@studiometa/productive-mcp 0.10.9 → 0.10.10

package/dist/http.d.ts

@@ -4,6 +4,8 @@
  * This module contains the app/router creation logic for the HTTP transport.
  * The actual server startup is in server.ts.
  */
+import { Server } from '@modelcontextprotocol/sdk/server/index.js';
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import { H3 } from 'h3';
 /**
  * JSON-RPC error response
@@ -35,6 +37,7 @@ export declare function handleInitialize(): {
     };
     capabilities: {
         tools: {};
+        prompts: {};
         resources: {};
     };
     instructions: string;
@@ -84,6 +87,8 @@ export declare function handleToolsList(): {
         title?: string | undefined;
     }[];
 };
+export declare function createHttpMcpServer(): Server;
+export declare function createHttpMcpTransport(): Promise<StreamableHTTPServerTransport>;
 /**
  * Create the H3 application with all routes
  */

package/dist/http.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../src/http.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,EAAE,EAA+B,MAAM,IAAI,CAAC;AAgBrD;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,GAAE,MAAM,GAAG,MAAM,GAAG,IAAW;;;;;;;EAM5F;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,GAAE,MAAM,GAAG,MAAM,GAAG,IAAW;;;;EAMhF;AAED;;GAEG;AACH,wBAAgB,gBAAgB;;;;;;;;;;;EAa/B;AAED;;GAEG;AACH,wBAAgB,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAE9B;AAWD;;GAEG;AACH,wBAAgB,aAAa,IAAI,EAAE,CA0LlC"}
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../src/http.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AAYnG,OAAO,EAAE,EAAE,EAA+B,MAAM,IAAI,CAAC;AAmBrD;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,GAAE,MAAM,GAAG,MAAM,GAAG,IAAW;;;;;;;EAM5F;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,GAAE,MAAM,GAAG,MAAM,GAAG,IAAW;;;;EAMhF;AAED;;GAEG;AACH,wBAAgB,gBAAgB;;;;;;;;;;;;EAc/B;AAED;;GAEG;AACH,wBAAgB,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAE9B;AA6DD,wBAAgB,mBAAmB,IAAI,MAAM,CAwD5C;AAED,wBAAsB,sBAAsB,IAAI,OAAO,CAAC,6BAA6B,CAAC,CAUrF;AAuBD;;GAEG;AACH,wBAAgB,aAAa,IAAI,EAAE,CA2FlC"}

package/dist/http.js

@@ -1,170 +1,2 @@
-import { a as INSTRUCTIONS, i as readResource, n as listResourceTemplates, r as listResources, t as VERSION } from "./version-BFw4junA.js";
-import { t as executeToolWithCredentials } from "./handlers-t95fhdps.js";
-import { TOOLS } from "./tools.js";
-import { parseAuthHeader } from "./auth.js";
-import { authorizeGetHandler, authorizePostHandler, oauthMetadataHandler, registerHandler, tokenHandler } from "./oauth.js";
-import { H3, defineHandler } from "h3";
-/**
-* HTTP transport handlers for Productive MCP Server
-*
-* This module contains the app/router creation logic for the HTTP transport.
-* The actual server startup is in server.ts.
-*/
-/**
-* JSON-RPC error response
-*/
-function jsonRpcError(code, message, id = null) {
-	return {
-		jsonrpc: "2.0",
-		error: {
-			code,
-			message
-		},
-		id
-	};
-}
-/**
-* JSON-RPC success response
-*/
-function jsonRpcSuccess(result, id = null) {
-	return {
-		jsonrpc: "2.0",
-		result,
-		id
-	};
-}
-/**
-* Handle the initialize JSON-RPC method
-*/
-function handleInitialize() {
-	return {
-		protocolVersion: "2024-11-05",
-		serverInfo: {
-			name: "productive-mcp",
-			version: VERSION
-		},
-		capabilities: {
-			tools: {},
-			resources: {}
-		},
-		instructions: INSTRUCTIONS
-	};
-}
-/**
-* Handle the tools/list JSON-RPC method
-*/
-function handleToolsList() {
-	return { tools: TOOLS };
-}
-/**
-* Get base URL from event headers
-*/
-function getBaseUrl(event) {
-	const host = event.req.headers.get("host") || "localhost:3000";
-	return `${event.req.headers.get("x-forwarded-proto") || "http"}://${host}`;
-}
-/**
-* Create the H3 application with all routes
-*/
-function createHttpApp() {
-	const app = new H3();
-	app.get("/.well-known/oauth-authorization-server", oauthMetadataHandler);
-	app.post("/register", registerHandler);
-	app.get("/authorize", authorizeGetHandler);
-	app.post("/authorize", authorizePostHandler);
-	app.post("/token", tokenHandler);
-	app.get("/.well-known/oauth-protected-resource", defineHandler((event) => {
-		const baseUrl = getBaseUrl(event);
-		event.res.headers.set("Content-Type", "application/json");
-		event.res.headers.set("Cache-Control", "public, max-age=3600");
-		return {
-			resource: `${baseUrl}/mcp`,
-			authorization_servers: [baseUrl],
-			scopes_supported: ["productive"],
-			bearer_methods_supported: ["header"]
-		};
-	}));
-	app.get("/", defineHandler(() => {
-		return {
-			status: "ok",
-			service: "productive-mcp",
-			version: VERSION
-		};
-	}));
-	app.get("/health", defineHandler(() => {
-		return { status: "ok" };
-	}));
-	app.post("/mcp", defineHandler(async (event) => {
-		const credentials = parseAuthHeader(event.req.headers.get("authorization"));
-		if (!credentials) {
-			const baseUrl = getBaseUrl(event);
-			event.res.headers.set("Content-Type", "application/json");
-			event.res.headers.set("WWW-Authenticate", `Bearer resource_metadata="${baseUrl}/.well-known/oauth-protected-resource"`);
-			event.res.status = 401;
-			return jsonRpcError(-32001, "Authentication required. Provide Bearer token with base64(organizationId:apiToken:userId)");
-		}
-		event.res.headers.set("Content-Type", "application/json");
-		let body;
-		try {
-			body = await event.req.json();
-		} catch {
-			event.res.status = 400;
-			return jsonRpcError(-32700, "Parse error: Invalid JSON");
-		}
-		if (!body || typeof body !== "object") {
-			event.res.status = 400;
-			return jsonRpcError(-32700, "Parse error: Invalid JSON");
-		}
-		const { method, params, id } = body;
-		try {
-			if (method === "initialize") return jsonRpcSuccess(handleInitialize(), id ?? null);
-			if (method === "tools/list") return jsonRpcSuccess(handleToolsList(), id ?? null);
-			if (method === "tools/call") {
-				const { name, arguments: args } = params;
-				return jsonRpcSuccess(await executeToolWithCredentials(name, args || {}, credentials), id ?? null);
-			}
-			if (method === "resources/list") return jsonRpcSuccess({ resources: listResources() }, id ?? null);
-			if (method === "resources/templates/list") return jsonRpcSuccess({ resourceTemplates: listResourceTemplates() }, id ?? null);
-			if (method === "resources/read") {
-				const { uri } = params ?? {};
-				if (!uri) return jsonRpcError(-32602, "Invalid params: uri is required", id ?? null);
-				return jsonRpcSuccess(await readResource(uri, credentials), id ?? null);
-			}
-			return jsonRpcError(-32601, `Method not found: ${method}`, id ?? null);
-		} catch (error) {
-			return jsonRpcError(-32603, `Internal error: ${error instanceof Error ? error.message : String(error)}`, id ?? null);
-		}
-	}));
-	app.get("/mcp/sse", defineHandler(async (event) => {
-		if (!parseAuthHeader(event.req.headers.get("authorization"))) {
-			const baseUrl = getBaseUrl(event);
-			event.res.headers.set("WWW-Authenticate", `Bearer resource_metadata="${baseUrl}/.well-known/oauth-protected-resource"`);
-			event.res.status = 401;
-			return { error: "Authentication required" };
-		}
-		const nodeRuntime = event.runtime?.node;
-		const nodeRes = nodeRuntime?.res;
-		if (!nodeRes) {
-			event.res.status = 501;
-			return { error: "SSE requires Node.js runtime" };
-		}
-		nodeRes.writeHead(200, {
-			"Content-Type": "text/event-stream",
-			"Cache-Control": "no-cache",
-			Connection: "keep-alive"
-		});
-		const sessionId = crypto.randomUUID();
-		nodeRes.write(`event: session\ndata: ${JSON.stringify({ sessionId })}\n\n`);
-		const keepAlive = setInterval(() => {
-			nodeRes.write(": keepalive\n\n");
-		}, 3e4);
-		nodeRuntime?.req.on("close", () => {
-			clearInterval(keepAlive);
-		});
-		return new Promise(() => {});
-	}));
-	return app;
-}
-export { createHttpApp, handleInitialize, handleToolsList, jsonRpcError, jsonRpcSuccess };
-
-//# sourceMappingURL=http.js.map
+import { a as handleToolsList, i as handleInitialize, n as createHttpMcpServer, o as jsonRpcError, r as createHttpMcpTransport, s as jsonRpcSuccess, t as createHttpApp } from "./http-CVE4qtko.js";
+export { createHttpApp, createHttpMcpServer, createHttpMcpTransport, handleInitialize, handleToolsList, jsonRpcError, jsonRpcSuccess };

package/dist/index.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
-import { a as INSTRUCTIONS, i as readResource, n as listResourceTemplates, r as listResources, t as VERSION } from "./version-BFw4junA.js";
-import "./handlers-t95fhdps.js";
-import { a as handlePrompt, n as getAvailableTools, s as handleToolCall, t as getAvailablePrompts } from "./stdio-Bi1Lvp8O.js";
+import { a as INSTRUCTIONS, i as readResource, n as listResourceTemplates, r as listResources, t as VERSION } from "./version-Cy8UEAT1.js";
+import { a as handlePrompt, n as getAvailableTools, s as handleToolCall, t as getAvailablePrompts } from "./stdio-BFK9AcdQ.js";
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { CallToolRequestSchema, GetPromptRequestSchema, ListPromptsRequestSchema, ListResourceTemplatesRequestSchema, ListResourcesRequestSchema, ListToolsRequestSchema, ReadResourceRequestSchema } from "@modelcontextprotocol/sdk/types.js";
 import { getConfig } from "@studiometa/productive-api";
+//#region src/index.ts
 /**
 * Productive MCP Server - Stdio Transport
 *
@@ -94,6 +94,7 @@ if (import.meta.url === `file://${process.argv[1]}` || process.argv[1]?.endsWith
 	console.error("Fatal error:", error);
 	process.exit(1);
 });
+//#endregion
 export { createStdioServer, startStdioServer };
 
