@sellable/mcp 0.1.110 → 0.1.111

package/dist/tools/campaigns.js

@@ -21,10 +21,11 @@ function normalizeLeadSourceProvider(input) {
 }
 export function buildWatchUrl(config, path) {
     const workspaceId = config.activeWorkspaceId || config.workspaceId;
-    const workspaceParam = workspaceId
-        ? `&workspaceId=${encodeURIComponent(workspaceId)}`
-        : "";
-    return `${config.apiUrl}/auth/continue?token=${encodeURIComponent(config.token)}&redirect=${encodeURIComponent(path)}${workspaceParam}`;
+    const url = new URL(path, config.apiUrl);
+    if (workspaceId && !url.searchParams.has("workspaceId")) {
+        url.searchParams.set("workspaceId", workspaceId);
+    }
+    return url.toString();
 }
 function isLinkedInProfileUrl(input) {
     try {

package/dist/tools/context.d.ts

@@ -81,7 +81,7 @@ export declare function getCampaignContext(input: GetCampaignContextInput): Prom
         };
         watchUrl: {
             urlPresent: boolean;
-            signed: boolean;
+            direct: boolean | undefined;
             redirectPath: string | null;
         };
         table: {

package/dist/tools/context.js

@@ -178,7 +178,7 @@ export function markCampaignContextDirty(campaignId, reason) {
             },
             watchUrl: {
                 urlPresent: false,
-                signed: false,
+                direct: false,
                 redirectPath: null,
             },
             table: {

package/dist/tools/leads.d.ts

@@ -2460,6 +2460,11 @@ export declare function confirmLeadList(input: ConfirmLeadListInput): Promise<{
         rowIds?: string[];
         requestedTargetLeadCount?: number;
         sourceRowLimit?: number;
+        async?: boolean;
+        campaignTableReady?: boolean;
+        importStatus?: string | null;
+        remainingRowCount?: number | null;
+        rowCount?: number | null;
     };
     boundedReviewBatch: {
         requestedTargetLeadCount: number;

package/dist/tools/leads.js

@@ -2199,7 +2199,30 @@ export async function confirmLeadList(input) {
     if (!resolvedLeadListId) {
         throw new Error("confirm_lead_list requires sourceLeadListId");
     }
-    const effectiveCurrentStep = currentStep === undefined ? "confirm-lead-list" : currentStep;
+    const safePostConfirmCurrentSteps = new Set([
+        "filter-choice",
+        "create-icp-rubric",
+        "apply-icp-rubric",
+        "validate-sample",
+        "auto-execute-leads",
+        "messages",
+        "auto-execute-messaging",
+        "awaiting-user-greenlight",
+        "settings",
+        "sequence",
+        "send",
+        "claude-greenlight",
+        "running",
+    ]);
+    const effectiveCurrentStep = currentStep === undefined
+        ? "filter-choice"
+        : typeof currentStep === "string" &&
+            currentStep.length > 0 &&
+            safePostConfirmCurrentSteps.has(currentStep)
+            ? currentStep
+            : currentStep === null
+                ? null
+                : "filter-choice";
     const shouldSetCurrentStep = typeof effectiveCurrentStep === "string" && effectiveCurrentStep.length > 0;
     let readiness;
     const leadListMeta = await api.get(`/api/v3/workflow-tables/${resolvedLeadListId}?mode=meta`);
@@ -2257,13 +2280,27 @@ export async function confirmLeadList(input) {
         }
         throw new Error("Import still in progress. Keep the campaign at confirm-lead-list; retry readiness, cancel the import, or re-run-source before launching post-import scouts.");
     }
-    const importResult = await api.post(`/api/v3/campaign-builder/import-leads`, {
+    const isTerminalAccessError = (error) => error instanceof SellableApiError && [401, 403, 404].includes(error.status);
+    const formatTerminalAccessError = (error) => {
+        if (error.status === 401 || error.status === 403) {
+            return "Campaign or lead-list access failed. Fix workspace/auth access before retrying confirm_lead_list.";
+        }
+        return "Campaign or source lead list could not be found. Re-open the correct campaign or reselect the source list before retrying confirm_lead_list.";
+    };
+    const importResult = await api
+        .post(`/api/v3/campaign-builder/import-leads`, {
         sourceLeadListId: resolvedLeadListId,
         campaignOfferId,
         campaignName,
         keepInSync,
         ...(typeof targetLeadCount === "number" ? { targetLeadCount } : {}),
         ...(shouldSetCurrentStep ? { currentStep: effectiveCurrentStep } : {}),
+    })
+        .catch((error) => {
+        if (isTerminalAccessError(error)) {
+            throw new Error(formatTerminalAccessError(error));
+        }
+        throw error;
     });
     const campaignTableId = importResult.workflowTableId ?? importResult.campaignTableId;
     const requestedTargetLeadCount = typeof targetLeadCount === "number" && Number.isFinite(targetLeadCount)
@@ -2275,6 +2312,29 @@ export async function confirmLeadList(input) {
     const overflowRowIds = campaignTableId && requestedTargetLeadCount !== null
         ? importedRowIds.slice(requestedTargetLeadCount)
         : [];
+    const importedRowCount = importedRowIds.length > 0
+        ? importedRowIds.length
+        : typeof importResult.rowCount === "number"
+            ? importResult.rowCount
+            : typeof importResult.leadsImported === "number"
+                ? importResult.leadsImported
+                : 0;
+    const remainingRowCount = typeof importResult.remainingRowCount === "number"
+        ? importResult.remainingRowCount
+        : 0;
+    const importStatus = String(importResult.importStatus ?? "").toLowerCase();
+    const campaignTableReady = importResult.campaignTableReady === true ||
+        (!importResult.async &&
+            importStatus !== "pending" &&
+            importStatus !== "partial" &&
+            remainingRowCount <= 0 &&
+            importedRowCount > 0);
+    if (!campaignTableReady) {
+        throw new Error("Campaign review rows are still importing. Stay on lead import until the bounded campaign table is ready, then retry confirm_lead_list or wait_for_campaign_table_ready.");
+    }
+    if (importedRowCount <= 0) {
+        throw new Error("No usable review rows were kept for the campaign table. Tighten or change the source before continuing.");
+    }
     if (campaignTableId && overflowRowIds.length > 0) {
         const deleteBatchSize = 25;
         for (let index = 0; index < overflowRowIds.length; index += deleteBatchSize) {
@@ -2310,7 +2370,10 @@ export async function confirmLeadList(input) {
                 trimmedOverflowRowCount: overflowRowIds.length,
             }
             : undefined,
-        message: "Lead list imported into campaign table. Next: move to filter-choice, then wait_for_campaign_table_ready, then sample with get_rows_minimal.",
+        message: requestedTargetLeadCount !== null &&
+            leadListRowCount > requestedTargetLeadCount
+            ? `I found ${leadListRowCount} source candidates and imported the first ${Math.min(importedRowCount, requestedTargetLeadCount)} into the campaign review table.`
+            : "Lead list imported into the campaign review table. Next: sample rows with get_rows_minimal or continue into filter work.",
     };
 }
 export function getProviderPrompt(input) {

