@sota-io/mcp 1.3.0 → 1.4.1

package/CLAUDE.md

@@ -39,11 +39,17 @@ You do NOT need to:
 - Configure connection strings
 - Set up SSL for the database (internal network, sslmode=disable is safe)
 
-If your app needs tables, run migrations on startup:
-- **Prisma**: `npx prisma migrate deploy` in your start script
-- **Drizzle**: `npx drizzle-kit push` or migrate on startup
-- **SQLAlchemy/Alembic**: `alembic upgrade head` in entrypoint
-- **Django**: `python manage.py migrate` before `gunicorn`
+If your app needs tables, run migrations on startup — there is no shell access to containers. Chain the migration command before your server start:
+
+- **Prisma**: Use `npx prisma db push && node server.js` as your start script. Note: use `db push` (not `migrate deploy`) because PgBouncer transaction mode blocks advisory locks. Add `?pgbouncer=true` to DATABASE_URL in your Prisma schema.
+- **Drizzle**: `npx drizzle-kit push && node server.js` — applies schema changes without migration files, works with PgBouncer.
+- **TypeORM**: `npx typeorm migration:run -d dist/data-source.js && node dist/server.js`
+- **Sequelize**: `npx sequelize-cli db:migrate && node server.js`
+- **Knex**: `npx knex migrate:latest && node server.js`
+- **Django**: `python manage.py migrate --noinput && gunicorn myproject.wsgi --bind 0.0.0.0:$PORT`
+- **Alembic**: `alembic upgrade head && uvicorn app.main:app --host 0.0.0.0 --port $PORT`
+
+Full migration guide: https://sota.io/docs/guides/postgresql
 
 ## Environment Variables
 
@@ -115,6 +121,8 @@ module.exports = { output: 'standalone' }
 | App not accessible | Use `get-status` — must show "running". Check health check (60s timeout). |
 | Env vars not applied | Changing env vars requires redeployment. Call `deploy` again. |
 | Next.js NEXT_PUBLIC_* empty | Set these BEFORE deploying (they're embedded at build time). |
+| Migrations not running | Start script must chain migration before server. Example: `"start": "npx prisma db push && node server.js"` |
+| `prepared statement already exists` | PgBouncer conflict — add `?pgbouncer=true` to DATABASE_URL in Prisma schema. |
 
 ## Links
 

package/README.md

@@ -7,7 +7,33 @@ MCP server for [sota.io](https://sota.io) — deploy web apps via AI agents.
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 [![Node](https://img.shields.io/badge/node-%3E%3D20-green)](https://nodejs.org)
 
-## Quick Start
+## Two transports
+
+Since v1.4.0 this package ships **two transports**:
+
+- **`sota-mcp`** (stdio, default) — for Claude Code, Cursor, Windsurf, and any
+  MCP client that spawns a local process. Pass your `SOTA_API_KEY` via env var.
+- **`sota-mcp-http`** (Streamable HTTP) — for self-hosting the remote endpoint
+  that powers `mcp.sota.io` (used by Claude Desktop and Claude.ai web). Reads
+  `SUPABASE_JWT_SECRET`, `DATABASE_URL`, etc. — most users do not need this;
+  it's the same code that runs on `mcp.sota.io` if you want to host your own.
+
+Most users want the stdio transport.
+
+## One-click install for Claude Desktop / Claude.ai web
+
+If you use Claude Desktop or Claude.ai (Pro / Max / Team / Enterprise plan),
+the easiest install is **not** this npm package — it's the hosted remote
+endpoint at `mcp.sota.io`. Click here:
+
+[**Add to Claude →**](https://claude.ai/customize/connectors?modal=add-custom-connector&connectorName=sota.io&connectorUrl=https%3A%2F%2Fmcp.sota.io%2Fmcp)
+
+OAuth handles auth. New users can sign up entirely inside Claude via the
+`create_account` tool — no browser tab switch.
+
+See [https://sota.io/docs/integrations/claude](https://sota.io/docs/integrations/claude).