 //# sourceMappingURL=index.js.map

package/dist/oauth.d.ts

@@ -68,7 +68,7 @@ export declare const authorizeGetHandler: import("h3").EventHandlerWithFetch<imp
  * Authorization endpoint - process login
  * POST /authorize
  */
-export declare const authorizePostHandler: import("h3").EventHandlerWithFetch<import("h3").EventHandlerRequest, Promise<string>>;
+export declare const authorizePostHandler: import("h3").EventHandlerWithFetch<import("h3").EventHandlerRequest, Promise<string | import("h3").HTTPResponse>>;
 /**
  * Token endpoint - exchange code for access token
  * POST /token

package/dist/oauth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAQH;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB;;;;;;;;;;;EAyB/B,CAAC;AAEH;;;;;;;GAOG;AACH,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;;GAoC1B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,mBAAmB,0GA+C9B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,oBAAoB,uFA0D/B,CAAC;AAEH;;;;;;;GAOG;AACH,eAAO,MAAM,YAAY;;;;;;;;;;;;;;GA2FvB,CAAC"}
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAQH;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB;;;;;;;;;;;EAyB/B,CAAC;AAEH;;;;;;;GAOG;AACH,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;;GAoC1B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,mBAAmB,0GA+C9B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,oBAAoB,mHA0D/B,CAAC;AAEH;;;;;;;GAOG;AACH,eAAO,MAAM,YAAY;;;;;;;;;;;;;;GA2FvB,CAAC"}

package/dist/oauth.js

@@ -2,6 +2,7 @@ import { createAuthToken } from "./auth.js";
 import { createAuthCode, decodeAuthCode } from "./crypto.js";
 import { defineHandler, getQuery, redirect } from "h3";
 import { createHash } from "node:crypto";
+//#region src/oauth.ts
 /**
 * OAuth 2.0 endpoints for Claude Desktop integration
 *
@@ -24,7 +25,7 @@ import { createHash } from "node:crypto";
 *
 * MCP clients MUST check this endpoint first for server capabilities.
 */
-const oauthMetadataHandler = defineHandler((event) => {
+var oauthMetadataHandler = defineHandler((event) => {
 	const host = event.req.headers.get("host") || "localhost:3000";
 	const baseUrl = `${event.req.headers.get("x-forwarded-proto") || "http"}://${host}`;
 	event.res.headers.set("Content-Type", "application/json");
@@ -50,7 +51,7 @@ const oauthMetadataHandler = defineHandler((event) => {
 * Since we use stateless tokens, we accept any registration and return
 * a generated client_id.
 */
-const registerHandler = defineHandler(async (event) => {
+var registerHandler = defineHandler(async (event) => {
 	event.res.headers.set("Content-Type", "application/json");
 	let body;
 	try {
@@ -82,7 +83,7 @@ const registerHandler = defineHandler(async (event) => {
 * Authorization endpoint - shows login form
 * GET /authorize
 */
-const authorizeGetHandler = defineHandler((event) => {
+var authorizeGetHandler = defineHandler((event) => {
 	const query = getQuery(event);
 	const clientId = query.client_id;
 	const redirectUri = query.redirect_uri;
@@ -123,7 +124,7 @@ const authorizeGetHandler = defineHandler((event) => {
 * Authorization endpoint - process login
 * POST /authorize
 */
-const authorizePostHandler = defineHandler(async (event) => {
+var authorizePostHandler = defineHandler(async (event) => {
 	const formData = await event.req.formData();
 	const { orgId, apiToken, userId, redirectUri, state, codeChallenge, codeChallengeMethod } = Object.fromEntries(formData.entries());
 	if (!redirectUri) {
@@ -163,8 +164,7 @@ const authorizePostHandler = defineHandler(async (event) => {
 	const redirectUrl = new URL(redirectUri);
 	redirectUrl.searchParams.set("code", code);
 	if (state) redirectUrl.searchParams.set("state", state);
-	event.res.headers.set("Content-Type", "text/html; charset=utf-8");
-	return renderSuccessPage(redirectUrl.toString());
+	return redirect(redirectUrl.toString());
 });
 /**
 * Token endpoint - exchange code for access token
@@ -174,7 +174,7 @@ const authorizePostHandler = defineHandler(async (event) => {
 * - authorization_code grant (with PKCE validation)
 * - refresh_token grant
 */
-const tokenHandler = defineHandler(async (event) => {
+var tokenHandler = defineHandler(async (event) => {
 	event.res.headers.set("Content-Type", "application/json");
 	let body;
 	if ((event.req.headers.get("content-type") || "").includes("application/x-www-form-urlencoded")) {
@@ -457,115 +457,6 @@ function renderLoginForm(params) {
 </html>`;
 }
 /**
-* Render success page with auto-redirect
-*/
-function renderSuccessPage(redirectUrl) {
-	return `<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <meta http-equiv="refresh" content="2;url=${escapeHtml(redirectUrl)}">
-  <title>Connected - Productive MCP</title>
-  <style>
-    * {
-      box-sizing: border-box;
-      margin: 0;
-      padding: 0;
-    }
-    body {
-      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
-      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
-      min-height: 100vh;
-      display: flex;
-      align-items: center;
-      justify-content: center;
-      padding: 20px;
-    }
-    .container {
-      background: white;
-      border-radius: 16px;
-      box-shadow: 0 20px 60px rgba(0, 0, 0, 0.3);
-      padding: 40px;
-      width: 100%;
-      max-width: 420px;
-      text-align: center;
-    }
-    .success-icon {
-      width: 64px;
-      height: 64px;
-      margin: 0 auto 24px;
-      background: linear-gradient(135deg, #10b981 0%, #059669 100%);
-      border-radius: 50%;
-      display: flex;
-      align-items: center;
-      justify-content: center;
-    }
-    .success-icon svg {
-      width: 32px;
-      height: 32px;
-      stroke: white;
-    }
-    h1 {
-      color: #1a1a2e;
-      font-size: 24px;
-      margin-bottom: 8px;
-    }
-    .message {
-      color: #666;
-      font-size: 14px;
-      margin-bottom: 24px;
-    }
-    .spinner {
-      width: 24px;
-      height: 24px;
-      border: 3px solid #e5e7eb;
-      border-top-color: #667eea;
-      border-radius: 50%;
-      animation: spin 1s linear infinite;
-      margin: 0 auto 16px;
-    }
-    @keyframes spin {
-      to { transform: rotate(360deg); }
-    }
-    .redirect-text {
-      color: #9ca3af;
-      font-size: 13px;
-      margin-bottom: 16px;
-    }
-    .manual-link {
-      color: #667eea;
-      text-decoration: none;
-      font-size: 14px;
-    }
-    .manual-link:hover {
-      text-decoration: underline;
-    }
-  </style>
-</head>
-<body>
-  <div class="container">
-    <div class="success-icon">
-      <svg viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
-        <path d="M20 6L9 17L4 12" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"/>
-      </svg>
-    </div>
-    <h1>Successfully Connected!</h1>
-    <p class="message">Your Productive.io credentials have been verified.</p>
-    <div class="spinner"></div>
-    <p class="redirect-text">Redirecting to Claude Desktop...</p>
-    <a href="${escapeHtml(redirectUrl)}" class="manual-link">Click here if not redirected automatically</a>
-  </div>
-  <script>
-    // Redirect after a short delay (backup for meta refresh)
-    setTimeout(function() {
-      window.location.href = ${JSON.stringify(redirectUrl)};
-    }, 2000);
-  <\/script>
-</body>
-</html>`;
-}
-/**
 * Render error page
 */
 function renderErrorPage(message) {
@@ -616,6 +507,7 @@ function renderErrorPage(message) {
 function escapeHtml(str) {
 	return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
 }
+//#endregion
 export { authorizeGetHandler, authorizePostHandler, oauthMetadataHandler, registerHandler, tokenHandler };
 