package/dist/tools/navigation.d.ts

@@ -81,7 +81,7 @@ export declare function computeCampaignNavigationStateFromCampaign(campaign: Cam
     };
     watchUrl: {
         urlPresent: boolean;
-        signed: boolean;
+        direct: boolean | undefined;
         redirectPath: string | null;
     };
     table: {
@@ -125,7 +125,7 @@ export declare function getCampaignNavigationState(input: GetCampaignNavigationS
     };
     watchUrl: {
         urlPresent: boolean;
-        signed: boolean;
+        direct: boolean | undefined;
         redirectPath: string | null;
     };
     table: {

package/dist/tools/navigation.js

@@ -281,9 +281,9 @@ function mapHeadlessToUiStep(step) {
         return "signal-discovery";
     if (step === "filter-choice")
         return "filter-choice";
-    if (step === "create-icp-rubric")
-        return "filter-rules";
-    if (step === "apply-icp-rubric" || step === "validate-sample") {
+    if (step === "create-icp-rubric" ||
+        step === "apply-icp-rubric" ||
+        step === "validate-sample") {
         return "filter-leads";
     }
     if (step === "messages" ||
@@ -381,7 +381,7 @@ function describeVisibleStep(step) {
             };
     }
 }
-function parseSignedWatchUrl(watchUrl, campaignId) {
+function parseWatchUrl(watchUrl, campaignId) {
     if (!watchUrl) {
         return {
             urlPresent: false,
@@ -392,26 +392,39 @@ function parseSignedWatchUrl(watchUrl, campaignId) {
     }
     try {
         const url = new URL(watchUrl);
+        const directPath = `/campaign-builder/${campaignId}`;
+        const isDirectCampaignUrl = url.pathname === directPath &&
+            (url.searchParams.get("mode") === "claude" ||
+                url.searchParams.get("mode") === "codex" ||
+                url.searchParams.get("mode") === "watch");
+        if (isDirectCampaignUrl) {
+            return {
+                urlPresent: true,
+                direct: true,
+                redirectPath: `${url.pathname}?${url.searchParams.toString()}`.replace(/\?$/, ""),
+                warning: null,
+            };
+        }
         const redirect = url.searchParams.get("redirect");
         const decodedRedirect = redirect ? decodeURIComponent(redirect) : null;
-        const signed = url.pathname === "/auth/continue" &&
+        const isLegacySigned = url.pathname === "/auth/continue" &&
             Boolean(url.searchParams.get("token")) &&
-            decodedRedirect === `/campaign-builder/${campaignId}?mode=claude`;
+            decodedRedirect?.startsWith(`${directPath}?mode=`) === true;
         return {
             urlPresent: true,
-            signed,
+            direct: false,
             redirectPath: decodedRedirect,
-            warning: signed
-                ? null
-                : "Watch URL is not a signed /auth/continue watch link for /campaign-builder/{campaignId}?mode=claude.",
+            warning: isLegacySigned
+                ? "Watch URL still uses a tokenized /auth/continue handoff. Return the safe direct /campaign-builder/{campaignId}?mode=claude watch URL instead."
+                : "Watch URL is not a safe direct /campaign-builder/{campaignId}?mode=claude watch link.",
         };
     }
     catch {
         return {
             urlPresent: true,
-            signed: false,
+            direct: false,
             redirectPath: null,
-            warning: "Watch URL is malformed; recover a fresh signed /auth/continue watch link before browser handoff.",
+            warning: "Watch URL is malformed; recover a fresh safe direct campaign-builder watch link before browser handoff.",
         };
     }
 }
@@ -554,7 +567,7 @@ export function computeCampaignNavigationStateFromCampaign(campaign, options) {
             checkpoint: "send",