+
+## Quick Start (stdio — Claude Code, Cursor, Windsurf, …)
 
 1. Get an API key from [sota.io/dashboard/settings](https://sota.io/dashboard/settings)
 2. [Configure your IDE](#configuration)
@@ -130,6 +156,10 @@ Edit `~/.codeium/windsurf/mcp_config.json`:
 | `list-projects` | List all projects | *(none)* |
 | `create-project` | Create a new project | `name` |
 | `delete-project` | Delete a project permanently | `project_id` |
+| `add-domain` | Add custom domain to project | `project_id`, `domain` |
+| `list-domains` | List custom domains | `project_id` |
+| `get-domain` | Get domain details and DNS status | `project_id`, `domain_id` |
+| `remove-domain` | Remove custom domain | `project_id`, `domain_id` |
 
 ### `deploy`
 
@@ -241,6 +271,57 @@ Delete a project and all its deployments from sota.io. This action is permanent.
 "Delete my sota.io project abc123"
 ```
 
+### `add-domain`
+
+Add a custom domain to a project. Returns DNS instructions for pointing the domain.
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `project_id` | string | Yes | Project ID |
+| `domain` | string | Yes | Domain name (e.g., "example.com" or "app.example.com") |
+
+```
+"Add example.com as a custom domain to my project"
+```
+
+### `list-domains`
+
+List all custom domains for a project.
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `project_id` | string | Yes | Project ID |
+
+```
+"Show all custom domains for my project"
+```
+
+### `get-domain`
+
+Get domain details including DNS verification status and SSL state.
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `project_id` | string | Yes | Project ID |
+| `domain_id` | string | Yes | Domain ID |
+
+```
+"Check the DNS status of my custom domain"
+```
+
+### `remove-domain`
+
+Remove a custom domain from a project.
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `project_id` | string | Yes | Project ID |
+| `domain_id` | string | Yes | Domain ID to remove |
+
+```
+"Remove the custom domain from my project"
+```
+
 ## Environment Variables
 
 | Variable | Required | Default | Description |

package/dist/auth/disposable-check.d.ts

@@ -0,0 +1,2 @@
+export declare function isDisposableEmailDomain(email: string): Promise<boolean>;
+//# sourceMappingURL=disposable-check.d.ts.map

package/dist/auth/disposable-check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"disposable-check.d.ts","sourceRoot":"","sources":["../../src/auth/disposable-check.ts"],"names":[],"mappings":"AAYA,wBAAsB,uBAAuB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAgB7E"}

package/dist/auth/disposable-check.js

@@ -0,0 +1,30 @@
+/**
+ * Disposable-email domain check — server-side gate for create_account tool.
+ *
+ * The web /api/auth/check-email route uses a build-time-embedded TS module
+ * generated from the maintained github.com/disposable-email-domains list.
+ * Here in mcp-server we don't want to duplicate the 5500-domain list, so we
+ * just call the web's check endpoint (it's already public, no auth, returns
+ * 200/422). One round-trip per create_account Step 1.
+ */
+const CHECK_URL = process.env.DISPOSABLE_EMAIL_CHECK_URL ?? "https://sota.io/api/auth/check-email";
+export async function isDisposableEmailDomain(email) {
+    try {
+        const r = await fetch(CHECK_URL, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ email }),
+            signal: AbortSignal.timeout(5_000),
+        });
+        if (r.status === 422)
+            return true;
+        return false;
+    }
+    catch {
+        // Fail open on network error — we'd rather let a real user through
+        // than block them because our own /api/auth/check-email had a hiccup.
+        // Supabase OTP rate-limits will still catch volume abuse.
+        return false;
+    }
+}
+//# sourceMappingURL=disposable-check.js.map

package/dist/auth/disposable-check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"disposable-check.js","sourceRoot":"","sources":["../../src/auth/disposable-check.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,MAAM,SAAS,GACb,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAAI,sCAAsC,CAAC;AAEnF,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,KAAa;IACzD,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;YAC/B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC;YAC/B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;SACnC,CAAC,CAAC;QACH,IAAI,CAAC,CAAC,MAAM,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QAClC,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,mEAAmE;QACnE,sEAAsE;QACtE,0DAA0D;QAC1D,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/auth/token-bridge.d.ts

@@ -0,0 +1,28 @@
+export interface BridgeResult {
+    /** The sota_xxx key plaintext to forward to sota-api on this request */
+    apiKey: string;
+    /** Whether a new key row was created (true on first sight of this user) */
+    created: boolean;
+    /** Whether the existing DB row was rotated (true on cold-start with pre-existing row) */
+    rotated: boolean;
+}
+/**
+ * Net-new user provisioning: called from the `create_account` tool after
+ * Supabase verified the OTP. Inserts the user_plans Free-tier row (if not
+ * already present) AND a `source='claude'` API key. Returns the key plaintext.
