tsc → dist/)
+pnpm --filter @nyuchi/mzizi-mcp build
+
+# local Worker dev
+pnpm --filter @nyuchi/mzizi-mcp cf:dev
+
+# deploy manually (CI handles pushes to main)
+pnpm --filter @nyuchi/mzizi-mcp cf:deploy
+```
+
+CI deploys automatically on push to `main` touching `mzizi-mcp/**` via
+`.github/workflows/deploy-mzizi-mcp.yml`.
+
+---
+
+## License
+
+Apache-2.0. Part of the mzizi tooling — an open-architecture project of the
+[Bundu Foundation](https://mzizi.dev), operated by [nyuchi](https://nyuchi.com).

package/dist/auth/authkit-handler.d.ts

@@ -0,0 +1,28 @@
+/**
+ * WorkOS AuthKit handler — the OAuth provider's `defaultHandler`.
+ *
+ * Ported from `nyuchi/mongodb-mcp`, with the gates removed: mongodb-mcp is
+ * internal and enforces an org allowlist + a required permission. mzizi-mcp is
+ * a FREE, PUBLIC tool — any WorkOS user who signs up is let through. There is
+ * no org gate and no required-permission gate here.
+ *
+ * Subscription gating for the future in-MCP fundi agent does NOT belong in this
+ * callback (auth = free signup). It belongs at the fundi *tool* level, which
+ * reads the entitlement off `ctx.props` (see `props.ts`). Keeping `permissions`
+ * on the token is what makes that later check possible without a second login.
+ */
+import type { OAuthHelpers } from "@cloudflare/workers-oauth-provider";
+import { WorkOS } from "@workos-inc/node";
+import { Hono } from "hono";
+import type { Env } from "../env.js";
+type AuthEnv = {
+    Bindings: Env & {
+        OAUTH_PROVIDER: OAuthHelpers;
+    };
+    Variables: {
+        workOS: WorkOS;
+    };
+};
+export declare const AuthkitHandler: Hono<AuthEnv, import("hono/types").BlankSchema, "/">;
+export {};
+//# sourceMappingURL=authkit-handler.d.ts.map

package/dist/auth/authkit-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authkit-handler.d.ts","sourceRoot":"","sources":["../../src/auth/authkit-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAe,YAAY,EAAE,MAAM,oCAAoC,CAAA;AACnF,OAAO,EAAiD,MAAM,EAAE,MAAM,kBAAkB,CAAA;AACxF,OAAO,EAAgB,IAAI,EAAE,MAAM,MAAM,CAAA;AAEzC,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,WAAW,CAAA;AAcpC,KAAK,OAAO,GAAG;IAAE,QAAQ,EAAE,GAAG,GAAG;QAAE,cAAc,EAAE,YAAY,CAAA;KAAE,CAAC;IAAC,SAAS,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,CAAA;AAqLlG,eAAO,MAAM,cAAc,sDAAM,CAAA"}