         }
         : describeVisibleStep(orientationStep);
-    const watchUrlState = parseSignedWatchUrl(campaign.watchUrl, campaign.id);
+    const watchUrlState = parseWatchUrl(campaign.watchUrl, campaign.id);
     if (watchUrlState.warning) {
         warnings.push(watchUrlState.warning);
     }
@@ -579,7 +592,7 @@ export function computeCampaignNavigationStateFromCampaign(campaign, options) {
         },
         watchUrl: {
             urlPresent: watchUrlState.urlPresent,
-            signed: watchUrlState.signed,
+            direct: watchUrlState.direct,
             redirectPath: watchUrlState.redirectPath,
         },
         table: {

package/dist/tools/readiness.d.ts

@@ -134,7 +134,7 @@ export declare function waitForCampaignTableReady(input: WaitForCampaignTableRea
         };
         watchUrl: {
             urlPresent: boolean;
-            signed: boolean;
+            direct: boolean | undefined;
             redirectPath: string | null;
         };
         table: {
@@ -183,7 +183,7 @@ export declare function waitForCampaignTableReady(input: WaitForCampaignTableRea
         };
         watchUrl: {
             urlPresent: boolean;
-            signed: boolean;
+            direct: boolean | undefined;
             redirectPath: string | null;
         };
         table: {
@@ -234,7 +234,7 @@ export declare function waitForCampaignTableReady(input: WaitForCampaignTableRea
         };
         watchUrl: {
             urlPresent: boolean;
-            signed: boolean;
+            direct: boolean | undefined;
             redirectPath: string | null;
         };
         table: {

package/dist/tools/watch-url-security.js

@@ -1,7 +1,22 @@
 function sanitizeWatchUrlValue(value) {
-    // Watch URLs are intentional auth continuation handoffs for fresh browsers.
-    // Do not strip them here; redaction belongs in logs, not MCP tool results.
-    return value;
+    try {
+        const url = new URL(value);
+        if (url.pathname === "/auth/continue") {
+            const redirect = url.searchParams.get("redirect");
+            if (redirect) {
+                const direct = new URL(decodeURIComponent(redirect), url.origin);
+                const workspaceId = url.searchParams.get("workspaceId");
+                if (workspaceId && !direct.searchParams.has("workspaceId")) {
+                    direct.searchParams.set("workspaceId", workspaceId);
+                }
+                return direct.toString();
+            }
+        }
+        return value;
+    }
+    catch {
+        return value;
+    }
 }
 export function sanitizeWatchUrlsForMcpResult(value) {
     if (!value || typeof value !== "object")

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sellable/mcp",
-  "version": "0.1.110",
+  "version": "0.1.111",
   "type": "module",
   "description": "Sellable MCP server for Claude Code and Codex campaign workflows",
   "main": "dist/index.js",

package/skills/create-campaign/SKILL.md

@@ -162,11 +162,11 @@ copy.
 ## Codex Watch Browser Handoff
 
 When a campaign tool returns `watchUrl`, treat it as an active browser handoff,
-not only a URL to print. A valid handoff link must be a signed
-`/auth/continue?token=...&redirect=/campaign-builder/{campaignId}?mode=claude`
-URL. `create_campaign.watchUrl`, `create_campaign({ campaignId }).watchUrl`,
-and `get_campaign.watchUrl` are all acceptable only when they return that signed
-shape.
+not only a URL to print. A valid handoff link must be a safe direct
+`/campaign-builder/{campaignId}?mode=claude` URL. `create_campaign.watchUrl`,
+`create_campaign({ campaignId }).watchUrl`, and `get_campaign.watchUrl` are all
+acceptable only when they return that direct campaign-builder shape, with
+`workspaceId` used only as a safe routing hint when needed.
 