+ *
+ * Idempotent on user_plans (ON CONFLICT DO NOTHING) — covers the case where
+ * the user already exists with a plan but no Claude key (e.g. they signed up
+ * via the web first, then called create_account from Claude).
+ */
+export declare function provisionPlanAndKey(userId: string): Promise<BridgeResult>;
+/**
+ * Look up or provision a `source='claude'` API key for the given user.
+ *
+ * On cold start (no in-memory plaintext), if a DB row already exists we have
+ * no plaintext recoverable. Solution: rotate — delete the old row, insert a
+ * fresh key, return the new plaintext. The Claude integration continues to
+ * work transparently because sota-mcp does the lookup on every request.
+ */
+export declare function getOrProvisionApiKey(userId: string): Promise<BridgeResult>;
+//# sourceMappingURL=token-bridge.d.ts.map

package/dist/auth/token-bridge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-bridge.d.ts","sourceRoot":"","sources":["../../src/auth/token-bridge.ts"],"names":[],"mappings":"AAgGA,MAAM,WAAW,YAAY;IAC3B,wEAAwE;IACxE,MAAM,EAAE,MAAM,CAAC;IACf,2EAA2E;IAC3E,OAAO,EAAE,OAAO,CAAC;IACjB,yFAAyF;IACzF,OAAO,EAAE,OAAO,CAAC;CAClB;AAED;;;;;;;;GAQG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,YAAY,CAAC,CAqBvB;AAED;;;;;;;GAOG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,YAAY,CAAC,CAqCvB"}

package/dist/auth/token-bridge.js

@@ -0,0 +1,152 @@
+/**
+ * Token-to-Key bridge: maps a verified Claude JWT to an internal sota_xxx API key.
+ *
+ * Why: sota-api authenticates by `sota_xxx` keys (SHA-256 hashed in DB). Claude
+ * gives us a JWT. We don't pass the JWT through to sota-api — instead, on first
+ * sight of a JWT.sub, we provision a dedicated key tagged `source='claude'` and
+ * cache the mapping in-memory + persisted in DB.
+ *
+ * Benefits:
+ *   - One revocation surface for Marx: "delete all source=claude keys for user X"
+ *     immediately cuts off the Claude integration without touching the user's
+ *     CLI/dashboard keys
+ *   - Audit log can separate Claude-originated tool calls from CLI tool calls
+ *   - Future plan-gating happens at the existing sota-api layer (no duplicate
+ *     enforcement in sota-mcp)
+ *
+ * Lifecycle:
+ *   1. JWT in (verified, sub = user_id)
+ *   2. SELECT id, key_prefix FROM api_keys WHERE user_id=$1 AND source='claude'
+ *      LIMIT 1  -- one Claude key per user, reused across requests
+ *   3. If not found:
+ *      a. Generate sota_ + 40 hex (20 bytes random)
+ *      b. SHA-256 the full key
+ *      c. INSERT INTO api_keys (user_id, name='Claude MCP', key_hash, key_prefix,
+ *         source='claude')
+ *      d. Hold the plaintext only in memory for this request
+ *   4. Cache user_id → plaintext key for the process lifetime (5-min TTL; new
+ *      keys reuse the in-memory cache after restart by regenerating on first
+ *      hit — that's wasteful only on cold start, acceptable)
+ *
+ * IMPORTANT: we never get the plaintext back from the DB on subsequent hits.
+ * The plaintext is generated ONCE per user, cached in-memory while the
+ * process lives. After a process restart, we have no plaintext for users
+ * whose key already exists in DB → solution: REGENERATE (delete old row,
+ * insert new). That's safe because each Claude session re-binds to whatever
+ * key is current.
+ */
+import crypto from "node:crypto";
+import { Pool } from "pg";
+const DATABASE_URL = process.env.DATABASE_URL ?? "";
+let pool = null;
+function getPool() {
+    if (!pool) {
+        if (!DATABASE_URL) {
+            throw new Error("DATABASE_URL not configured — sota-mcp cannot bridge tokens to API keys");
+        }
+        // Supabase pooler uses a CA chain pg can't verify by default. Strip
+        // ?sslmode= from the URL and force a permissive TLS config explicitly,
+        // matching what the rest of the sota.io stack does.