package/dist/auth/authkit-handler.js

@@ -0,0 +1,164 @@
+/**
+ * WorkOS AuthKit handler — the OAuth provider's `defaultHandler`.
+ *
+ * Ported from `nyuchi/mongodb-mcp`, with the gates removed: mongodb-mcp is
+ * internal and enforces an org allowlist + a required permission. mzizi-mcp is
+ * a FREE, PUBLIC tool — any WorkOS user who signs up is let through. There is
+ * no org gate and no required-permission gate here.
+ *
+ * Subscription gating for the future in-MCP fundi agent does NOT belong in this
+ * callback (auth = free signup). It belongs at the fundi *tool* level, which
+ * reads the entitlement off `ctx.props` (see `props.ts`). Keeping `permissions`
+ * on the token is what makes that later check possible without a second login.
+ */
+import { WorkOS } from "@workos-inc/node";
+import { Hono } from "hono";
+import * as jose from "jose";
+import { addApprovedClient, bindStateToSession, createOAuthState, generateCSRFProtection, isClientApproved, OAuthError, renderApprovalDialog, validateCSRFToken, validateOAuthState, } from "./oauth-utils.js";
+const SERVER_NAME = "Mzizi Design System Registry";
+const SERVER_DESCRIPTION = "Free, public MCP over the Mzizi design-system registry — components, design tokens, brand, and the N1–N10 ecosystem architecture. Sign in or create a free account to connect.";
+const ICON_REDIRECT = "https://www.nyuchi.com/icon-light.png";
+const app = new Hono();
+function requireWorkOS(c) {
+    const existing = c.get("workOS");
+    if (existing)
+        return existing;
+    if (!c.env.WORKOS_CLIENT_SECRET) {
+        throw new Error("WORKOS_CLIENT_SECRET is not configured. Add it as a Worker secret before using auth routes.");
+    }
+    const workOS = new WorkOS(c.env.WORKOS_CLIENT_SECRET);
+    c.set("workOS", workOS);
+    return workOS;
+}
+function redirectToIcon() {
+    return new Response(null, {
+        status: 301,
+        headers: { Location: ICON_REDIRECT, "Cache-Control": "public, max-age=86400" },
+    });
+}
+app.get("/", (c) => c.html(`<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>${SERVER_NAME}</title><style>body{font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,sans-serif;background:#f9fafb;color:#111;margin:0}.wrap{max-width:640px;margin:4rem auto;padding:2rem}h1{font-size:1.6rem}code{background:#eef2f0;padding:.15rem .4rem;border-radius:4px}a{color:#1f6f4f}</style></head><body><div class="wrap"><h1>${SERVER_NAME}</h1><p>${SERVER_DESCRIPTION}</p><p>This is a remote <strong>Model Context Protocol</strong> endpoint. Add it as a connector in an MCP client (e.g. claude.ai) and connect to <code>/mcp</code>; you will be prompted to sign in or create a free account.</p><p>Learn more at <a href="https://mzizi.dev">mzizi.dev</a>.</p></div></body></html>`, 200, { "Cache-Control": "public, max-age=300" }));
+app.get("/favicon.ico", () => redirectToIcon());
+app.get("/icon.png", () => redirectToIcon());
+app.get("/authorize", async (c) => {
+    const oauthReqInfo = await c.env.OAUTH_PROVIDER.parseAuthRequest(c.req.raw);
+    const { clientId } = oauthReqInfo;
+    if (!clientId)
+        return c.text("Invalid request", 400);
+    if (await isClientApproved(c.req.raw, clientId, c.env.COOKIE_ENCRYPTION_KEY)) {
+        const { stateToken } = await createOAuthState(oauthReqInfo, c.env.OAUTH_KV);
+        const { setCookie: sessionBindingCookie } = await bindStateToSession(stateToken);
+        return redirectToAuthKit(c, stateToken, { "Set-Cookie": sessionBindingCookie });
+    }
+    const { token: csrfToken, setCookie } = generateCSRFProtection();
+    return renderApprovalDialog(c.req.raw, {
+        client: await c.env.OAUTH_PROVIDER.lookupClient(clientId),
+        csrfToken,
+        server: { description: SERVER_DESCRIPTION, name: SERVER_NAME },
+        setCookie,
+        state: { oauthReqInfo },
+    });
+});
+app.post("/authorize", async (c) => {
+    try {
+        const formData = await c.req.raw.formData();