 //# sourceMappingURL=oauth.js.map

package/dist/oauth.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth.js","names":[],"sources":["../src/oauth.ts"],"sourcesContent":["/**\n * OAuth 2.0 endpoints for Claude Desktop integration\n *\n * Implements OAuth 2.1 with PKCE as specified in the MCP authorization spec.\n * Uses stateless encrypted tokens - no server-side storage required.\n *\n * Spec: https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization\n *\n * Flow:\n * 1. Claude redirects user to /authorize with OAuth params (including PKCE)\n * 2. User enters Productive credentials in login form\n * 3. Server encrypts credentials + PKCE challenge into authorization code\n * 4. Redirects back to Claude with the code\n * 5. Claude exchanges code for access token via /token (with code_verifier)\n * 6. Server validates PKCE and returns access token\n */\n\nimport { defineHandler, getQuery, redirect, type H3Event } from 'h3';\nimport { createHash } from 'node:crypto';\n\nimport { createAuthToken } from './auth.js';\nimport { createAuthCode, decodeAuthCode } from './crypto.js';\n\n/**\n * OAuth metadata for discovery (RFC 8414)\n * GET /.well-known/oauth-authorization-server\n *\n * MCP clients MUST check this endpoint first for server capabilities.\n */\nexport const oauthMetadataHandler = defineHandler((event: H3Event) => {\n  const host = event.req.headers.get('host') || 'localhost:3000';\n  const protocol = event.req.headers.get('x-forwarded-proto') || 'http';\n  const baseUrl = `${protocol}://${host}`;\n\n  event.res.headers.set('Content-Type', 'application/json');\n  event.res.headers.set('Cache-Control', 'public, max-age=3600');\n\n  return {\n    // Required fields per RFC 8414\n    issuer: baseUrl,\n    authorization_endpoint: `${baseUrl}/authorize`,\n    token_endpoint: `${baseUrl}/token`,\n    response_types_supported: ['code'],\n\n    // OAuth 2.1 / MCP requirements\n    grant_types_supported: ['authorization_code', 'refresh_token'],\n    code_challenge_methods_supported: ['S256'],\n    token_endpoint_auth_methods_supported: ['none'], // Public client\n\n    // Optional but useful\n    registration_endpoint: `${baseUrl}/register`,\n    scopes_supported: ['productive'],\n    service_documentation: 'https://github.com/studiometa/productive-tools',\n  };\n});\n\n/**\n * Dynamic Client Registration endpoint (RFC 7591)\n * POST /register\n *\n * MCP servers SHOULD support DCR to allow clients to register automatically.\n * Since we use stateless tokens, we accept any registration and return\n * a generated client_id.\n */\nexport const registerHandler = defineHandler(async (event: H3Event) => {\n  event.res.headers.set('Content-Type', 'application/json');\n\n  let body: Record<string, unknown>;\n  try {\n    body = (await event.req.json()) as Record<string, unknown>;\n  } catch {\n    event.res.status = 400;\n    return {\n      error: 'invalid_request',\n      error_description: 'Invalid JSON body',\n    };\n  }\n\n  // Extract client metadata\n  const clientName = (body.client_name as string) || 'MCP Client';\n  const redirectUris = (body.redirect_uris as string[]) || [];\n\n  // Generate a client_id based on the registration\n  // Since we're stateless, we encode minimal info in the client_id\n  const clientId = Buffer.from(\n    JSON.stringify({\n      name: clientName,\n      ts: Date.now(),\n    }),\n  ).toString('base64url');\n\n  event.res.status = 201;\n  return {\n    client_id: clientId,\n    client_name: clientName,\n    redirect_uris: redirectUris,\n    token_endpoint_auth_method: 'none',\n    grant_types: ['authorization_code', 'refresh_token'],\n    response_types: ['code'],\n  };\n});\n\n/**\n * Authorization endpoint - shows login form\n * GET /authorize\n */\nexport const authorizeGetHandler = defineHandler((event: H3Event) => {\n  const query = getQuery(event);\n\n  // Extract OAuth parameters\n  const clientId = query.client_id as string;\n  const redirectUri = query.redirect_uri as string;\n  const state = query.state as string;\n  const codeChallenge = query.code_challenge as string;\n  const codeChallengeMethod = query.code_challenge_method as string;\n  const scope = query.scope as string;\n\n  // Validate required parameters per OAuth 2.1\n  if (!redirectUri) {\n    event.res.headers.set('Content-Type', 'text/html; charset=utf-8');\n    event.res.status = 400;\n    return renderErrorPage('Missing required parameter: redirect_uri');\n  }\n\n  // PKCE is REQUIRED for public clients per MCP spec\n  if (!codeChallenge) {\n    // Redirect back with error per OAuth spec\n    const errorUrl = new URL(redirectUri);\n    errorUrl.searchParams.set('error', 'invalid_request');\n    errorUrl.searchParams.set('error_description', 'code_challenge is required');\n    if (state) errorUrl.searchParams.set('state', state);\n    return redirect(errorUrl.toString());\n  }\n\n  if (codeChallengeMethod && codeChallengeMethod !== 'S256') {\n    const errorUrl = new URL(redirectUri);\n    errorUrl.searchParams.set('error', 'invalid_request');\n    errorUrl.searchParams.set('error_description', 'Only S256 code_challenge_method is supported');\n    if (state) errorUrl.searchParams.set('state', state);\n    return redirect(errorUrl.toString());\n  }\n\n  event.res.headers.set('Content-Type', 'text/html; charset=utf-8');\n\n  // Render login form\n  return renderLoginForm({\n    clientId,\n    redirectUri,\n    state,\n    codeChallenge,\n    codeChallengeMethod: codeChallengeMethod || 'S256',\n    scope,\n  });\n});\n\n/**\n * Authorization endpoint - process login\n * POST /authorize\n */\nexport const authorizePostHandler = defineHandler(async (event: H3Event) => {\n  const formData = await event.req.formData();\n  const body = Object.fromEntries(formData.entries()) as Record<string, string>;\n\n  const { orgId, apiToken, userId, redirectUri, state, codeChallenge, codeChallengeMethod } = body;\n\n  // Validate redirect URI first (security requirement)\n  if (!redirectUri) {\n    event.res.headers.set('Content-Type', 'text/html; charset=utf-8');\n    event.res.status = 400;\n    return renderErrorPage('Missing redirect_uri parameter');\n  }\n\n  // Validate redirect URI format (must be HTTPS or localhost)\n  try {\n    const uri = new URL(redirectUri);\n    const isLocalhost = uri.hostname === 'localhost' || uri.hostname === '127.0.0.1';\n    const isHttps = uri.protocol === 'https:';\n    if (!isLocalhost && !isHttps) {\n      event.res.status = 400;\n      return renderErrorPage('redirect_uri must be HTTPS or localhost');\n    }\n  } catch {\n    event.res.status = 400;\n    return renderErrorPage('Invalid redirect_uri format');\n  }\n\n  // Validate required credentials\n  if (!orgId || !apiToken) {\n    event.res.headers.set('Content-Type', 'text/html; charset=utf-8');\n    return renderLoginForm({\n      redirectUri,\n      state,\n      codeChallenge,\n      codeChallengeMethod,\n      error: 'Organization ID and API Token are required',\n    });\n  }\n\n  // Create encrypted authorization code with PKCE challenge\n  const code = createAuthCode({\n    orgId,\n    apiToken,\n    userId: userId || undefined,\n    codeChallenge,\n    codeChallengeMethod: codeChallengeMethod || 'S256',\n  });\n\n  // Build redirect URL with authorization code\n  const redirectUrl = new URL(redirectUri);\n  redirectUrl.searchParams.set('code', code);\n  if (state) {\n    redirectUrl.searchParams.set('state', state);\n  }\n\n  // Show success page with auto-redirect\n  event.res.headers.set('Content-Type', 'text/html; charset=utf-8');\n  return renderSuccessPage(redirectUrl.toString());\n});\n\n/**\n * Token endpoint - exchange code for access token\n * POST /token\n *\n * Supports:\n * - authorization_code grant (with PKCE validation)\n * - refresh_token grant\n */\nexport const tokenHandler = defineHandler(async (event: H3Event) => {\n  event.res.headers.set('Content-Type', 'application/json');\n\n  let body: Record<string, string>;\n  const contentType = event.req.headers.get('content-type') || '';\n\n  if (contentType.includes('application/x-www-form-urlencoded')) {\n    const rawText = await event.req.text();\n    body = Object.fromEntries(new URLSearchParams(rawText));\n  } else {\n    body = (await event.req.json()) as Record<string, string>;\n  }\n\n  const { grant_type, code, code_verifier, refresh_token } = body;\n\n  // Handle refresh token grant\n  if (grant_type === 'refresh_token') {\n    return handleRefreshToken(event, refresh_token);\n  }\n\n  // Validate authorization code grant\n  if (grant_type !== 'authorization_code') {\n    event.res.status = 400;\n    return {\n      error: 'unsupported_grant_type',\n      error_description: 'Supported grant types: authorization_code, refresh_token',\n    };\n  }\n\n  if (!code) {\n    event.res.status = 400;\n    return {\n      error: 'invalid_request',\n      error_description: 'Missing authorization code',\n    };\n  }\n\n  if (!code_verifier) {\n    event.res.status = 400;\n    return {\n      error: 'invalid_request',\n      error_description: 'Missing code_verifier (PKCE required)',\n    };\n  }\n\n  try {\n    // Decode the authorization code\n    const payload = decodeAuthCode(code);\n\n    // Validate PKCE: SHA256(code_verifier) must equal code_challenge\n    if (payload.codeChallenge) {\n      const expectedChallenge = createS256Challenge(code_verifier);\n      if (expectedChallenge !