+        const cleanUrl = DATABASE_URL.replace(/[?&]sslmode=[^&]*/i, "");
+        pool = new Pool({
+            connectionString: cleanUrl,
+            max: 5,
+            idleTimeoutMillis: 30_000,
+            ssl: { rejectUnauthorized: false, require: true },
+        });
+        pool.on("error", (err) => {
+            // Best-effort logging; pool keeps working across single-conn errors
+            // eslint-disable-next-line no-console
+            console.error("pg pool error:", err.message);
+        });
+    }
+    return pool;
+}
+// In-memory cache: userId → { plaintextKey, expiresAt }
+// TTL is short (5 min) because we'd rather rotate-on-restart than ever leak.
+const cache = new Map();
+const CACHE_TTL_MS = 5 * 60_000;
+function cacheGet(userId) {
+    const entry = cache.get(userId);
+    if (!entry)
+        return null;
+    if (entry.expiresAt < Date.now()) {
+        cache.delete(userId);
+        return null;
+    }
+    return entry.plaintext;
+}
+function cacheSet(userId, plaintext) {
+    cache.set(userId, { plaintext, expiresAt: Date.now() + CACHE_TTL_MS });
+}
+function generateKey() {
+    const randBytes = crypto.randomBytes(20);
+    const plaintext = "sota_" + randBytes.toString("hex"); // sota_ + 40 hex
+    const hash = crypto.createHash("sha256").update(plaintext).digest("hex");
+    const prefix = plaintext.slice(0, 13); // "sota_" + first 8 hex
+    return { plaintext, hash, prefix };
+}
+/**
+ * Net-new user provisioning: called from the `create_account` tool after
+ * Supabase verified the OTP. Inserts the user_plans Free-tier row (if not
+ * already present) AND a `source='claude'` API key. Returns the key plaintext.
+ *
+ * Idempotent on user_plans (ON CONFLICT DO NOTHING) — covers the case where
+ * the user already exists with a plan but no Claude key (e.g. they signed up
+ * via the web first, then called create_account from Claude).
+ */
+export async function provisionPlanAndKey(userId) {
+    const client = await getPool().connect();
+    try {
+        // Free-tier defaults (mirrors api/internal/repository/user_plan.go defaults)
+        await client.query(`INSERT INTO user_plans (
+         user_id, plan, max_projects, max_memory_mb, max_cpu_millicores,
+         max_databases, max_custom_domains, max_builds_per_day,
+         source, onboarded_at
+       ) VALUES ($1, 'free', 3, 256, 500, 1, 0, 10, 'claude', now())
+       ON CONFLICT (user_id) DO NOTHING`, [userId]);
+    }
+    catch (err) {
+        throw new Error(`user_plans provisioning failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    finally {
+        client.release();
+    }
+    return getOrProvisionApiKey(userId);
+}
+/**
+ * Look up or provision a `source='claude'` API key for the given user.
+ *
+ * On cold start (no in-memory plaintext), if a DB row already exists we have
+ * no plaintext recoverable. Solution: rotate — delete the old row, insert a
+ * fresh key, return the new plaintext. The Claude integration continues to
+ * work transparently because sota-mcp does the lookup on every request.
+ */
+export async function getOrProvisionApiKey(userId) {
+    const cached = cacheGet(userId);
+    if (cached)
+        return { apiKey: cached, created: false, rotated: false };
+    const client = await getPool().connect();
+    try {
+        const existing = await client.query(`SELECT id FROM api_keys WHERE user_id = $1 AND source = 'claude' LIMIT 1`, [userId]);
+        const { plaintext, hash, prefix } = generateKey();
+        if (existing.rowCount === 0) {
+            // First-time: simple INSERT
+            await client.query(`INSERT INTO api_keys (user_id, name, key_hash, key_prefix, source)
+         VALUES ($1, $2, $3, $4, 'claude')`, [userId, "Claude MCP", hash, prefix]);
+            cacheSet(userId, plaintext);
+            return { apiKey: plaintext, created: true, rotated: false };
+        }
+        // Cold-start rotation: replace the existing row's hash + prefix so the
+        // freshly minted plaintext becomes the active key for this user.