+        validateCSRFToken(formData, c.req.raw);
+        const encodedState = formData.get("state");
+        if (!encodedState || typeof encodedState !== "string") {
+            return c.text("Missing state in form data", 400);
+        }
+        let state;
+        try {
+            state = JSON.parse(atob(encodedState));
+        }
+        catch {
+            return c.text("Invalid state data", 400);
+        }
+        if (!state.oauthReqInfo || !state.oauthReqInfo.clientId) {
+            return c.text("Invalid request", 400);
+        }
+        const approvedClientCookie = await addApprovedClient(c.req.raw, state.oauthReqInfo.clientId, c.env.COOKIE_ENCRYPTION_KEY);
+        const { stateToken } = await createOAuthState(state.oauthReqInfo, c.env.OAUTH_KV);
+        const { setCookie: sessionBindingCookie } = await bindStateToSession(stateToken);
+        const headers = new Headers();
+        headers.append("Set-Cookie", approvedClientCookie);
+        headers.append("Set-Cookie", sessionBindingCookie);
+        return redirectToAuthKit(c, stateToken, Object.fromEntries(headers));
+    }
+    catch (error) {
+        console.error("POST /authorize error:", error);
+        if (error instanceof OAuthError)
+            return error.toResponse();
+        const message = error instanceof Error ? error.message : String(error);
+        return c.text(`Internal server error: ${message}`, 500);
+    }
+});
+function redirectToAuthKit(c, stateToken, headers = {}) {
+    const workOS = requireWorkOS(c);
+    return new Response(null, {
+        headers: {
+            ...headers,
+            location: workOS.userManagement.getAuthorizationUrl({
+                provider: "authkit",
+                clientId: c.env.WORKOS_CLIENT_ID,
+                redirectUri: new URL("/callback", c.req.url).href,
+                state: stateToken,
+            }),
+        },
+        status: 302,
+    });
+}
+app.get("/callback", async (c) => {
+    let oauthReqInfo;
+    let clearSessionCookie;
+    try {
+        const result = await validateOAuthState(c.req.raw, c.env.OAUTH_KV);
+        oauthReqInfo = result.oauthReqInfo;
+        clearSessionCookie = result.clearCookie;
+    }
+    catch (error) {
+        if (error instanceof OAuthError)
+            return error.toResponse();
+        return c.text("Internal server error", 500);
+    }
+    if (!oauthReqInfo.clientId)
+        return c.text("Invalid OAuth request data", 400);
+    const code = c.req.query("code");
+    if (!code)
+        return c.text("Missing code", 400);
+    const workOS = requireWorkOS(c);
+    let response;
+    try {
+        response = await workOS.userManagement.authenticateWithCode({
+            clientId: c.env.WORKOS_CLIENT_ID,
+            code,
+        });
+    }
+    catch (error) {
+        console.error("Authentication error:", error);
+        return c.text("Invalid authorization code", 400);
+    }
+    const { accessToken, organizationId, refreshToken, user } = response;
+    const { permissions = [] } = jose.decodeJwt(accessToken);
+    // No org allowlist, no required-permission gate: mzizi-mcp is free + public,
+    // so every authenticated WorkOS user is let through. `permissions` is carried
+    // on the token only so a future fundi subscription check can read it.
+    const { redirectTo } = await c.env.OAUTH_PROVIDER.completeAuthorization({
+        request: oauthReqInfo,
+        userId: user.id,
+        metadata: {},
+        scope: permissions,
+        props: {
+            accessToken,
+            organizationId,
+            permissions,
+            refreshToken,
+            user,
+        },
+    });
+    const headers = new Headers({ Location: redirectTo });
+    if (clearSessionCookie)
+        headers.set("Set-Cookie", clearSessionCookie);
+    return new Response(null, { status: 302, headers });
+});
+export const AuthkitHandler = app;
+//# sourceMappingURL=authkit-handler.js.map