== payload.codeChallenge) {\n        event.res.status = 400;\n        return {\n          error: 'invalid_grant',\n          error_description: 'Invalid code_verifier',\n        };\n      }\n    }\n\n    // Create access token (base64 encoded credentials)\n    const accessToken = createAuthToken({\n      organizationId: payload.orgId,\n      apiToken: payload.apiToken,\n      userId: payload.userId,\n    });\n\n    // Create refresh token (encrypted credentials, longer expiry)\n    const refreshToken = createAuthCode(\n      {\n        orgId: payload.orgId,\n        apiToken: payload.apiToken,\n        userId: payload.userId,\n      },\n      86400 * 30, // 30 days\n    );\n\n    return {\n      access_token: accessToken,\n      token_type: 'Bearer',\n      expires_in: 3600, // 1 hour (access tokens should be short-lived)\n      refresh_token: refreshToken,\n    };\n  } catch (error) {\n    event.res.status = 400;\n    return {\n      error: 'invalid_grant',\n      error_description: error instanceof Error ? error.message : 'Invalid authorization code',\n    };\n  }\n});\n\n/**\n * Handle refresh token grant\n */\nfunction handleRefreshToken(event: H3Event, refreshToken: string | undefined) {\n  if (!refreshToken) {\n    event.res.status = 400;\n    return {\n      error: 'invalid_request',\n      error_description: 'Missing refresh_token',\n    };\n  }\n\n  try {\n    // Decode refresh token (it's just an encrypted auth code with longer expiry)\n    const payload = decodeAuthCode(refreshToken);\n\n    // Create new access token\n    const accessToken = createAuthToken({\n      organizationId: payload.orgId,\n      apiToken: payload.apiToken,\n      userId: payload.userId,\n    });\n\n    // Create new refresh token (rotate for security)\n    const newRefreshToken = createAuthCode(\n      {\n        orgId: payload.orgId,\n        apiToken: payload.apiToken,\n        userId: payload.userId,\n      },\n      86400 * 30, // 30 days\n    );\n\n    return {\n      access_token: accessToken,\n      token_type: 'Bearer',\n      expires_in: 3600,\n      refresh_token: newRefreshToken,\n    };\n  } catch (error) {\n    event.res.status = 400;\n    return {\n      error: 'invalid_grant',\n      error_description: error instanceof Error ? error.message : 'Invalid refresh token',\n    };\n  }\n}\n\n/**\n * Create S256 PKCE challenge from verifier\n * SHA256(code_verifier) encoded as base64url\n */\nfunction createS256Challenge(codeVerifier: string): string {\n  return createHash('sha256').update(codeVerifier).digest('base64url');\n}\n\n/**\n * Render the login form HTML\n */\nfunction renderLoginForm(params: {\n  clientId?: string;\n  redirectUri?: string;\n  state?: string;\n  codeChallenge?: string;\n  codeChallengeMethod?: string;\n  scope?: string;\n  error?: string;\n}): string {\n  const { redirectUri, state, codeChallenge, codeChallengeMethod, error } = params;\n\n  return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"UTF-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n  <title>Connect to Productive.io</title>\n  <style>\n    * {\n      box-sizing: border-box;\n      margin: 0;\n      padding: 0;\n    }\n    body {\n      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;\n      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);\n      min-height: 100vh;\n      display: flex;\n      align-items: center;\n      justify-content: center;\n      padding: 20px;\n    }\n    .container {\n      background: white;\n      border-radius: 16px;\n      box-shadow: 0 20px 60px rgba(0, 0, 0, 0.3);\n      padding: 40px;\n      width: 100%;\n      max-width: 420px;\n    }\n    .logo {\n      text-align: center;\n      margin-bottom: 24px;\n    }\n    .logo svg {\n      width: 48px;\n      height: 48px;\n    }\n    h1 {\n      text-align: center;\n      color: #1a1a2e;\n      font-size: 24px;\n      margin-bottom: 8px;\n    }\n    .subtitle {\n      text-align: center;\n      color: #666;\n      font-size: 14px;\n      margin-bottom: 32px;\n    }\n    .error {\n      background: #fee2e2;\n      border: 1px solid #fecaca;\n      color: #dc2626;\n      padding: 12px 16px;\n      border-radius: 8px;\n      margin-bottom: 24px;\n      font-size: 14px;\n    }\n    .form-group {\n      margin-bottom: 20px;\n    }\n    label {\n      display: block;\n      font-size: 14px;\n      font-weight: 500;\n      color: #374151;\n      margin-bottom: 6px;\n    }\n    input {\n      width: 100%;\n      padding: 12px 16px;\n      border: 1px solid #d1d5db;\n      border-radius: 8px;\n      font-size: 16px;\n      transition: border-color 0.2s, box-shadow 0.2s;\n    }\n    input:focus {\n      outline: none;\n      border-color: #667eea;\n      box-shadow: 0 0 0 3px rgba(102, 126, 234, 0.2);\n    }\n    input::placeholder {\n      color: #9ca3af;\n    }\n    .help-text {\n      font-size: 12px;\n      color: #6b7280;\n      margin-top: 4px;\n    }\n    button {\n      width: 100%;\n      padding: 14px 24px;\n      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);\n      color: white;\n      border: none;\n      border-radius: 8px;\n      font-size: 16px;\n      font-weight: 600;\n      cursor: pointer;\n      transition: transform 0.2s, box-shadow 0.2s;\n    }\n    button:hover {\n      transform: translateY(-1px);\n      box-shadow: 0 4px 12px rgba(102, 126, 234, 0.4);\n    }\n    button:active {\n      transform: translateY(0);\n    }\n    .footer {\n      text-align: center;\n      margin-top: 24px;\n      font-size: 12px;\n      color: #9ca3af;\n    }\n    .footer a {\n      color: #667eea;\n      text-decoration: none;\n    }\n    .footer a:hover {\n      text-decoration: underline;\n    }\n  </style>\n</head>\n<body>\n  <div class=\"container\">\n    <div class=\"logo\">\n      <svg viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\">\n        <path d=\"M12 2L2 7L12 12L22 7L12 2Z\" stroke=\"#667eea\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"/>\n        <path d=\"M2 17L12 22L22 17\" stroke=\"#764ba2\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"/>\n        <path d=\"M2 12L12 17L22 12\" stroke=\"#667eea\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"/>\n      </svg>\n    </div>\n    <h1>Connect to Productive.io</h1>\n    <p class=\"subtitle\">Enter your Productive.io credentials to connect with Claude</p>\n    \n    ${error ? `<div class=\"error\">${escapeHtml(error)}</div>` : ''}\n    \n    <form method=\"POST\" action=\"/authorize\">\n      <input type=\"hidden\" name=\"redirectUri\" value=\"${escapeHtml(redirectUri || '')}\">\n      <input type=\"hidden\" name=\"state\" value=\"${escapeHtml(state || '')}\">\n      <input type=\"hidden\" name=\"codeChallenge\" value=\"${escapeHtml(codeChallenge || '')}\">\n      <input type=\"hidden\" name=\"codeChallengeMethod\" value=\"${escapeHtml(codeChallengeMethod || 'S256')}\">\n      \n      <div class=\"form-group\">\n        <label for=\"orgId\">Organization ID *</label>\n        <input type=\"text\" id=\"orgId\" name=\"orgId\" required placeholder=\"e.g., 12345\">\n        <p class=\"help-text\">Found in Settings → API integrations</p>\n      </div>\n      \n      <div class=\"form-group\">\n        <label for=\"apiToken\">API Token *</label>\n        <input type=\"password\" id=\"apiToken\" name=\"apiToken\" required placeholder=\"pk_...\">\n        <p class=\"help-text\">Generate at Settings → API integrations → Generate new token</p>\n      </div>\n      \n      <div class=\"form-group\">\n        <label for=\"userId\">User ID (optional)</label>\n        <input type=\"text\" id=\"userId\" name=\"userId\" placeholder=\"e.g., 67890\">\n        <p class=\"help-text\">Required for creating time entries. Found in your profile URL.</p>\n      </div>\n      \n      <button type=\"submit\">Connect to Productive</button>\n    </form>\n    \n    <p class=\"footer\">\n      Your credentials are encrypted and sent directly to Claude.<br>\n      <a href=\"https://developer.productive.io\" target=\"_blank\">Productive.io API Documentation</a>\n    </p>\n  </div>\n</body>\n</html>`;\n}\n\n/**\n * Render success page with auto-redirect\n */\nfunction renderSuccessPage(redirectUrl: string): string {\n  return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"UTF-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n  <meta http-equiv=\"refresh\" content=\"2;url=${escapeHtml(redirectUrl)}\">\n  <title>Connected - Productive MCP</title>\n  <style>\n    * {\n      box-sizing: border-box;\n      margin: 0;\n      padding: 0;\n    }\n    body {\n      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;\n      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);\n      min-height: 100vh;\n      display: flex;\n      align-items: center;\n      justify-content: center;\n      padding: 20px;\n    }\n    .container {\n      background: white;\n      border-radius: 16px;\n      box-shadow: 0 20px 60px rgba(0, 0, 0, 0.3);\n      padding: 40px;\n      width: 100%;\n      max-width: 420px;\n      text-align: center;\n    }\n    .success-icon {\n      width: 64px;\n      height: 64px;\n      margin: 0 auto 24px;\n      background: linear-gradient(135deg, #10b981 0%, #059669 100%);\n      border-radius: 50%;\n      display: flex;\n      align-items: center;\n      justify-content: center;\n    }\n    .success-icon svg {\n      width: 32px;\n      height: 32px;\n      stroke: white;\n    }\n    h1 {\n      color: #1a1a2e;\n      font-size: 24px;\n      margin-bottom: 8px;\n    }\n    .message {\n      color: #666;\n      font-size: 14px;\n      margin-bottom: 24px;\n    }\n    .spinner {\n      width: 24px;\n      height: 24px;\n      border: 3px solid #e5e7eb;\n      border-top-color: #667eea;\n      border-radius: 50%;\n      animation: spin 1s linear infinite;\n      margin: 0 auto 16px;\n    }\n    @keyframes spin {\n      to { transform: rotate(360deg); }\n    }\n    .redirect-text {\n      color: #9ca3af;\n      font-size: 13px;\n      margin-bottom: 16px;\n    }\n    .manual-link {\n      color: #667eea;\n      text-decoration: none;\n      font-size: 14px;\n    }\n    .manual-link:hover {\n      text-decoration: underline;\n    }\n  </style>\n</head>\n<body>\n  <div class=\"container\">\n    <div class=\"success-icon\">\n      <svg viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\">\n        <path d=\"M20 6L9 17L4 12\" stroke-width=\"2.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"/>\n      </svg>\n    </div>\n    <h1>Successfully Connected!</h1>\n    <p class=\"message\">Your Productive.io credentials have been verified.</p>\n    <div class=\"spinner\"></div>\n    <p class=\"redirect-text\">Redirecting to Claude Desktop...