@studiometa/productive-mcp 0.3.0 → 0.4.6

package/README.md

@@ -10,6 +10,7 @@ MCP (Model Context Protocol) server for [Productive.io](https://productive.io) A
 - ✅ Full Productive.io API access via MCP
 - 🔧 Support for projects, tasks, time entries, services, and people
 - 🔐 Two modes: local (stdio) and remote (HTTP)
+- 🔑 **OAuth 2.0 support** for Claude Desktop custom connectors
 - 🌐 Deploy once, share with your team via Claude Desktop custom connectors
 - 🐳 Docker-ready for easy deployment
 - 📦 Built on [@studiometa/productive-cli](../productive-cli)
@@ -83,9 +84,14 @@ Deploy once, share with your entire team via Claude Desktop's **custom connector
 
 ### How It Works
 
+The server supports **OAuth 2.0** for seamless Claude Desktop integration:
+
 1. Deploy the HTTP server to a URL (e.g., `https://productive.mcp.example.com`)
-2. Each team member generates their own Bearer token with their Productive credentials
-3. Team members add the custom connector in Claude Desktop with their personal token
+2. Add the custom connector in Claude Desktop with OAuth enabled
+3. When connecting, users are presented with a login form to enter their Productive credentials
+4. Credentials are securely encrypted and exchanged via OAuth tokens
+
+No central credential storage required - each user's credentials are encrypted directly in their OAuth token.
 
 ### Deploy the Server
 
@@ -128,22 +134,21 @@ services:
     environment:
       PORT: 3000
       HOST: 0.0.0.0
+      OAUTH_SECRET: "your-random-secret-here"  # Required for production!
 ```
 
-### Generate Your Token
+### Environment Variables
 
-Each team member generates their own token containing their Productive credentials:
-
-```bash
-# Format: base64(organizationId:apiToken:userId)
-echo -n "YOUR_ORG_ID:YOUR_API_TOKEN:YOUR_USER_ID" | base64
-```
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `PORT` | No | Server port (default: 3000) |
+| `HOST` | No | Bind address (default: 0.0.0.0) |
+| `OAUTH_SECRET` | **Yes (production)** | Secret key for encrypting OAuth tokens |
 
-Example:
-```bash
-echo -n "12345:pk_abc123xyz:67890" | base64
-# Output: MTIzNDU6cGtfYWJjMTIzeHl6OjY3ODkw
-```
+> ⚠️ **Important**: Always set `OAUTH_SECRET` in production. Generate a random secret:
+> ```bash
+> openssl rand -base64 32
+> ```
 
 ### Configure Claude Desktop Custom Connector
 
@@ -153,10 +158,25 @@ echo -n "12345:pk_abc123xyz:67890" | base64
 4. Configure:
    - **Name**: `Productive`
    - **Remote MCP server URL**: `https://productive.mcp.example.com/mcp`
-   - Leave OAuth fields empty (we use Bearer token)
-5. When making requests, Claude will include your token in the `Authorization` header
+   - **Authorization URL**: `https://productive.mcp.example.com/authorize`
+   - **Token URL**: `https://productive.mcp.example.com/token`
+5. Claude will redirect you to a login form to enter your Productive credentials
+6. After login, you're connected and can start using Productive tools
+
+### Alternative: Manual Bearer Token
+
+If you prefer not to use OAuth, you can generate a Bearer token manually:
 
-> **Note**: As of now, Claude Desktop custom connectors may require OAuth. If Bearer token auth isn't supported directly, you can use a reverse proxy to inject the Authorization header, or wait for Claude Desktop to support custom headers.
+```bash
+# Format: base64(organizationId:apiToken:userId)
+echo -n "YOUR_ORG_ID:YOUR_API_TOKEN:YOUR_USER_ID" | base64
+```
+
+Example:
+```bash
+echo -n "12345:pk_abc123xyz:67890" | base64
+# Output: MTIzNDU6cGtfYWJjMTIzeHl6OjY3ODkw
+```
 
 ### Server Endpoints
 
@@ -165,6 +185,10 @@ echo -n "12345:pk_abc123xyz:67890" | base64
 | `/mcp` | POST | MCP JSON-RPC endpoint |
 | `/health` | GET | Health check |
 | `/` | GET | Server info |
+| `/authorize` | GET | OAuth authorization (login form) |
+| `/authorize` | POST | OAuth authorization (process login) |
+| `/token` | POST | OAuth token exchange |
+| `/.well-known/oauth-authorization-server` | GET | OAuth metadata |
 
 ---
 
@@ -326,6 +350,9 @@ productive-mcp/
 ├── src/
 │   ├── index.ts      # Stdio transport (local mode)
 │   ├── server.ts     # HTTP transport (remote mode)
+│   ├── http.ts       # HTTP routes and MCP endpoint
+│   ├── oauth.ts      # OAuth 2.0 endpoints
+│   ├── crypto.ts     # Encryption for stateless OAuth tokens
 │   ├── tools.ts      # Tool definitions (shared)
 │   ├── handlers.ts   # Tool execution (shared)
 │   └── auth.ts       # Bearer token parsing
@@ -333,6 +360,20 @@ productive-mcp/
 └── README.md
 ```
 