package/dist/auth/authkit-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authkit-handler.js","sourceRoot":"","sources":["../../src/auth/authkit-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAiD,MAAM,EAAE,MAAM,kBAAkB,CAAA;AACxF,OAAO,EAAgB,IAAI,EAAE,MAAM,MAAM,CAAA;AACzC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAG5B,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EAChB,sBAAsB,EACtB,gBAAgB,EAChB,UAAU,EACV,oBAAoB,EACpB,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,kBAAkB,CAAA;AAIzB,MAAM,WAAW,GAAG,8BAA8B,CAAA;AAClD,MAAM,kBAAkB,GACtB,gLAAgL,CAAA;AAClL,MAAM,aAAa,GAAG,uCAAuC,CAAA;AAE7D,MAAM,GAAG,GAAG,IAAI,IAAI,EAAW,CAAA;AAE/B,SAAS,aAAa,CAAC,CAAmB;IACxC,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IAChC,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAA;IAC7B,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,6FAA6F,CAC9F,CAAA;IACH,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAA;IACrD,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;IACvB,OAAO,MAAM,CAAA;AACf,CAAC;AAED,SAAS,cAAc;IACrB,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;QACxB,MAAM,EAAE,GAAG;QACX,OAAO,EAAE,EAAE,QAAQ,EAAE,aAAa,EAAE,eAAe,EAAE,uBAAuB,EAAE;KAC/E,CAAC,CAAA;AACJ,CAAC;AAED,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,CACjB,CAAC,CAAC,IAAI,CACJ,2IAA2I,WAAW,0UAA0U,WAAW,WAAW,kBAAkB,sTAAsT,EAC9zB,GAAG,EACH,EAAE,eAAe,EAAE,qBAAqB,EAAE,CAC3C,CACF,CAAA;AACD,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,GAAG,EAAE,CAAC,cAAc,EAAE,CAAC,CAAA;AAC/C,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,GAAG,EAAE,CAAC,cAAc,EAAE,CAAC,CAAA;AAE5C,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAChC,MAAM,YAAY,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAC3E,MAAM,EAAE,QAAQ,EAAE,GAAG,YAAY,CAAA;IACjC,IAAI,CAAC,QAAQ;QAAE,OAAO,CAAC,CAAC,IAAI,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAA;IAEpD,IAAI,MAAM,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC,GAAG,CAAC,qBAAqB,CAAC,EAAE,CAAC;QAC7E,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,gBAAgB,CAAC,YAAY,EAAE,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QAC3E,MAAM,EAAE,SAAS,EAAE,oBAAoB,EAAE,GAAG,MAAM,kBAAkB,CAAC,UAAU,CAAC,CAAA;QAChF,OAAO,iBAAiB,CAAC,CAAC,EAAE,UAAU,EAAE,EAAE,YAAY,EAAE,oBAAoB,EAAE,CAAC,CAAA;IACjF,CAAC;IAED,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,sBAAsB,EAAE,CAAA;IAEhE,OAAO,oBAAoB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE;QACrC,MAAM,EAAE,MAAM,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,YAAY,CAAC,QAAQ,CAAC;QACzD,SAAS;QACT,MAAM,EAAE,EAAE,WAAW,EAAE,kBAAkB,EAAE,IAAI,EAAE,WAAW,EAAE;QAC9D,SAAS;QACT,KAAK,EAAE,EAAE,YAAY,EAAE;KACxB,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA;AAEF,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACjC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAA;QAC3C,iBAAiB,CAAC,QAAQ,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAEtC,MAAM,YAAY,GAAG,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QAC1C,IAAI,CAAC,YAAY,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;YACtD,OAAO,CAAC,CAAC,IAAI,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAA;QAClD,CAAC;QAED,IAAI,KAAqC,CAAA;QACzC,IAAI,CAAC;YACH,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAA;QACxC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,CAAC,IAAI,CAAC,oBAAoB,EAAE,GAAG,CAAC,CAAA;QAC1C,