 In Codex Desktop, when in-app browser control is available, open the returned watch link on the user's behalf. After opening it, inspect the browser-visible campaign state, then explain what the user is seeing before continuing with more campaign tools. Use customer language such as:
 
@@ -175,8 +175,8 @@ I’ll open the campaign view and keep it in sync as I build.
 ```
 
 If browser control is unavailable, provide the watch link without discussing the
-runtime limitation. In off-desktop Codex runs, make the signed link easy to
-copy/open, then continue with explicit customer-facing campaign progress and
+runtime limitation. In off-desktop Codex runs, make the direct watch link easy
+to copy/open, then continue with explicit customer-facing campaign progress and
 `get_campaign_navigation_state` orientation checks.
 Use this fallback shape:
 
@@ -188,9 +188,9 @@ here as I build.
 ```
 
 If opening the watch link lands on an auth, 404, permission, blank, or visible
-error state, report only what is visible, recover a fresh signed watch link once
-with `create_campaign({ campaignId })` or `get_campaign`, and try that link. Do
-not claim the browser was opened, inspected, or synchronized unless the visible
+error state, report only what is visible, recover a fresh watch link once with
+`create_campaign({ campaignId })` or `get_campaign`, and try that link. Do not
+claim the browser was opened, inspected, or synchronized unless the visible
 browser state was actually observed. Do not claim the browser was opened unless
 it was opened and observed.
 

package/skills/create-campaign-v2/core/flow.v2.json

@@ -330,7 +330,7 @@
             "campaignBrief"
           ],
           "watchUrlSource": "create_campaign.watchUrl",
-          "requiredWatchUrlShape": "signed /auth/continue?token=...&redirect=/campaign-builder/{campaignId}?mode=claude",
+          "requiredWatchUrlShape": "direct /campaign-builder/{campaignId}?mode=claude watch URL",
           "codexBrowserHandoff": {
             "openWhenAvailable": true,
             "inspectBeforeContinuing": true,

package/skills/create-campaign-v2/references/watch-link-handoff.md

@@ -11,12 +11,12 @@ gating, and handoff read campaign state first.
 
 ## Plumbing Reuse
 
-`create_campaign` already returns a signed `/auth/continue` `watchUrl` on the response
-(`CampaignDetail.watchUrl` in `mcp/sellable/src/tools/campaigns.ts`). V2 does
-NOT mint a new token, does NOT call a different route, and does NOT construct
-the URL locally. Capture whatever `watchUrl` the existing tool returns and
-surface it verbatim. The link must be able to authenticate a fresh browser and
-land on the campaign builder without sending the user to signup.
+`create_campaign` already returns a safe direct campaign-builder `watchUrl` on
+the response (`CampaignDetail.watchUrl` in
+`mcp/sellable/src/tools/campaigns.ts`). V2 does NOT mint a new token, does NOT call
+a different route, and does NOT construct the URL locally. Capture whatever
+`watchUrl` the existing tool returns and surface it verbatim. The link must
+land on the campaign builder without exposing token secrets in the MCP result.
 
 ## Shell-First Link
 
@@ -59,7 +59,7 @@ If shell creation fails or the response is missing `watchUrl`, stop and surface
 the error. Do not continue into campaignless source scouting in the active
 shell-first flow.
 If a legacy atomic-mint response is missing `watchUrl`, it is not a silent skip.
-Stop before `save_rubrics` and recover the missing signed URL first.
+Stop before `save_rubrics` and recover the missing watch URL first.
 
 ## Step Orientation
 
@@ -81,19 +81,19 @@ Do not spam the link between internal tool calls.
 On resume:
 
 1. Load the `CampaignOffer` for the campaign being resumed.
-2. Recover the signed auth continuation link through the existing resume path
+2. Recover the direct watch link through the existing resume path
    (`create_campaign({ campaignId })` when available).
 3. Inspect `currentStep` and print a short orientation for where the user will
    land now.
 4. Print the recovered `watchUrl`.
 
-The re-surface must use the signed `watchUrl` from the tool response, not a
+The re-surface must use the `watchUrl` from the tool response, not a
 cached or reconstructed URL.
 
 ## Hard Rules
 
 - Never fabricate or reconstruct the URL locally.
-- The watch link must authenticate a fresh browser via `/auth/continue`.
+- The watch link must be a safe direct campaign-builder URL.
 - Missing `watchUrl` is an error, not a silent skip.
 - The first watch link must be shown only after the v1 brief is on the campaign.
 - A watch link is not approval to import, attach sequence, or start.