</p>\n    <a href=\"${escapeHtml(redirectUrl)}\" class=\"manual-link\">Click here if not redirected automatically</a>\n  </div>\n  <script>\n    // Redirect after a short delay (backup for meta refresh)\n    setTimeout(function() {\n      window.location.href = ${JSON.stringify(redirectUrl)};\n    }, 2000);\n  </script>\n</body>\n</html>`;\n}\n\n/**\n * Render error page\n */\nfunction renderErrorPage(message: string): string {\n  return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"UTF-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n  <title>Error - Productive MCP</title>\n  <style>\n    body {\n      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;\n      background: #f3f4f6;\n      min-height: 100vh;\n      display: flex;\n      align-items: center;\n      justify-content: center;\n      padding: 20px;\n    }\n    .container {\n      background: white;\n      border-radius: 16px;\n      box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);\n      padding: 40px;\n      text-align: center;\n      max-width: 400px;\n    }\n    h1 {\n      color: #dc2626;\n      margin-bottom: 16px;\n    }\n    p {\n      color: #6b7280;\n    }\n  </style>\n</head>\n<body>\n  <div class=\"container\">\n    <h1>Error</h1>\n    <p>${escapeHtml(message)}</p>\n  </div>\n</body>\n</html>`;\n}\n\n/**\n * Escape HTML special characters\n */\nfunction escapeHtml(str: string): string {\n  return str\n    .replace(/&/g, '&amp;')\n    .replace(/</g, '&lt;')\n    .replace(/>/g, '&gt;')\n    .replace(/\"/g, '&quot;')\n    .replace(/'/g, '&#039;');\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AA6BA,MAAa,uBAAuB,eAAe,UAAmB;CACpE,MAAM,OAAO,MAAM,IAAI,QAAQ,IAAI,OAAO,IAAI;CAE9C,MAAM,UAAU,GADC,MAAM,IAAI,QAAQ,IAAI,oBAAoB,IAAI,OACnC,KAAK;AAEjC,OAAM,IAAI,QAAQ,IAAI,gBAAgB,mBAAmB;AACzD,OAAM,IAAI,QAAQ,IAAI,iBAAiB,uBAAuB;AAE9D,QAAO;EAEL,QAAQ;EACR,wBAAwB,GAAG,QAAQ;EACnC,gBAAgB,GAAG,QAAQ;EAC3B,0BAA0B,CAAC,OAAO;EAGlC,uBAAuB,CAAC,sBAAsB,gBAAgB;EAC9D,kCAAkC,CAAC,OAAO;EAC1C,uCAAuC,CAAC,OAAO;EAG/C,uBAAuB,GAAG,QAAQ;EAClC,kBAAkB,CAAC,aAAa;EAChC,uBAAuB;EACxB;EACD;;;;;;;;;AAUF,MAAa,kBAAkB,cAAc,OAAO,UAAmB;AACrE,OAAM,IAAI,QAAQ,IAAI,gBAAgB,mBAAmB;CAEzD,IAAI;AACJ,KAAI;AACF,SAAQ,MAAM,MAAM,IAAI,MAAM;SACxB;AACN,QAAM,IAAI,SAAS;AACnB,SAAO;GACL,OAAO;GACP,mBAAmB;GACpB;;CAIH,MAAM,aAAc,KAAK,eAA0B;CACnD,MAAM,eAAgB,KAAK,iBAA8B,EAAE;CAI3D,MAAM,WAAW,OAAO,KACtB,KAAK,UAAU;EACb,MAAM;EACN,IAAI,KAAK,KAAK;EACf,CAAC,CACH,CAAC,SAAS,YAAY;AAEvB,OAAM,IAAI,SAAS;AACnB,QAAO;EACL,WAAW;EACX,aAAa;EACb,eAAe;EACf,4BAA4B;EAC5B,aAAa,CAAC,sBAAsB,gBAAgB;EACpD,gBAAgB,CAAC,OAAO;EACzB;EACD;;;;;AAMF,MAAa,sBAAsB,eAAe,UAAmB;CACnE,MAAM,QAAQ,SAAS,MAAM;CAG7B,MAAM,WAAW,MAAM;CACvB,MAAM,cAAc,MAAM;CAC1B,MAAM,QAAQ,MAAM;CACpB,MAAM,gBAAgB,MAAM;CAC5B,MAAM,sBAAsB,MAAM;CAClC,MAAM,QAAQ,MAAM;AAGpB,KAAI,CAAC,aAAa;AAChB,QAAM,IAAI,QAAQ,IAAI,gBAAgB,2BAA2B;AACjE,QAAM,IAAI,SAAS;AACnB,SAAO,gBAAgB,2CAA2C;;AAIpE,KAAI,CAAC,eAAe;EAElB,MAAM,WAAW,IAAI,IAAI,YAAY;AACrC,WAAS,aAAa,IAAI,SAAS,kBAAkB;AACrD,WAAS,aAAa,IAAI,qBAAqB,6BAA6B;AAC5E,MAAI,MAAO,UAAS,aAAa,IAAI,SAAS,MAAM;AACpD,SAAO,SAAS,SAAS,UAAU,CAAC;;AAGtC,KAAI,uBAAuB,wBAAwB,QAAQ;EACzD,MAAM,WAAW,IAAI,IAAI,YAAY;AACrC,WAAS,aAAa,IAAI,SAAS,kBAAkB;AACrD,WAAS,aAAa,IAAI,qBAAqB,+CAA+C;AAC9F,MAAI,MAAO,UAAS,aAAa,IAAI,SAAS,MAAM;AACpD,SAAO,SAAS,SAAS,UAAU,CAAC;;AAGtC,OAAM,IAAI,QAAQ,IAAI,gBAAgB,2BAA2B;AAGjE,QAAO,gBAAgB;EACrB;EACA;EACA;EACA;EACA,qBAAqB,uBAAuB;EAC5C;EACD,CAAC;EACF;;;;;AAMF,MAAa,uBAAuB,cAAc,OAAO,UAAmB;CAC1E,MAAM,WAAW,MAAM,MAAM,IAAI,UAAU;CAG3C,MAAM,EAAE,OAAO,UAAU,QAAQ,aAAa,OAAO,eAAe,wBAFvD,OAAO,YAAY,SAAS,SAAS,CAAC;AAKnD,KAAI,CAAC,aAAa;AAChB,QAAM,IAAI,QAAQ,IAAI,gBAAgB,2BAA2B;AACjE,QAAM,IAAI,SAAS;AACnB,SAAO,gBAAgB,iCAAiC;;AAI1D,KAAI;EACF,MAAM,MAAM,IAAI,IAAI,YAAY;EAChC,MAAM,cAAc,IAAI,aAAa,eAAe,IAAI,aAAa;EACrE,MAAM,UAAU,IAAI,aAAa;AACjC,MAAI,CAAC,eAAe,CAAC,SAAS;AAC5B,SAAM,IAAI,SAAS;AACnB,UAAO,gBAAgB,0CAA0C;;SAE7D;AACN,QAAM,IAAI,SAAS;AACnB,SAAO,gBAAgB,8BAA8B;;AAIvD,KAAI,CAAC,SAAS,CAAC,UAAU;AACvB,QAAM,IAAI,QAAQ,IAAI,gBAAgB,2BAA2B;AACjE,SAAO,gBAAgB;GACrB;GACA;GACA;GACA;GACA,OAAO;GACR,CAAC;;CAIJ,MAAM,OAAO,eAAe;EAC1B;EACA;EACA,QAAQ,UAAU,KAAA;EAClB;EACA,qBAAqB,uBAAuB;EAC7C,CAAC;CAGF,MAAM,cAAc,IAAI,IAAI,YAAY;AACxC,aAAY,aAAa,IAAI,QAAQ,KAAK;AAC1C,KAAI,MACF,aAAY,aAAa,IAAI,SAAS,MAAM;AAI9C,OAAM,IAAI,QAAQ,IAAI,gBAAgB,2BAA2B;AACjE,QAAO,kBAAkB,YAAY,UAAU,CAAC;EAChD;;;;;;;;;AAUF,MAAa,eAAe,cAAc,OAAO,UAAmB;AAClE,OAAM,IAAI,QAAQ,IAAI,gBAAgB,mBAAmB;CAEzD,IAAI;AAGJ,MAFoB,MAAM,IAAI,QAAQ,IAAI,eAAe,IAAI,IAE7C,SAAS,oCAAoC,EAAE;EAC7D,MAAM,UAAU,MAAM,MAAM,IAAI,MAAM;AACtC,SAAO,OAAO,YAAY,IAAI,gBAAgB,QAAQ,CAAC;OAEvD,QAAQ,MAAM,MAAM,IAAI,MAAM;CAGhC,MAAM,EAAE,YAAY,MAAM,eAAe,kBAAkB;AAG3D,KAAI,eAAe,gBACjB,QAAO,mBAAmB,OAAO,cAAc;AAIjD,KAAI,eAAe,sBAAsB;AACvC,QAAM,IAAI,SAAS;AACnB,SAAO;GACL,OAAO;GACP,mBAAmB;GACpB;;AAGH,KAAI,CAAC,MAAM;AACT,QAAM,IAAI,SAAS;AACnB,SAAO;GACL,OAAO;GACP,mBAAmB;GACpB;;AAGH,KAAI,CAAC,eAAe;AAClB,QAAM,IAAI,SAAS;AACnB,SAAO;GACL,OAAO;GACP,mBAAmB;GACpB;;AAGH,KAAI;EAEF,MAAM,UAAU,eAAe,KAAK;AAGpC,MAAI,QAAQ;OACgB,oBAAoB,cAAc,KAClC,QAAQ,eAAe;AAC/C,UAAM,IAAI,SAAS;AACnB,WAAO;KACL,OAAO;KACP,mBAAmB;KACpB;;;AAqBL,SAAO;GACL,cAjBkB,gBAAgB;IAClC,gBAAgB,QAAQ;IACxB,UAAU,QAAQ;IAClB,QAAQ,QAAQ;IACjB,CAAC;GAcA,YAAY;GACZ,YAAY;GACZ,eAbmB,eACnB;IACE,OAAO,QAAQ;IACf,UAAU,QAAQ;IAClB,QAAQ,QAAQ;IACjB,EACD,QAAQ,GACT;GAOA;UACM,OAAO;AACd,QAAM,IAAI,SAAS;AACnB,SAAO;GACL,OAAO;GACP,mBAAmB,iBAAiB,QAAQ,MAAM,UAAU;GAC7D;;EAEH;;;;AAKF,SAAS,mBAAmB,OAAgB,cAAkC;AAC5E,KAAI,CAAC,cAAc;AACjB,QAAM,IAAI,SAAS;AACnB,SAAO;GACL,OAAO;GACP,mBAAmB;GACpB;;AAGH,KAAI;EAEF,MAAM,UAAU,eAAe,aAAa;AAmB5C,SAAO;GACL,cAjBkB,gBAAgB;IAClC,gBAAgB,QAAQ;IACxB,UAAU,QAAQ;IAClB,QAAQ,QAAQ;IACjB,CAAC;GAcA,YAAY;GACZ,YAAY;GACZ,eAbsB,eACtB;IACE,OAAO,QAAQ;IACf,UAAU,QAAQ;IAClB,QAAQ,QAAQ;IACjB,EACD,QAAQ,GACT;GAOA;UACM,OAAO;AACd,QAAM,IAAI,SAAS;AACnB,SAAO;GACL,OAAO;GACP,mBAAmB,iBAAiB,QAAQ,MAAM,UAAU;GAC7D;;;;;;;AAQL,SAAS,oBAAoB,cAA8B;AACzD,QAAO,WAAW,SAAS,CAAC,OAAO,aAAa,CAAC,OAAO,YAAY;;;;;AAMtE,SAAS,gBAAgB,QAQd;CACT,MAAM,EAAE,aAAa,OAAO,eAAe,qBAAqB,UAAU;AAE1E,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;MAuIH,QAAQ,sBAAsB,WAAW,MAAM,CAAC,UAAU,GAAG;;;uDAGZ,WAAW,eAAe,GAAG,CAAC;iDACpC,WAAW,SAAS,GAAG,CAAC;yDAChB,WAAW,iBAAiB,GAAG,CAAC;+DAC1B,WAAW,uBAAuB,OAAO,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmCzG,SAAS,kBAAkB,aAA6B;AACtD,QAAO;;;;;8CAKqC,WAAW,YAAY,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;eAyFvD,WAAW,YAAY,CAAC;;;;;+BAKR,KAAK,UAAU,YAAY,CAAC;;;;;;;;;AAU3D,SAAS,gBAAgB,SAAyB;AAChD,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;SAoCA,WAAW,QAAQ,CAAC;;;;;;;;AAS7B,SAAS,WAAW,KAAqB;AACvC,QAAO,IACJ,QAAQ,MAAM,QAAQ,CACtB,QAAQ,MAAM,OAAO,CACrB,QAAQ,MAAM,OAAO,CACrB,QAAQ,MAAM,SAAS,CACvB,QAAQ,MAAM,SAAS"}
+{"version":3,"file":"oauth.js","names":[],"sources":["../src/oauth.ts"],"sourcesContent":["/**\n * OAuth 2.0 endpoints for Claude Desktop integration\n *\n * Implements OAuth 2.1 with PKCE as specified in the MCP authorization spec.\n * Uses stateless encrypted tokens - no server-side storage required.\n *\n * Spec: https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization\n *\n * Flow:\n * 1. Claude redirects user to /authorize with OAuth params (including PKCE)\n * 2. User enters Productive credentials in login form\n * 3. Server encrypts credentials + PKCE challenge into authorization code\n * 4. Redirects back to Claude with the code\n * 5. Claude exchanges code for access token via /token (with code_verifier)\n * 6. Server validates PKCE and returns access token\n */\n\nimport { defineHandler, getQuery, redirect, type H3Event } from 'h3';\nimport { createHash } from 'node:crypto';\n\nimport { createAuthToken } from './auth.js';\nimport { createAuthCode, decodeAuthCode } from './crypto.js';\n\n/**\n * OAuth metadata for discovery (RFC 8414)\n * GET /.well-known/oauth-authorization-server\n *\n * MCP clients MUST check this endpoint first for server capabilities.\n */\nexport const oauthMetadataHandler = defineHandler((event: H3Event) => {\n  const host = event.req.headers.get('host') || 'localhost:3000';\n  const protocol = event.req.headers.get('x-forwarded-proto') || 'http';\n  const baseUrl = `${protocol}://${host}`;\n\n  event.res.headers.set('Content-Type', 'application/json');\n  event.res.headers.set('Cache-Control', 'public, max-age=3600');\n\n  return {\n    // Required fields per RFC 8414\n    issuer: baseUrl,\n    authorization_endpoint: `${baseUrl}/authorize`,\n    token_endpoint: `${baseUrl}/token`,\n    response_types_supported: ['code'],\n\n    // OAuth 2.1 / MCP requirements\n    grant_types_supported: ['authorization_code', 'refresh_token'],\n    code_challenge_methods_supported: ['S256'],\n    token_endpoint_auth_methods_supported: ['none'], // Public client\n\n    // Optional but useful\n    registration_endpoint: `${baseUrl}/register`,\n    scopes_supported: ['productive'],\n    service_documentation: 'https://github.com/studiometa/productive-tools',\n  };\n});\n\n/**\n * Dynamic Client Registration endpoint (RFC 7591)\n * POST /register\n *\n * MCP servers SHOULD support DCR to allow clients to register automatically.\n * Since we use stateless tokens, we accept any registration and return\n * a generated client_id.