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,YAAY,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC;YACxD,OAAO,CAAC,CAAC,IAAI,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAA;QACvC,CAAC;QAED,MAAM,oBAAoB,GAAG,MAAM,iBAAiB,CAClD,CAAC,CAAC,GAAG,CAAC,GAAG,EACT,KAAK,CAAC,YAAY,CAAC,QAAQ,EAC3B,CAAC,CAAC,GAAG,CAAC,qBAAqB,CAC5B,CAAA;QAED,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QACjF,MAAM,EAAE,SAAS,EAAE,oBAAoB,EAAE,GAAG,MAAM,kBAAkB,CAAC,UAAU,CAAC,CAAA;QAEhF,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAA;QAC7B,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAA;QAClD,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAA;QAElD,OAAO,iBAAiB,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAA;IACtE,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,OAAO,CAAC,KAAK,CAAC,wBAAwB,EAAE,KAAK,CAAC,CAAA;QAC9C,IAAI,KAAK,YAAY,UAAU;YAAE,OAAO,KAAK,CAAC,UAAU,EAAE,CAAA;QAC1D,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;QACtE,OAAO,CAAC,CAAC,IAAI,CAAC,0BAA0B,OAAO,EAAE,EAAE,GAAG,CAAC,CAAA;IACzD,CAAC;AACH,CAAC,CAAC,CAAA;AAEF,SAAS,iBAAiB,CACxB,CAAmB,EACnB,UAAkB,EAClB,UAAkC,EAAE;IAEpC,MAAM,MAAM,GAAG,aAAa,CAAC,CAAC,CAAC,CAAA;IAC/B,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;QACxB,OAAO,EAAE;YACP,GAAG,OAAO;YACV,QAAQ,EAAE,MAAM,CAAC,cAAc,CAAC,mBAAmB,CAAC;gBAClD,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE,CAAC,CAAC,GAAG,CAAC,gBAAgB;gBAChC,WAAW,EAAE,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI;gBACjD,KAAK,EAAE,UAAU;aAClB,CAAC;SACH;QACD,MAAM,EAAE,GAAG;KACZ,CAAC,CAAA;AACJ,CAAC;AAED,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC/B,IAAI,YAAyB,CAAA;IAC7B,IAAI,kBAA0B,CAAA;IAE9B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QAClE,YAAY,GAAG,MAAM,CAAC,YAAY,CAAA;QAClC,kBAAkB,GAAG,MAAM,CAAC,WAAW,CAAA;IACzC,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,IAAI,KAAK,YAAY,UAAU;YAAE,OAAO,KAAK,CAAC,UAAU,EAAE,CAAA;QAC1D,OAAO,CAAC,CAAC,IAAI,CAAC,uBAAuB,EAAE,GAAG,CAAC,CAAA;IAC7C,CAAC;IAED,IAAI,CAAC,YAAY,CAAC,QAAQ;QAAE,OAAO,CAAC,CAAC,IAAI,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAA;IAE5E,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;IAChC,IAAI,CAAC,IAAI;QAAE,OAAO,CAAC,CAAC,IAAI,CAAC,cAAc,EAAE,GAAG,CAAC,CAAA;IAE7C,MAAM,MAAM,GAAG,aAAa,CAAC,CAAC,CAAC,CAAA;IAC/B,IAAI,QAAgC,CAAA;IACpC,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,oBAAoB,CAAC;YAC1D,QAAQ,EAAE,CAAC,CAAC,GAAG,CAAC,gBAAgB;YAChC,IAAI;SACL,CAAC,CAAA;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,uBAAuB,EAAE,KAAK,CAAC,CAAA;QAC7C,OAAO,CAAC,CAAC,IAAI,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAA;IAClD,CAAC;IAED,MAAM,EAAE,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,IAAI,EAAE,GAAG,QAAQ,CAAA;IACpE,MAAM,EAAE,WAAW,GAAG,EAAE,EAAE,GAAG,IAAI,CAAC,SAAS,CAAc,WAAW,CAAC,CAAA;IAErE,6EAA6E;IAC7E,8EAA8E;IAC9E,sEAAsE;IAEtE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,qBAAqB,CAAC;QACtE,OAAO,EAAE,YAAY;QACrB,MAAM,EAAE,IAAI,CAAC,EAAE;QACf,QAAQ,EAAE,EAAE;QACZ,KAAK,EAAE,WAAW;QAClB,KAAK,EAAE;YACL,WAAW;YACX,cAAc;YACd,WAAW;YACX,YAAY;YACZ,IAAI;SACW;KAClB,CAAC,CAAA;IAEF,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC,CAAA;IACrD,IAAI,kBAAkB;QAAE,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAA;IAErE,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAA;AACrD,CAAC,CAAC,CAAA;AAEF,MAAM,CAAC,MAAM,cAAc,GAAG,GAAG,CAAA"}