+### OAuth Flow (Stateless)
+
+The OAuth implementation is **stateless** - no database or session storage required:
+
+1. User visits `/authorize` → sees login form
+2. User enters Productive credentials (org ID, API token, user ID)
+3. Server encrypts credentials into the authorization code using `OAUTH_SECRET`
+4. Redirects back to Claude with the encrypted code
+5. Claude calls `/token` with the code
+6. Server decrypts the code → returns access token (base64 credentials)
+7. All MCP requests include this token in the `Authorization: Bearer` header
+
+This approach keeps the server stateless while securely passing credentials through the OAuth flow.
+
 ## Related Packages
 
 - [@studiometa/productive-cli](../productive-cli) - CLI tool for Productive.io

package/dist/crypto.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Cryptographic utilities for stateless OAuth tokens
+ *
+ * Uses AES-256-GCM for authenticated encryption.
+ * The authorization code contains encrypted credentials that can be
+ * decrypted without server-side storage.
+ */
+/**
+ * Get the encryption secret from environment or generate a default
+ * In production, OAUTH_SECRET should always be set
+ */
+export declare function getSecret(): string;
+/**
+ * Encrypt data using AES-256-GCM
+ *
+ * Output format: base64(salt + iv + authTag + ciphertext)
+ *
+ * @param plaintext - Data to encrypt
+ * @param secret - Encryption secret (defaults to OAUTH_SECRET env var)
+ * @returns Base64-encoded encrypted data
+ */
+export declare function encrypt(plaintext: string, secret?: string): string;
+/**
+ * Decrypt data encrypted with encrypt()
+ *
+ * @param ciphertext - Base64-encoded encrypted data
+ * @param secret - Encryption secret (defaults to OAUTH_SECRET env var)
+ * @returns Decrypted plaintext
+ * @throws Error if decryption fails (invalid data or wrong secret)
+ */
+export declare function decrypt(ciphertext: string, secret?: string): string;
+/**
+ * Authorization code payload structure
+ */
+export interface AuthCodePayload {
+    orgId: string;
+    apiToken: string;
+    userId?: string;
+    codeChallenge?: string;
+    codeChallengeMethod?: string;
+}
+/**
+ * Create an encrypted authorization code containing credentials and PKCE challenge
+ *
+ * @param credentials - Object with orgId, apiToken, userId, and optional PKCE params
+ * @param expiresInSeconds - Code expiration time (default: 5 minutes)
+ * @returns Encrypted authorization code
+ */
+export declare function createAuthCode(credentials: AuthCodePayload, expiresInSeconds?: number): string;
+/**
+ * Decode and validate an authorization code
+ *
+ * @param code - Encrypted authorization code
+ * @returns Decoded payload with credentials and PKCE challenge
+ * @throws Error if code is invalid or expired
+ */
+export declare function decodeAuthCode(code: string): AuthCodePayload;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAgBH;;;GAGG;AACH,wBAAgB,SAAS,IAAI,MAAM,CASlC;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,GAAE,MAAoB,GAAG,MAAM,CAa/E;AAED;;;;;;;GAOG;AACH,wBAAgB,OAAO,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,GAAE,MAAoB,GAAG,MAAM,CAwBhF;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,WAAW,EAAE,eAAe,EAC5B,gBAAgB,GAAE,MAAY,GAC7B,MAAM,CAMR;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,CAc5D"}