\n */\nexport const registerHandler = defineHandler(async (event: H3Event) => {\n  event.res.headers.set('Content-Type', 'application/json');\n\n  let body: Record<string, unknown>;\n  try {\n    body = (await event.req.json()) as Record<string, unknown>;\n  } catch {\n    event.res.status = 400;\n    return {\n      error: 'invalid_request',\n      error_description: 'Invalid JSON body',\n    };\n  }\n\n  // Extract client metadata\n  const clientName = (body.client_name as string) || 'MCP Client';\n  const redirectUris = (body.redirect_uris as string[]) || [];\n\n  // Generate a client_id based on the registration\n  // Since we're stateless, we encode minimal info in the client_id\n  const clientId = Buffer.from(\n    JSON.stringify({\n      name: clientName,\n      ts: Date.now(),\n    }),\n  ).toString('base64url');\n\n  event.res.status = 201;\n  return {\n    client_id: clientId,\n    client_name: clientName,\n    redirect_uris: redirectUris,\n    token_endpoint_auth_method: 'none',\n    grant_types: ['authorization_code', 'refresh_token'],\n    response_types: ['code'],\n  };\n});\n\n/**\n * Authorization endpoint - shows login form\n * GET /authorize\n */\nexport const authorizeGetHandler = defineHandler((event: H3Event) => {\n  const query = getQuery(event);\n\n  // Extract OAuth parameters\n  const clientId = query.client_id as string;\n  const redirectUri = query.redirect_uri as string;\n  const state = query.state as string;\n  const codeChallenge = query.code_challenge as string;\n  const codeChallengeMethod = query.code_challenge_method as string;\n  const scope = query.scope as string;\n\n  // Validate required parameters per OAuth 2.1\n  if (!redirectUri) {\n    event.res.headers.set('Content-Type', 'text/html; charset=utf-8');\n    event.res.status = 400;\n    return renderErrorPage('Missing required parameter: redirect_uri');\n  }\n\n  // PKCE is REQUIRED for public clients per MCP spec\n  if (!codeChallenge) {\n    // Redirect back with error per OAuth spec\n    const errorUrl = new URL(redirectUri);\n    errorUrl.searchParams.set('error', 'invalid_request');\n    errorUrl.searchParams.set('error_description', 'code_challenge is required');\n    if (state) errorUrl.searchParams.set('state', state);\n    return redirect(errorUrl.toString());\n  }\n\n  if (codeChallengeMethod && codeChallengeMethod !== 'S256') {\n    const errorUrl = new URL(redirectUri);\n    errorUrl.searchParams.set('error', 'invalid_request');\n    errorUrl.searchParams.set('error_description', 'Only S256 code_challenge_method is supported');\n    if (state) errorUrl.searchParams.set('state', state);\n    return redirect(errorUrl.toString());\n  }\n\n  event.res.headers.set('Content-Type', 'text/html; charset=utf-8');\n\n  // Render login form\n  return renderLoginForm({\n    clientId,\n    redirectUri,\n    state,\n    codeChallenge,\n    codeChallengeMethod: codeChallengeMethod || 'S256',\n    scope,\n  });\n});\n\n/**\n * Authorization endpoint - process login\n * POST /authorize\n */\nexport const authorizePostHandler = defineHandler(async (event: H3Event) => {\n  const formData = await event.req.formData();\n  const body = Object.fromEntries(formData.entries()) as Record<string, string>;\n\n  const { orgId, apiToken, userId, redirectUri, state, codeChallenge, codeChallengeMethod } = body;\n\n  // Validate redirect URI first (security requirement)\n  if (!redirectUri) {\n    event.res.headers.set('Content-Type', 'text/html; charset=utf-8');\n    event.res.status = 400;\n    return renderErrorPage('Missing redirect_uri parameter');\n  }\n\n  // Validate redirect URI format (must be HTTPS or localhost)\n  try {\n    const uri = new URL(redirectUri);\n    const isLocalhost = uri.hostname === 'localhost' || uri.hostname === '127.0.0.1';\n    const isHttps = uri.protocol === 'https:';\n    if (!isLocalhost && !isHttps) {\n      event.res.status = 400;\n      return renderErrorPage('redirect_uri must be HTTPS or localhost');\n    }\n  } catch {\n    event.res.status = 400;\n    return renderErrorPage('Invalid redirect_uri format');\n  }\n\n  // Validate required credentials\n  if (!orgId || !apiToken) {\n    event.res.headers.set('Content-Type', 'text/html; charset=utf-8');\n    return renderLoginForm({\n      redirectUri,\n      state,\n      codeChallenge,\n      codeChallengeMethod,\n      error: 'Organization ID and API Token are required',\n    });\n  }\n\n  // Create encrypted authorization code with PKCE challenge\n  const code = createAuthCode({\n    orgId,\n    apiToken,\n    userId: userId || undefined,\n    codeChallenge,\n    codeChallengeMethod: codeChallengeMethod || 'S256',\n  });\n\n  // Build redirect URL with authorization code\n  const redirectUrl = new URL(redirectUri);\n  redirectUrl.searchParams.set('code', code);\n  if (state) {\n    redirectUrl.searchParams.set('state', state);\n  }\n\n  // Redirect back to the OAuth client with the authorization code.\n  // Strict OAuth clients may not follow HTML/meta-refresh or JavaScript redirects.\n  return redirect(redirectUrl.toString());\n});\n\n/**\n * Token endpoint - exchange code for access token\n * POST /token\n *\n * Supports:\n * - authorization_code grant (with PKCE validation)\n * - refresh_token grant\n */\nexport const tokenHandler = defineHandler(async (event: H3Event) => {\n  event.res.headers.set('Content-Type', 'application/json');\n\n  let body: Record<string, string>;\n  const contentType = event.req.headers.get('content-type') || '';\n\n  if (contentType.includes('application/x-www-form-urlencoded')) {\n    const rawText = await event.req.text();\n    body = Object.fromEntries(new URLSearchParams(rawText));\n  } else {\n    body = (await event.req.json()) as Record<string, string>;\n  }\n\n  const { grant_type, code, code_verifier, refresh_token } = body;\n\n  // Handle refresh token grant\n  if (grant_type === 'refresh_token') {\n    return handleRefreshToken(event, refresh_token);\n  }\n\n  // Validate authorization code grant\n  if (grant_type !== 'authorization_code') {\n    event.res.status = 400;\n    return {\n      error: 'unsupported_grant_type',\n      error_description: 'Supported grant types: authorization_code, refresh_token',\n    };\n  }\n\n  if (!code) {\n    event.res.status = 400;\n    return {\n      error: 'invalid_request',\n      error_description: 'Missing authorization code',\n    };\n  }\n\n  if (!code_verifier) {\n    event.res.status = 400;\n    return {\n      error: 'invalid_request',\n      error_description: 'Missing code_verifier (PKCE required)',\n    };\n  }\n\n  try {\n    // Decode the authorization code\n    const payload = decodeAuthCode(code);\n\n    // Validate PKCE: SHA256(code_verifier) must equal code_challenge\n    if (payload.codeChallenge) {\n      const expectedChallenge = createS256Challenge(code_verifier);\n      if (expectedChallenge !== payload.codeChallenge) {\n        event.res.status = 400;\n        return {\n          error: 'invalid_grant',\n          error_description: 'Invalid code_verifier',\n        };\n      }\n    }\n\n    // Create access token (base64 encoded credentials)\n    const accessToken = createAuthToken({\n      organizationId: payload.orgId,\n      apiToken: payload.apiToken,\n      userId: payload.userId,\n    });\n\n    // Create refresh token (encrypted credentials, longer expiry)\n    const refreshToken = createAuthCode(\n      {\n        orgId: payload.orgId,\n        apiToken: payload.apiToken,\n        userId: payload.userId,\n      },\n      86400 * 30, // 30 days\n    );\n\n    return {\n      access_token: accessToken,\n      token_type: 'Bearer',\n      expires_in: 3600, // 1 hour (access tokens should be short-lived)\n      refresh_token: refreshToken,\n    };\n  } catch (error) {\n    event.res.status = 400;\n    return {\n      error: 'invalid_grant',\n      error_description: error instanceof Error ? error.message : 'Invalid authorization code',\n    };\n  }\n});\n\n/**\n * Handle refresh token grant\n */\nfunction handleRefreshToken(event: H3Event, refreshToken: string | undefined) {\n  if (!refreshToken) {\n    event.res.status = 400;\n    return {\n      error: 'invalid_request',\n      error_description: 'Missing refresh_token',\n    };\n  }\n\n  try {\n    // Decode refresh token (it's just an encrypted auth code with longer expiry)\n    const payload = decodeAuthCode(refreshToken);\n\n    // Create new access token\n    const accessToken = createAuthToken({\n      organizationId: payload.orgId,\n      apiToken: payload.apiToken,\n      userId: payload.userId,\n    });\n\n    // Create new refresh token (rotate for security)\n    const newRefreshToken = createAuthCode(\n      {\n        orgId: payload.orgId,\n        apiToken: payload.apiToken,\n        userId: payload.userId,\n      },\n      86400 * 30, // 30 days\n    );\n\n    return {\n      access_token: accessToken,\n      token_type: 'Bearer',\n      expires_in: 3600,\n      refresh_token: newRefreshToken,\n    };\n  } catch (error) {\n    event.res.status = 400;\n    return {\n      error: 'invalid_grant',\n      error_description: error instanceof Error ? error.message : 'Invalid refresh token',\n    };\n  }\n}\n\n/**\n * Create S256 PKCE challenge from verifier\n * SHA256(code_verifier) encoded as base64url\n */\nfunction createS256Challenge(codeVerifier: string): string {\n  return createHash('sha256').update(codeVerifier).digest('base64url');\n}\n\n/**\n * Render the login form HTML\n */\nfunction renderLoginForm(params: {\n  clientId?: string;\n  redirectUri?: string;\n  state?: string;\n  codeChallenge?: string;\n  codeChallengeMethod?: string;\n  scope?: string;\n  error?: string;\n}): string {\n  const { redirectUri, state, codeChallenge, codeChallengeMethod, error } = params;\n\n  return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"UTF-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n  <title>Connect to Productive.io</title>\n  <style>\n    * {\n      box-sizing: border-box;\n      margin: 0;\n      padding: 0;\n    }\n    body {\n      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;\n      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);\n      min-height: 100vh;\n      display: flex;\n      align-items: center;\n      justify-content: center;\n      padding: 20px;\n    }\n    .container {\n      background: white;\n      border-radius: 16px;\n      box-shadow: 0 20px 60px rgba(0, 0, 0, 0.3);\n      padding: 40px;\n      width: 100%;\n      max-width: 420px;\n    }\n    .logo {\n      text-align: center;\n      margin-bottom: 24px;\n    }\n    .logo svg {\n      width: 48px;\n      height: 48px;\n    }\n    h1 {\n      text-align: center;\n      color: #1a1a2e;\n      font-size: 24px;\n      margin-bottom: 8px;\n    }\n    .subtitle {\n      text-align: center;\n      color: #666;\n      font-size: 14px;\n      margin-bottom: 32px;\n    }\n    .error {\n      background: #fee2e2;\n      border: 1px