+        await client.query(`UPDATE api_keys
+       SET key_hash = $2, key_prefix = $3, last_used_at = now()
+       WHERE id = $1`, [existing.rows[0].id, hash, prefix]);
+        cacheSet(userId, plaintext);
+        return { apiKey: plaintext, created: false, rotated: true };
+    }
+    finally {
+        client.release();
+    }
+}
+//# sourceMappingURL=token-bridge.js.map

package/dist/auth/token-bridge.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-bridge.js","sourceRoot":"","sources":["../../src/auth/token-bridge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAE1B,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;AACpD,IAAI,IAAI,GAAgB,IAAI,CAAC;AAE7B,SAAS,OAAO;IACd,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CACb,yEAAyE,CAC1E,CAAC;QACJ,CAAC;QACD,oEAAoE;QACpE,uEAAuE;QACvE,oDAAoD;QACpD,MAAM,QAAQ,GAAG,YAAY,CAAC,OAAO,CAAC,oBAAoB,EAAE,EAAE,CAAC,CAAC;QAChE,IAAI,GAAG,IAAI,IAAI,CAAC;YACd,gBAAgB,EAAE,QAAQ;YAC1B,GAAG,EAAE,CAAC;YACN,iBAAiB,EAAE,MAAM;YACzB,GAAG,EAAE,EAAE,kBAAkB,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAuB;SACvE,CAAC,CAAC;QACH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACvB,oEAAoE;YACpE,sCAAsC;YACtC,OAAO,CAAC,KAAK,CAAC,gBAAgB,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;QAC/C,CAAC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,wDAAwD;AACxD,6EAA6E;AAC7E,MAAM,KAAK,GAAG,IAAI,GAAG,EAAoD,CAAC;AAC1E,MAAM,YAAY,GAAG,CAAC,GAAG,MAAM,CAAC;AAEhC,SAAS,QAAQ,CAAC,MAAc;IAC9B,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,IAAI,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QACjC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC,SAAS,CAAC;AACzB,CAAC;AAED,SAAS,QAAQ,CAAC,MAAc,EAAE,SAAiB;IACjD,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,EAAE,CAAC,CAAC;AACzE,CAAC;AAED,SAAS,WAAW;IAClB,MAAM,SAAS,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,OAAO,GAAG,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,iBAAiB;IACxE,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACzE,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,wBAAwB;IAC/D,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AACrC,CAAC;AAWD;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,MAAc;IAEd,MAAM,MAAM,GAAG,MAAM,OAAO,EAAE,CAAC,OAAO,EAAE,CAAC;IACzC,IAAI,CAAC;QACH,6EAA6E;QAC7E,MAAM,MAAM,CAAC,KAAK,CAChB;;;;;wCAKkC,EAClC,CAAC,MAAM,CAAC,CACT,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,mCAAmC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACtF,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,CAAC,OAAO,EAAE,CAAC;IACnB,CAAC;IACD,OAAO,oBAAoB,CAAC,MAAM,CAAC,CAAC;AACtC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,MAAc;IAEd,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,MAAM;QAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAEtE,MAAM,MAAM,GAAG,MAAM,OAAO,EAAE,CAAC,OAAO,EAAE,CAAC;IACzC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,KAAK,CACjC,0EAA0E,EAC1E,CAAC,MAAM,CAAC,CACT,CAAC;QAEF,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,WAAW,EAAE,CAAC;QAElD,IAAI,QAAQ,CAAC,QAAQ,KAAK,CAAC,EAAE,CAAC;YAC5B,4BAA4B;YAC5B,MAAM,MAAM,CAAC,KAAK,CAChB;2CACmC,EACnC,CAAC,MAAM,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,CAAC,CACrC,CAAC;YACF,QAAQ,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YAC5B,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QAC9D,CAAC;QAED,uEAAuE;QACvE,iEAAiE;QACjE,MAAM,MAAM,CAAC,KAAK,CAChB;;qBAEe,EACf,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,CACpC,CAAC;QACF,QAAQ,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QAC5B,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC9D,CAAC;YAAS,CAAC;QACT,MAAM,CAAC,OAAO,EAAE,CAAC;IACnB,CAAC;AACH,CAAC"}

package/dist/auth/verify-jwt.d.ts

@@ -0,0 +1,13 @@
+export interface VerifiedJwt {
+    sub: string;
+    email?: string;
+    iss: string;
+    exp: number;
+    raw: string;
+}
+export declare class JwtVerificationError extends Error {
+    readonly code: string;
+    constructor(message: string, code: string);
+}
+export declare function verifyJwt(rawToken: string): Promise<VerifiedJwt>;
+//# sourceMappingURL=verify-jwt.d.ts.map

package/dist/auth/verify-jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-jwt.d.ts","sourceRoot":"","sources":["../../src/auth/verify-jwt.ts"],"names":[],"mappings":"AA2CA,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED,qBAAa,oBAAqB,SAAQ,KAAK;aACA,IAAI,EAAE,MAAM;gBAA7C,OAAO,EAAE,MAAM,EAAkB,IAAI,EAAE,MAAM;CAG1D;AAED,wBAAsB,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAoDtE"}

package/dist/auth/verify-jwt.js

@@ -0,0 +1,84 @@
+/**
+ * JWT validation for incoming Claude bearer tokens.