package/dist/auth/mcp-api-handler.d.ts

@@ -0,0 +1,19 @@
+/**
+ * The MCP API handler the OAuth provider mounts at `apiRoute` (`/mcp`).
+ *
+ * It only runs AFTER the provider has validated the access token, so the
+ * authenticated WorkOS identity is available on `ctx.props`. Today the registry
+ * tools are free (auth only) and ignore props; when the fundi agent is attached
+ * inside the MCP, its tools read `ctx.props.permissions` for the subscription
+ * entitlement — the subscription gate, layered on top of the free auth gate.
+ */
+import type { Env } from "../env.js";
+import type { Props } from "./props.js";
+type AuthedContext = ExecutionContext & {
+    props?: Props;
+};
+export declare const mcpApiHandler: {
+    fetch(request: Request, env: Env, _ctx: AuthedContext): Promise<Response>;
+};
+export {};
+//# sourceMappingURL=mcp-api-handler.d.ts.map

package/dist/auth/mcp-api-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-api-handler.d.ts","sourceRoot":"","sources":["../../src/auth/mcp-api-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,WAAW,CAAA;AACpC,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,YAAY,CAAA;AAEvC,KAAK,aAAa,GAAG,gBAAgB,GAAG;IAAE,KAAK,CAAC,EAAE,KAAK,CAAA;CAAE,CAAA;AAEzD,eAAO,MAAM,aAAa;mBACH,OAAO,OAAO,GAAG,QAAQ,aAAa,GAAG,OAAO,CAAC,QAAQ,CAAC;CAiBhF,CAAA"}

package/dist/auth/mcp-api-handler.js

@@ -0,0 +1,30 @@
+/**
+ * The MCP API handler the OAuth provider mounts at `apiRoute` (`/mcp`).
+ *
+ * It only runs AFTER the provider has validated the access token, so the
+ * authenticated WorkOS identity is available on `ctx.props`. Today the registry
+ * tools are free (auth only) and ignore props; when the fundi agent is attached
+ * inside the MCP, its tools read `ctx.props.permissions` for the subscription
+ * entitlement — the subscription gate, layered on top of the free auth gate.
+ */
+import { createMziziHttpHandler } from "../http.js";
+export const mcpApiHandler = {
+    async fetch(request, env, _ctx) {
+        const handler = createMziziHttpHandler({
+            supabaseConfig: {
+                auth: "none",
+                cors: false,
+                env: {
+                    url: env.SUPABASE_URL,
+                    publishableKeys: { default: env.SUPABASE_PUBLISHABLE_KEY },
+                    // See worker history: `@supabase/server` eagerly builds `supabaseAdmin`
+                    // even when `auth: "none"`, so pass the publishable key as a harmless
+                    // placeholder unless a real service-role key is configured.
+                    secretKeys: { default: env.SUPABASE_SECRET_KEY ?? env.SUPABASE_PUBLISHABLE_KEY },
+                },
+            },
+        });
+        return handler(request);
+    },
+};
+//# sourceMappingURL=mcp-api-handler.js.map

package/dist/auth/mcp-api-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-api-handler.js","sourceRoot":"","sources":["../../src/auth/mcp-api-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAA;AAMnD,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,KAAK,CAAC,KAAK,CAAC,OAAgB,EAAE,GAAQ,EAAE,IAAmB;QACzD,MAAM,OAAO,GAAG,sBAAsB,CAAC;YACrC,cAAc,EAAE;gBACd,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,KAAK;gBACX,GAAG,EAAE;oBACH,GAAG,EAAE,GAAG,CAAC,YAAY;oBACrB,eAAe,EAAE,EAAE,OAAO,EAAE,GAAG,CAAC,wBAAwB,EAAE;oBAC1D,wEAAwE;oBACxE,sEAAsE;oBACtE,4DAA4D;oBAC5D,UAAU,EAAE,EAAE,OAAO,EAAE,GAAG,CAAC,mBAAmB,IAAI,GAAG,CAAC,wBAAwB,EAAE;iBACjF;aACF;SACF,CAAC,CAAA;QACF,OAAO,OAAO,CAAC,OAAO,CAAC,CAAA;IACzB,CAAC;CACF,CAAA"}