solid #fecaca;\n      color: #dc2626;\n      padding: 12px 16px;\n      border-radius: 8px;\n      margin-bottom: 24px;\n      font-size: 14px;\n    }\n    .form-group {\n      margin-bottom: 20px;\n    }\n    label {\n      display: block;\n      font-size: 14px;\n      font-weight: 500;\n      color: #374151;\n      margin-bottom: 6px;\n    }\n    input {\n      width: 100%;\n      padding: 12px 16px;\n      border: 1px solid #d1d5db;\n      border-radius: 8px;\n      font-size: 16px;\n      transition: border-color 0.2s, box-shadow 0.2s;\n    }\n    input:focus {\n      outline: none;\n      border-color: #667eea;\n      box-shadow: 0 0 0 3px rgba(102, 126, 234, 0.2);\n    }\n    input::placeholder {\n      color: #9ca3af;\n    }\n    .help-text {\n      font-size: 12px;\n      color: #6b7280;\n      margin-top: 4px;\n    }\n    button {\n      width: 100%;\n      padding: 14px 24px;\n      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);\n      color: white;\n      border: none;\n      border-radius: 8px;\n      font-size: 16px;\n      font-weight: 600;\n      cursor: pointer;\n      transition: transform 0.2s, box-shadow 0.2s;\n    }\n    button:hover {\n      transform: translateY(-1px);\n      box-shadow: 0 4px 12px rgba(102, 126, 234, 0.4);\n    }\n    button:active {\n      transform: translateY(0);\n    }\n    .footer {\n      text-align: center;\n      margin-top: 24px;\n      font-size: 12px;\n      color: #9ca3af;\n    }\n    .footer a {\n      color: #667eea;\n      text-decoration: none;\n    }\n    .footer a:hover {\n      text-decoration: underline;\n    }\n  </style>\n</head>\n<body>\n  <div class=\"container\">\n    <div class=\"logo\">\n      <svg viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\">\n        <path d=\"M12 2L2 7L12 12L22 7L12 2Z\" stroke=\"#667eea\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"/>\n        <path d=\"M2 17L12 22L22 17\" stroke=\"#764ba2\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"/>\n        <path d=\"M2 12L12 17L22 12\" stroke=\"#667eea\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"/>\n      </svg>\n    </div>\n    <h1>Connect to Productive.io</h1>\n    <p class=\"subtitle\">Enter your Productive.io credentials to connect with Claude</p>\n    \n    ${error ? `<div class=\"error\">${escapeHtml(error)}</div>` : ''}\n    \n    <form method=\"POST\" action=\"/authorize\">\n      <input type=\"hidden\" name=\"redirectUri\" value=\"${escapeHtml(redirectUri || '')}\">\n      <input type=\"hidden\" name=\"state\" value=\"${escapeHtml(state || '')}\">\n      <input type=\"hidden\" name=\"codeChallenge\" value=\"${escapeHtml(codeChallenge || '')}\">\n      <input type=\"hidden\" name=\"codeChallengeMethod\" value=\"${escapeHtml(codeChallengeMethod || 'S256')}\">\n      \n      <div class=\"form-group\">\n        <label for=\"orgId\">Organization ID *</label>\n        <input type=\"text\" id=\"orgId\" name=\"orgId\" required placeholder=\"e.g., 12345\">\n        <p class=\"help-text\">Found in Settings → API integrations</p>\n      </div>\n      \n      <div class=\"form-group\">\n        <label for=\"apiToken\">API Token *</label>\n        <input type=\"password\" id=\"apiToken\" name=\"apiToken\" required placeholder=\"pk_...\">\n        <p class=\"help-text\">Generate at Settings → API integrations → Generate new token</p>\n      </div>\n      \n      <div class=\"form-group\">\n        <label for=\"userId\">User ID (optional)</label>\n        <input type=\"text\" id=\"userId\" name=\"userId\" placeholder=\"e.g., 67890\">\n        <p class=\"help-text\">Required for creating time entries. Found in your profile URL.</p>\n      </div>\n      \n      <button type=\"submit\">Connect to Productive</button>\n    </form>\n    \n    <p class=\"footer\">\n      Your credentials are encrypted and sent directly to Claude.<br>\n      <a href=\"https://developer.productive.io\" target=\"_blank\">Productive.io API Documentation</a>\n    </p>\n  </div>\n</body>\n</html>`;\n}\n\n/**\n * Render error page\n */\nfunction renderErrorPage(message: string): string {\n  return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"UTF-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n  <title>Error - Productive MCP</title>\n  <style>\n    body {\n      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;\n      background: #f3f4f6;\n      min-height: 100vh;\n      display: flex;\n      align-items: center;\n      justify-content: center;\n      padding: 20px;\n    }\n    .container {\n      background: white;\n      border-radius: 16px;\n      box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);\n      padding: 40px;\n      text-align: center;\n      max-width: 400px;\n    }\n    h1 {\n      color: #dc2626;\n      margin-bottom: 16px;\n    }\n    p {\n      color: #6b7280;\n    }\n  </style>\n</head>\n<body>\n  <div class=\"container\">\n    <h1>Error</h1>\n    <p>${escapeHtml(message)}</p>\n  </div>\n</body>\n</html>`;\n}\n\n/**\n * Escape HTML special characters\n */\nfunction escapeHtml(str: string): string {\n  return str\n    .replace(/&/g, '&amp;')\n    .replace(/</g, '&lt;')\n    .replace(/>/g, '&gt;')\n    .replace(/\"/g, '&quot;')\n    .replace(/'/g, '&#039;');\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AA6BA,IAAa,uBAAuB,eAAe,UAAmB;CACpE,MAAM,OAAO,MAAM,IAAI,QAAQ,IAAI,OAAO,IAAI;CAE9C,MAAM,UAAU,GADC,MAAM,IAAI,QAAQ,IAAI,oBAAoB,IAAI,OACnC,KAAK;AAEjC,OAAM,IAAI,QAAQ,IAAI,gBAAgB,mBAAmB;AACzD,OAAM,IAAI,QAAQ,IAAI,iBAAiB,uBAAuB;AAE9D,QAAO;EAEL,QAAQ;EACR,wBAAwB,GAAG,QAAQ;EACnC,gBAAgB,GAAG,QAAQ;EAC3B,0BAA0B,CAAC,OAAO;EAGlC,uBAAuB,CAAC,sBAAsB,gBAAgB;EAC9D,kCAAkC,CAAC,OAAO;EAC1C,uCAAuC,CAAC,OAAO;EAG/C,uBAAuB,GAAG,QAAQ;EAClC,kBAAkB,CAAC,aAAa;EAChC,uBAAuB;EACxB;EACD;;;;;;;;;AAUF,IAAa,kBAAkB,cAAc,OAAO,UAAmB;AACrE,OAAM,IAAI,QAAQ,IAAI,gBAAgB,mBAAmB;CAEzD,IAAI;AACJ,KAAI;AACF,SAAQ,MAAM,MAAM,IAAI,MAAM;SACxB;AACN,QAAM,IAAI,SAAS;AACnB,SAAO;GACL,OAAO;GACP,mBAAmB;GACpB;;CAIH,MAAM,aAAc,KAAK,eAA0B;CACnD,MAAM,eAAgB,KAAK,iBAA8B,EAAE;CAI3D,MAAM,WAAW,OAAO,KACtB,KAAK,UAAU;EACb,MAAM;EACN,IAAI,KAAK,KAAK;EACf,CAAC,CACH,CAAC,SAAS,YAAY;AAEvB,OAAM,IAAI,SAAS;AACnB,QAAO;EACL,WAAW;EACX,aAAa;EACb,eAAe;EACf,4BAA4B;EAC5B,aAAa,CAAC,sBAAsB,gBAAgB;EACpD,gBAAgB,CAAC,OAAO;EACzB;EACD;;;;;AAMF,IAAa,sBAAsB,eAAe,UAAmB;CACnE,MAAM,QAAQ,SAAS,MAAM;CAG7B,MAAM,WAAW,MAAM;CACvB,MAAM,cAAc,MAAM;CAC1B,MAAM,QAAQ,MAAM;CACpB,MAAM,gBAAgB,MAAM;CAC5B,MAAM,sBAAsB,MAAM;CAClC,MAAM,QAAQ,MAAM;AAGpB,KAAI,CAAC,aAAa;AAChB,QAAM,IAAI,QAAQ,IAAI,gBAAgB,2BAA2B;AACjE,QAAM,IAAI,SAAS;AACnB,SAAO,gBAAgB,2CAA2C;;AAIpE,KAAI,CAAC,eAAe;EAElB,MAAM,WAAW,IAAI,IAAI,YAAY;AACrC,WAAS,aAAa,IAAI,SAAS,kBAAkB;AACrD,WAAS,aAAa,IAAI,qBAAqB,6BAA6B;AAC5E,MAAI,MAAO,UAAS,aAAa,IAAI,SAAS,MAAM;AACpD,SAAO,SAAS,SAAS,UAAU,CAAC;;AAGtC,KAAI,uBAAuB,wBAAwB,QAAQ;EACzD,MAAM,WAAW,IAAI,IAAI,YAAY;AACrC,WAAS,aAAa,IAAI,SAAS,kBAAkB;AACrD,WAAS,aAAa,IAAI,qBAAqB,+CAA+C;AAC9F,MAAI,MAAO,UAAS,aAAa,IAAI,SAAS,MAAM;AACpD,SAAO,SAAS,SAAS,UAAU,CAAC;;AAGtC,OAAM,IAAI,QAAQ,IAAI,gBAAgB,2BAA2B;AAGjE,QAAO,gBAAgB;EACrB;EACA;EACA;EACA;EACA,qBAAqB,uBAAuB;EAC5C;EACD,CAAC;EACF;;;;;AAMF,IAAa,uBAAuB,cAAc,OAAO,UAAmB;CAC1E,MAAM,WAAW,MAAM,MAAM,IAAI,UAAU;CAG3C,MAAM,EAAE,OAAO,UAAU,QAAQ,aAAa,OAAO,eAAe,wBAFvD,OAAO,YAAY,SAAS,SAAS,CAAC;AAKnD,KAAI,CAAC,aAAa;AAChB,QAAM,IAAI,QAAQ,IAAI,gBAAgB,2BAA2B;AACjE,QAAM,IAAI,SAAS;AACnB,SAAO,gBAAgB,iCAAiC;;AAI1D,KAAI;EACF,MAAM,MAAM,IAAI,IAAI,YAAY;EAChC,MAAM,cAAc,IAAI,aAAa,eAAe,IAAI,aAAa;EACrE,MAAM,UAAU,IAAI,aAAa;AACjC,MAAI,CAAC,eAAe,CAAC,SAAS;AAC5B,SAAM,IAAI,SAAS;AACnB,UAAO,gBAAgB,0CAA0C;;SAE7D;AACN,QAAM,IAAI,SAAS;AACnB,SAAO,gBAAgB,8BAA8B;;AAIvD,KAAI,CAAC,SAAS,CAAC,UAAU;AACvB,QAAM,IAAI,QAAQ,IAAI,gBAAgB,2BAA2B;AACjE,SAAO,gBAAgB;GACrB;GACA;GACA;GACA;GACA,OAAO;GACR,CAAC;;CAIJ,MAAM,OAAO,eAAe;EAC1B;EACA;EACA,QAAQ,UAAU,KAAA;EAClB;EACA,qBAAqB,uBAAuB;EAC7C,CAAC;CAGF,MAAM,cAAc,IAAI,IAAI,YAAY;AACxC,aAAY,aAAa,IAAI,QAAQ,KAAK;AAC1C,KAAI,MACF,aAAY,aAAa,IAAI,SAAS,MAAM;AAK9C,QAAO,SAAS,YAAY,UAAU,CAAC;EACvC;;;;;;;;;AAUF,IAAa,eAAe,cAAc,OAAO,UAAmB;AAClE,OAAM,IAAI,QAAQ,IAAI,gBAAgB,mBAAmB;CAEzD,IAAI;AAGJ,MAFoB,MAAM,IAAI,QAAQ,IAAI,eAAe,IAAI,IAE7C,SAAS,oCAAoC,EAAE;EAC7D,MAAM,UAAU,MAAM,MAAM,IAAI,MAAM;AACtC,SAAO,OAAO,YAAY,IAAI,gBAAgB,QAAQ,CAAC;OAEvD,QAAQ,MAAM,MAAM,IAAI,MAAM;CAGhC,MAAM,EAAE,YAAY,MAAM,eAAe,kBAAkB;AAG3D,KAAI,eAAe,gBACjB,QAAO,mBAAmB,OAAO,cAAc;AAIjD,KAAI,eAAe,sBAAsB;AACvC,QAAM,IAAI,SAAS;AACnB,SAAO;GACL,OAAO;GACP,mBAAmB;GACpB;;AAGH,KAAI,CAAC,MAAM;AACT,QAAM,IAAI,SAAS;AACnB,SAAO;GACL,OAAO;GACP,mBAAmB;GACpB;;AAGH,KAAI,CAAC,eAAe;AAClB,QAAM,IAAI,SAAS;AACnB,SAAO;GACL,OAAO;GACP,mBAAmB;GACpB;;AAGH,KAAI;EAEF,MAAM,UAAU,eAAe,KAAK;AAGpC,MAAI,QAAQ;OACgB,oBAAoB,cAAc,KAClC,QAAQ,eAAe;AAC/C,UAAM,IAAI,SAAS;AACnB,WAAO;KACL,OAAO;KACP,mBAAmB;KACpB;;;AAqBL,SAAO;GACL,cAjBkB,gBAAgB;IAClC,gBAAgB,QAAQ;IACxB,UAAU,QAAQ;IAClB,QAAQ,QAAQ;IACjB,CAAC;GAcA,YAAY;GACZ,YAAY;GACZ,eAbmB,eACnB;IACE,OAAO,QAAQ;IACf,UAAU,QAAQ;IAClB,QAAQ,QAAQ;IACjB,EACD,QAAQ,GACT;GAOA;UACM,OAAO;AACd,QAAM,IAAI,SAAS;AACnB,SAAO;GACL,OAAO;GACP,mBAAmB,iBAAiB,QAAQ,MAAM,UAAU;GAC7D;;EAEH;;;;AAKF,SAAS,mBAAmB,OAAgB,cAAkC;AAC5E,KAAI,CAAC,cAAc;AACjB,QAAM,IAAI,SAAS;AACnB,SAAO;GACL,OAAO;GACP,mBAAmB;GACpB;;AAGH,KAAI;EAEF,MAAM,UAAU,eAAe,aAAa;AAmB5C,SAAO;GACL,cAjBkB,gBAAgB;IAClC,gBAAgB,QAAQ;IACxB,UAAU,QAAQ;IAClB,QAAQ,QAAQ;IACjB,CAAC;GAcA,YAAY;GACZ,YAAY;GACZ,eAbsB,eACtB;IACE,OAAO,QAAQ;IACf,UAAU,QAAQ;IAClB,QAAQ,QAAQ;IACjB,EACD,QAAQ,GACT;GAOA;UACM,OAAO;AACd,QAAM,IAAI,SAAS;AACnB,SAAO;GACL,OAAO;GACP,mBAAmB,iBAAiB,QAAQ,MAAM,UAAU;GAC7D;;;;;;;AAQL,SAAS,oBAAoB,cAA8B;AACzD,QAAO,WAAW,SAAS,CAAC,OAAO,aAAa,CAAC,OAAO,YAAY;;;;;AAMtE,SAAS,gBAAgB,QAQd;CACT,MAAM,EAAE,aAAa,OAAO,eAAe,qBAAqB,UAAU;AAE1E,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;MAuIH,QAAQ,sBAAsB,WAAW,MAAM,CAAC,UAAU,GAAG;;;uDAGZ,WAAW,eAAe,GAAG,CAAC;iDACpC,WAAW,SAAS,GAAG,CAAC;yDAChB,WAAW,iBAAiB,GAAG,CAAC;+DAC1B,WAAW,uBAAuB,OAAO,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmCzG,SAAS,gBAAgB,SAAyB;AAChD,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;SAoCA,WAAW,QAAQ,CAAC;;;;;;;;AAS7B,SAAS,WAAW,KAAqB;AACvC,QAAO,IACJ,QAAQ,MAAM,QAAQ,CACtB,QAAQ,MAAM,OAAO,CACrB,QAAQ,MAAM,OAAO,CACrB,QAAQ,MAAM,SAAS,CACvB,QAAQ,MAAM,SAAS"}