+ *
+ * Supabase OAuth Server (Phase 56) issues access tokens via HS256 — its JWKS
+ * endpoint is intentionally empty in May 2026 because tokens are signed with
+ * the project's shared JWT secret. We validate with that same secret.
+ *
+ * Acceptance criteria for a valid token (RFC 8707 audience binding partially):
+ *  - signature verifies with the configured HS256 secret
+ *  - exp not in the past, nbf not in the future
+ *  - iss starts with the expected Supabase project issuer URL
+ *    (we accept BOTH the project-ref URL and the custom-domain URL — Supabase
+ *    Custom Domain doesn't rewrite the iss claim in May 2026, see Phase 56
+ *    SUMMARY.md "Caveats" section)
+ *  - sub is a non-empty UUID-shaped string
+ *
+ * NOT enforced in 57-02 (deferred to Phase 61 Pattern A migration where
+ * Anthropic-Held Credentials let us mint mcp.sota.io-audience tokens):
+ *  - strict aud == "https://mcp.sota.io" check (Supabase tokens carry
+ *    aud="authenticated", not our resource URL; rejecting on that would
+ *    block every incoming token)
+ */
+import { jwtVerify, errors as joseErrors } from "jose";
+const SUPABASE_JWT_SECRET = process.env.SUPABASE_JWT_SECRET ?? "";
+const ACCEPTED_ISSUERS = [
+    "https://wnwsdtqhywfxxlnyqafk.supabase.co/auth/v1",
+    "https://auth.sota.io/auth/v1",
+];
+if (!SUPABASE_JWT_SECRET) {
+    // Server still boots, but every incoming token will fail validation.
+    // This keeps health checks alive while signalling a missing config.
+    // eslint-disable-next-line no-console
+    console.warn("WARN: SUPABASE_JWT_SECRET is not set — every Bearer token will be rejected.");
+}
+const secretKey = SUPABASE_JWT_SECRET
+    ? new TextEncoder().encode(SUPABASE_JWT_SECRET)
+    : null;
+export class JwtVerificationError extends Error {
+    code;
+    constructor(message, code) {
+        super(message);
+        this.code = code;
+    }
+}
+export async function verifyJwt(rawToken) {
+    if (!secretKey) {
+        throw new JwtVerificationError("Server JWT secret not configured", "server_misconfigured");
+    }
+    try {
+        const { payload } = await jwtVerify(rawToken, secretKey, {
+            algorithms: ["HS256"],
+        });
+        const iss = typeof payload.iss === "string" ? payload.iss : "";
+        if (!ACCEPTED_ISSUERS.includes(iss)) {
+            throw new JwtVerificationError(`Unexpected issuer: ${iss}`, "invalid_issuer");
+        }
+        const sub = typeof payload.sub === "string" ? payload.sub : "";
+        if (!sub) {
+            throw new JwtVerificationError("Token has no sub claim", "no_subject");
+        }
+        return {
+            sub,
+            email: typeof payload.email === "string" ? payload.email : undefined,
+            iss,
+            exp: typeof payload.exp === "number" ? payload.exp : 0,
+            raw: rawToken,
+        };
+    }
+    catch (err) {
+        if (err instanceof JwtVerificationError)
+            throw err;
+        if (err instanceof joseErrors.JWTExpired) {
+            throw new JwtVerificationError("Token expired", "token_expired");
+        }
+        if (err instanceof joseErrors.JWTInvalid) {
+            throw new JwtVerificationError("Malformed JWT", "malformed_jwt");
+        }
+        if (err instanceof joseErrors.JWSSignatureVerificationFailed) {
+            throw new JwtVerificationError("JWT signature invalid", "invalid_signature");