package/dist/crypto.js

@@ -0,0 +1,73 @@
+import { randomBytes, createCipheriv, createDecipheriv, scryptSync } from "node:crypto";
+const ALGORITHM = "aes-256-gcm";
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+const SALT_LENGTH = 16;
+function deriveKey(password, salt) {
+  return scryptSync(password, salt, 32);
+}
+function getSecret() {
+  const secret = process.env.OAUTH_SECRET;
+  if (!secret) {
+    console.warn(
+      "WARNING: OAUTH_SECRET not set. Using default secret. Set OAUTH_SECRET in production!"
+    );
+    return "productive-mcp-default-secret-change-me";
+  }
+  return secret;
+}
+function encrypt(plaintext, secret = getSecret()) {
+  const salt = randomBytes(SALT_LENGTH);
+  const key = deriveKey(secret, salt);
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, key, iv);
+  const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  const combined = Buffer.concat([salt, iv, authTag, encrypted]);
+  return combined.toString("base64url");
+}
+function decrypt(ciphertext, secret = getSecret()) {
+  try {
+    const combined = Buffer.from(ciphertext, "base64url");
+    const salt = combined.subarray(0, SALT_LENGTH);
+    const iv = combined.subarray(SALT_LENGTH, SALT_LENGTH + IV_LENGTH);
+    const authTag = combined.subarray(
+      SALT_LENGTH + IV_LENGTH,
+      SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH
+    );
+    const encrypted = combined.subarray(SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH);
+    const key = deriveKey(secret, salt);
+    const decipher = createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
+    return decrypted.toString("utf8");
+  } catch {
+    throw new Error("Decryption failed: invalid token or secret");
+  }
+}
+function createAuthCode(credentials, expiresInSeconds = 300) {
+  const payload = {
+    ...credentials,
+    exp: Date.now() + expiresInSeconds * 1e3
+  };
+  return encrypt(JSON.stringify(payload));
+}
+function decodeAuthCode(code) {
+  const payload = JSON.parse(decrypt(code));
+  if (payload.exp && Date.now() > payload.exp) {
+    throw new Error("Authorization code expired");
+  }
+  const { orgId, apiToken, userId, codeChallenge, codeChallengeMethod } = payload;
+  if (!orgId || !apiToken) {
+    throw new Error("Invalid authorization code: missing credentials");
+  }
+  return { orgId, apiToken, userId, codeChallenge, codeChallengeMethod };
+}
+export {
+  createAuthCode,
+  decodeAuthCode,
+  decrypt,
+  encrypt,
+  getSecret
+};
+//# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sources":["../src/crypto.ts"],"sourcesContent":["/**\n * Cryptographic utilities for stateless OAuth tokens\n *\n * Uses AES-256-GCM for authenticated encryption.\n * The authorization code contains encrypted credentials that can be\n * decrypted without server-side storage.\n */\n\nimport { createCipheriv, createDecipheriv, randomBytes, scryptSync } from 'node:crypto';\n\nconst ALGORITHM = 'aes-256-gcm';\nconst IV_LENGTH = 12; // GCM recommended IV length\nconst AUTH_TAG_LENGTH = 16;\nconst SALT_LENGTH = 16;\n\n/**\n * Derive a 256-bit key from a password using scrypt\n */\nfunction deriveKey(password: string, salt: Buffer): Buffer {\n  return scryptSync(password, salt, 32);\n}\n\n/**\n * Get the encryption secret from environment or generate a default\n * In production, OAUTH_SECRET should always be set\n */\nexport function getSecret(): string {\n  const secret = process.env.OAUTH_SECRET;\n  if (!secret) {\n    console.warn(\n      'WARNING: OAUTH_SECRET not set. Using default secret. Set OAUTH_SECRET in production!'\n    );\n    return 'productive-mcp-default-secret-change-me';\n  }\n  return secret;\n}\n\n/**\n * Encrypt data using AES-256-GCM\n *\n * Output format: base64(salt + iv + authTag + ciphertext)\n *\n * @param plaintext - Data to encrypt\n * @param secret - Encryption secret (defaults to OAUTH_SECRET env var)\n * @returns Base64-encoded encrypted data\n */\nexport function encrypt(plaintext: string, secret: string = getSecret()): string {\n  const salt = randomBytes(SALT_LENGTH);\n  const key = deriveKey(secret, salt);\n  const iv = randomBytes(IV_LENGTH);\n\n  const cipher = createCipheriv(ALGORITHM, key, iv);\n  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);\n  const authTag = cipher.getAuthTag();\n\n  // Combine: salt + iv + authTag + ciphertext\n  const combined = Buffer.concat([salt, iv, authTag, encrypted]);\n\n  return combined.toString('base64url');\n}\n\n/**\n * Decrypt data encrypted with encrypt()\n *\n * @param ciphertext - Base64-encoded encrypted data\n * @param secret - Encryption secret (defaults to OAUTH_SECRET env var)\n * @returns Decrypted plaintext\n * @throws Error if decryption fails (invalid data or wrong secret)\n */\nexport function decrypt(ciphertext: string, secret: string = getSecret()): string {\n  try {\n    const combined = Buffer.from(ciphertext, 'base64url');\n\n    // Extract components\n    const salt = combined.subarray(0, SALT_LENGTH);\n    const iv = combined.subarray(SALT_LENGTH, SALT_LENGTH + IV_LENGTH);\n    const authTag = combined.subarray(\n      SALT_LENGTH + IV_LENGTH,\n      SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH\n    );\n    const encrypted = combined.subarray(SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH);\n\n    const key = deriveKey(secret, salt);\n\n    const decipher = createDecipheriv(ALGORITHM, key, iv);\n    decipher.setAuthTag(authTag);\n\n    const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);\n\n    return decrypted.toString('utf8');\n  } catch {\n    throw new Error('Decryption failed: invalid token or secret');\n  }\n}\n\n/**\n * Authorization code payload structure\n */\nexport interface AuthCodePayload {\n  orgId: string;\n  apiToken: string;\n  userId?: string;\n  codeChallenge?: string;\n  codeChallengeMethod?: string;\n}\n\n/**\n * Create an encrypted authorization code containing credentials and PKCE challenge\n *\n * @param credentials - Object with orgId, apiToken, userId, and optional PKCE params\n * @param expiresInSeconds - Code expiration time (default: 5 minutes)\n * @returns Encrypted authorization code\n */\nexport function createAuthCode(\n  credentials: AuthCodePayload,\n  expiresInSeconds: number = 300\n): string {\n  const payload = {\n    ...credentials,\n    exp: Date.now() + expiresInSeconds * 1000,\n  };\n  return encrypt(JSON.stringify(payload));\n}\n\n/**\n * Decode and validate an authorization code\n *\n * @param code - Encrypted authorization code\n * @returns Decoded payload with credentials and PKCE challenge\n * @throws Error if code is invalid or expired\n */\nexport function decodeAuthCode(code: string): AuthCodePayload {\n  const payload = JSON.parse(decrypt(code));\n\n  if (payload.exp && Date.now() > payload.exp) {\n    throw new Error('Authorization code expired');\n  }\n\n  const { orgId, apiToken, userId, codeChallenge, codeChallengeMethod } = payload;\n\n  if (!orgId || !apiToken) {\n    throw new Error('Invalid authorization code: missing credentials');\n  }\n\n  return { orgId, apiToken, userId, codeChallenge, codeChallengeMethod };\n}\n"],"names":[],"mappings":";AAUA,MAAM,YAAY;AAClB,MAAM,YAAY;AAClB,MAAM,kBAAkB;AACxB,MAAM,cAAc;AAKpB,SAAS,UAAU,UAAkB,MAAsB;AACzD,SAAO,WAAW,UAAU,MAAM,EAAE;AACtC;AAMO,SAAS,YAAoB;AAClC,QAAM,SAAS,QAAQ,IAAI;AAC3B,MAAI,CAAC,QAAQ;AACX,YAAQ;AAAA,MACN;AAAA,IAAA;AAEF,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAWO,SAAS,QAAQ,WAAmB,SAAiB,aAAqB;AAC/E,QAAM,OAAO,YAAY,WAAW;AACpC,QAAM,MAAM,UAAU,QAAQ,IAAI;AAClC,QAAM,KAAK,YAAY,SAAS;AAEhC,QAAM,SAAS,eAAe,WAAW,KAAK,EAAE;AAChD,QAAM,YAAY,OAAO,OAAO,CAAC,OAAO,OAAO,WAAW,MAAM,GAAG,OAAO,MAAA,CAAO,CAAC;AAClF,QAAM,UAAU,OAAO,WAAA;AAGvB,QAAM,WAAW,OAAO,OAAO,CAAC,MAAM,IAAI,SAAS,SAAS,CAAC;AAE7D,SAAO,SAAS,SAAS,WAAW;AACtC;AAUO,SAAS,QAAQ,YAAoB,SAAiB,aAAqB;AAChF,MAAI;AACF,UAAM,WAAW,OAAO,KAAK,YAAY,WAAW;AAGpD,UAAM,OAAO,SAAS,SAAS,GAAG,WAAW;AAC7C,UAAM,KAAK,SAAS,SAAS,aAAa,cAAc,SAAS;AACjE,UAAM,UAAU,SAAS;AAAA,MACvB,cAAc;AAAA,MACd,cAAc,YAAY;AAAA,IAAA;AAE5B,UAAM,YAAY,SAAS,SAAS,cAAc,YAAY,eAAe;AAE7E,UAAM,MAAM,UAAU,QAAQ,IAAI;AAElC,UAAM,WAAW,iBAAiB,WAAW,KAAK,EAAE;AACpD,aAAS,WAAW,OAAO;AAE3B,UAAM,YAAY,OAAO,OAAO,CAAC,SAAS,OAAO,SAAS,GAAG,SAAS,MAAA,CAAO,CAAC;AAE9E,WAAO,UAAU,SAAS,MAAM;AAAA,EAClC,QAAQ;AACN,UAAM,IAAI,MAAM,4CAA4C;AAAA,EAC9D;AACF;AAoBO,SAAS,eACd,aACA,mBAA2B,KACnB;AACR,QAAM,UAAU;AAAA,IACd,GAAG;AAAA,IACH,KAAK,KAAK,IAAA,IAAQ,mBAAmB;AAAA,EAAA;AAEvC,SAAO,QAAQ,KAAK,UAAU,OAAO,CAAC;AACxC;AASO,SAAS,eAAe,MAA+B;AAC5D,QAAM,UAAU,KAAK,MAAM,QAAQ,IAAI,CAAC;AAExC,MAAI,QAAQ,OAAO,KAAK,IAAA,IAAQ,QAAQ,KAAK;AAC3C,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,QAAM,EAAE,OAAO,UAAU,QAAQ,eAAe,wBAAwB;AAExE,MAAI,CAAC,SAAS,CAAC,UAAU;AACvB,UAAM,IAAI,MAAM,iDAAiD;AAAA,EACnE;AAEA,SAAO,EAAE,OAAO,UAAU,QAAQ,eAAe,oBAAA;AACnD;"}