package/dist/server.js

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
-import { t as VERSION } from "./version-BFw4junA.js";
-import "./handlers-t95fhdps.js";
-import { createHttpApp } from "./http.js";
+import { t as VERSION } from "./version-Cy8UEAT1.js";
+import { t as createHttpApp } from "./http-CVE4qtko.js";
 import { toNodeHandler } from "h3";
 import { createServer } from "node:http";
+//#region src/server.ts
 /**
 * Productive MCP Server - HTTP Transport
 *
@@ -67,6 +67,7 @@ if (import.meta.url === `file://${process.argv[1]}` || process.argv[1]?.endsWith
 	console.error("Fatal error:", error);
 	process.exit(1);
 });
+//#endregion
 export { startHttpServer };
 
 //# sourceMappingURL=server.js.map

package/dist/{stdio-Bi1Lvp8O.js → stdio-BFK9AcdQ.js}

@@ -1,7 +1,8 @@
-import { t as executeToolWithCredentials } from "./handlers-t95fhdps.js";
+import { t as executeToolWithCredentials } from "./handlers-vtRpc-Lx.js";
 import { STDIO_ONLY_TOOLS, TOOLS } from "./tools.js";
 import { getConfig, setConfig } from "@studiometa/productive-api";
-const PROMPT_DEFINITIONS = [
+//#region src/prompts/definitions.ts
+var PROMPT_DEFINITIONS = [
 	{
 		name: "end-of-day",
 		description: "Compose an end-of-day standup message based on your activity today",
@@ -64,6 +65,8 @@ const PROMPT_DEFINITIONS = [
 		]
 	}
 ];
+//#endregion
+//#region src/prompts/handlers.ts
 /**
 * Build the end-of-day standup prompt messages
 */
@@ -254,6 +257,8 @@ function getPromptMessages(name, args) {
 		default: throw new Error(`Unknown prompt: ${name}`);
 	}
 }
+//#endregion
+//#region src/stdio.ts
 /**
 * Get all available tools (including stdio-only configuration tools)
 */
@@ -346,6 +351,7 @@ async function handlePrompt(name, args) {
 	if (name === "setup_productive") return handleSetupPrompt();
 	return getPromptMessages(name, args);
 }
+//#endregion
 export { handlePrompt as a, handleGetConfigTool as i, getAvailableTools as n, handleSetupPrompt as o, handleConfigureTool as r, handleToolCall as s, getAvailablePrompts as t };
 
-//# sourceMappingURL=stdio-Bi1Lvp8O.js.map
+//# sourceMappingURL=stdio-BFK9AcdQ.js.map