+        }
+        throw new JwtVerificationError(err instanceof Error ? err.message : String(err), "unknown");
+    }
+}
+//# sourceMappingURL=verify-jwt.js.map

package/dist/auth/verify-jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-jwt.js","sourceRoot":"","sources":["../../src/auth/verify-jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,OAAO,EAAE,SAAS,EAAE,MAAM,IAAI,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvD,MAAM,mBAAmB,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC;AAClE,MAAM,gBAAgB,GAAG;IACvB,kDAAkD;IAClD,8BAA8B;CAC/B,CAAC;AAEF,IAAI,CAAC,mBAAmB,EAAE,CAAC;IACzB,qEAAqE;IACrE,oEAAoE;IACpE,sCAAsC;IACtC,OAAO,CAAC,IAAI,CACV,6EAA6E,CAC9E,CAAC;AACJ,CAAC;AAED,MAAM,SAAS,GAAG,mBAAmB;IACnC,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,mBAAmB,CAAC;IAC/C,CAAC,CAAC,IAAI,CAAC;AAUT,MAAM,OAAO,oBAAqB,SAAQ,KAAK;IACA;IAA7C,YAAY,OAAe,EAAkB,IAAY;QACvD,KAAK,CAAC,OAAO,CAAC,CAAC;QAD4B,SAAI,GAAJ,IAAI,CAAQ;IAEzD,CAAC;CACF;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,QAAgB;IAC9C,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,oBAAoB,CAC5B,kCAAkC,EAClC,sBAAsB,CACvB,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,SAAS,EAAE;YACvD,UAAU,EAAE,CAAC,OAAO,CAAC;SACtB,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/D,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,oBAAoB,CAC5B,sBAAsB,GAAG,EAAE,EAC3B,gBAAgB,CACjB,CAAC;QACJ,CAAC;QAED,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/D,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,oBAAoB,CAAC,wBAAwB,EAAE,YAAY,CAAC,CAAC;QACzE,CAAC;QAED,OAAO;YACL,GAAG;YACH,KAAK,EAAE,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;YACpE,GAAG;YACH,GAAG,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACtD,GAAG,EAAE,QAAQ;SACd,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,oBAAoB;YAAE,MAAM,GAAG,CAAC;QACnD,IAAI,GAAG,YAAY,UAAU,CAAC,UAAU,EAAE,CAAC;YACzC,MAAM,IAAI,oBAAoB,CAAC,eAAe,EAAE,eAAe,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,GAAG,YAAY,UAAU,CAAC,UAAU,EAAE,CAAC;YACzC,MAAM,IAAI,oBAAoB,CAAC,eAAe,EAAE,eAAe,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,GAAG,YAAY,UAAU,CAAC,8BAA8B,EAAE,CAAC;YAC7D,MAAM,IAAI,oBAAoB,CAC5B,uBAAuB,EACvB,mBAAmB,CACpB,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,oBAAoB,CAC5B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAChD,SAAS,CACV,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/http.d.ts

@@ -0,0 +1,21 @@
+#!/usr/bin/env node
+/**
+ * sota.io MCP Server — HTTP Transport (remote)
+ *
+ * Streamable HTTP variant of the existing stdio MCP server. Same 13 tools,
+ * exposed via mcp.sota.io/mcp for one-click installation from Claude Desktop
+ * and Claude.ai.
+ *
+ * Phase 57-01 (this file): scaffold + transport + RFC 9728 metadata.
+ *   Auth is currently a pass-through Bearer API key — clients send their
+ *   existing sota_xxx key as `Authorization: Bearer <key>` and it gets
+ *   forwarded to sota-api. No OAuth validation yet.
+ *
+ * Phase 57-02 (next): OAuth 2.1 + JWT validation against Supabase JWKS,
+ *   token-to-API-key bridge with `source=claude` audit tagging.
+ *
+ * Phase 57-03 (next): `create_account` tool for net-new user signup from
+ *   inside Claude + plan-based capability gating.
+ */
+export {};
+//# sourceMappingURL=http.d.ts.map

package/dist/http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../src/http.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;;;GAiBG"}