package/dist/handlers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"handlers.d.ts","sourceRoot":"","sources":["../src/handlers.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACzE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AAUvD,MAAM,MAAM,UAAU,GAAG,cAAc,CAAC;AAqBxC;;;;;;;GAOG;AACH,wBAAsB,0BAA0B,CAC9C,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,WAAW,EAAE,qBAAqB,GACjC,OAAO,CAAC,UAAU,CAAC,CA0GrB"}
+{"version":3,"file":"handlers.d.ts","sourceRoot":"","sources":["../src/handlers.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACzE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AAUvD,MAAM,MAAM,UAAU,GAAG,cAAc,CAAC;AAqBxC;;;;;;;GAOG;AACH,wBAAsB,0BAA0B,CAC9C,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,WAAW,EAAE,qBAAqB,GACjC,OAAO,CAAC,UAAU,CAAC,CA4GrB"}

package/dist/handlers.js

@@ -42,8 +42,9 @@ function errorResult(message) {
 }
 async function executeToolWithCredentials(name, args, credentials) {
   const api = new ProductiveApi({
-    apiToken: credentials.apiToken,
-    organizationId: credentials.organizationId
+    token: credentials.apiToken,
+    "org-id": credentials.organizationId,
+    "user-id": credentials.userId
   });
   try {
     switch (name) {