package/dist/auth/oauth-utils.d.ts

@@ -0,0 +1,47 @@
+import type { AuthRequest, ClientInfo } from "@cloudflare/workers-oauth-provider";
+export declare class OAuthError extends Error {
+    code: string;
+    description: string;
+    statusCode: number;
+    constructor(code: string, description: string, statusCode?: number);
+    toResponse(): Response;
+}
+export interface OAuthStateResult {
+    stateToken: string;
+}
+export interface ValidateStateResult {
+    oauthReqInfo: AuthRequest;
+    clearCookie: string;
+}
+export interface BindStateResult {
+    setCookie: string;
+}
+export interface CSRFProtectionResult {
+    token: string;
+    setCookie: string;
+}
+export interface ValidateCSRFResult {
+    clearCookie: string;
+}
+export declare function sanitizeText(text: string): string;
+export declare function sanitizeUrl(url: string): string;
+export declare function generateCSRFProtection(): CSRFProtectionResult;
+export declare function validateCSRFToken(formData: FormData, request: Request): ValidateCSRFResult;
+export declare function createOAuthState(oauthReqInfo: AuthRequest, kv: KVNamespace, stateTTL?: number): Promise<OAuthStateResult>;
+export declare function bindStateToSession(stateToken: string): Promise<BindStateResult>;
+export declare function validateOAuthState(request: Request, kv: KVNamespace): Promise<ValidateStateResult>;
+export declare function isClientApproved(request: Request, clientId: string, cookieSecret: string): Promise<boolean>;
+export declare function addApprovedClient(request: Request, clientId: string, cookieSecret: string): Promise<string>;
+export interface ApprovalDialogOptions {
+    client: ClientInfo | null;
+    server: {
+        name: string;
+        logo?: string;
+        description?: string;
+    };
+    state: Record<string, unknown>;
+    csrfToken: string;
+    setCookie: string;
+}
+export declare function renderApprovalDialog(request: Request, options: ApprovalDialogOptions): Response;
+//# sourceMappingURL=oauth-utils.d.ts.map

package/dist/auth/oauth-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-utils.d.ts","sourceRoot":"","sources":["../../src/auth/oauth-utils.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,oCAAoC,CAAA;AAEjF,qBAAa,UAAW,SAAQ,KAAK;IAE1B,IAAI,EAAE,MAAM;IACZ,WAAW,EAAE,MAAM;IACnB,UAAU;gBAFV,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM,EACnB,UAAU,SAAM;IAMzB,UAAU,IAAI,QAAQ;CAMvB;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,MAAM,CAAA;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,YAAY,EAAE,WAAW,CAAA;IACzB,WAAW,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,CAAA;CACpB;AAED,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAOjD;AAED,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAqB/C;AAED,wBAAgB,sBAAsB,IAAI,oBAAoB,CAK7D;AAED,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,GAAG,kBAAkB,CAuB1F;AAED,wBAAsB,gBAAgB,CACpC,YAAY,EAAE,WAAW,EACzB,EAAE,EAAE,WAAW,EACf,QAAQ,SAAM,GACb,OAAO,CAAC,gBAAgB,CAAC,CAM3B;AAED,wBAAsB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAUrF;AAED,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,OAAO,EAChB,EAAE,EAAE,WAAW,GACd,OAAO,CAAC,mBAAmB,CAAC,CAsD9B;AAED,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,CAAC,CAGlB;AAED,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC,CAYjB;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,UAAU,GAAG,IAAI,CAAA;IACzB,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;IAC7D,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC9B,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,qBAAqB,GAAG,QAAQ,CAkG/F"}