package/dist/handlers.js.map

@@ -1 +1 @@
-{"version":3,"file":"handlers.js","sources":["../src/formatters.ts","../src/handlers.ts"],"sourcesContent":["/**\n * Response formatters for agent-friendly output\n *\n * This module re-exports formatters from @studiometa/productive-cli\n * with MCP-specific defaults (no relationship IDs, no timestamps).\n */\n\nimport {\n  formatTimeEntry as cliFormatTimeEntry,\n  formatProject as cliFormatProject,\n  formatTask as cliFormatTask,\n  formatPerson as cliFormatPerson,\n  formatService as cliFormatService,\n  formatListResponse as cliFormatListResponse,\n  type JsonApiResource,\n  type JsonApiMeta,\n  type FormatOptions,\n  type FormattedPagination,\n} from '@studiometa/productive-cli';\n\n// Re-export types\nexport type { JsonApiResource, JsonApiMeta, FormatOptions, FormattedPagination };\n\n/**\n * MCP-specific format options\n * - No relationship IDs (cleaner output for agents)\n * - No timestamps (reduce noise)\n * - HTML stripping enabled\n */\nconst MCP_FORMAT_OPTIONS: FormatOptions = {\n  includeRelationshipIds: false,\n  includeTimestamps: false,\n  stripHtml: true,\n};\n\n/**\n * Format time entry for agent consumption\n */\nexport function formatTimeEntry(\n  entry: JsonApiResource,\n  _included?: JsonApiResource[]\n): Record<string, unknown> {\n  return cliFormatTimeEntry(entry, MCP_FORMAT_OPTIONS);\n}\n\n/**\n * Format project for agent consumption\n */\nexport function formatProject(\n  project: JsonApiResource,\n  _included?: JsonApiResource[]\n): Record<string, unknown> {\n  return cliFormatProject(project, MCP_FORMAT_OPTIONS);\n}\n\n/**\n * Format task for agent consumption\n * Tasks use included resources to resolve project/company names\n */\nexport function formatTask(\n  task: JsonApiResource,\n  included?: JsonApiResource[]\n): Record<string, unknown> {\n  return cliFormatTask(task, { ...MCP_FORMAT_OPTIONS, included });\n}\n\n/**\n * Format person for agent consumption\n */\nexport function formatPerson(\n  person: JsonApiResource,\n  _included?: JsonApiResource[]\n): Record<string, unknown> {\n  return cliFormatPerson(person, MCP_FORMAT_OPTIONS);\n}\n\n/**\n * Format service for agent consumption\n */\nexport function formatService(\n  service: JsonApiResource,\n  _included?: JsonApiResource[]\n): Record<string, unknown> {\n  return cliFormatService(service, MCP_FORMAT_OPTIONS);\n}\n\n/**\n * Format list response with pagination\n *\n * @param data - Array of JSON:API resources\n * @param formatter - Formatter function (item, included?) => T\n * @param meta - Pagination metadata\n * @param included - Included resources for relationship resolution\n */\nexport function formatListResponse<T>(\n  data: JsonApiResource[],\n  formatter: (item: JsonApiResource, included?: JsonApiResource[]) => T,\n  meta?: JsonApiMeta,\n  included?: JsonApiResource[]\n): { data: T[]; meta?: FormattedPagination } {\n  // Create a wrapper that converts (item, options?) signature to (item, included?) signature\n  const wrappedFormatter = (item: JsonApiResource, _options?: FormatOptions) => {\n    return formatter(item, included);\n  };\n\n  const result = cliFormatListResponse(data, wrappedFormatter, meta, {\n    ...MCP_FORMAT_OPTIONS,\n    included,\n  });\n\n  return result as { data: T[]; meta?: FormattedPagination };\n}\n","/**\n * Tool execution handlers for Productive MCP server\n * These are shared between stdio and HTTP transports\n */\n\nimport { ProductiveApi } from '@studiometa/productive-cli';\nimport type { CallToolResult } from '@modelcontextprotocol/sdk/types.js';\nimport type { ProductiveCredentials } from './auth.js';\nimport {\n  formatTimeEntry,\n  formatTask,\n  formatProject,\n  formatPerson,\n  formatService,\n  formatListResponse,\n} from './formatters.js';\n\nexport type ToolResult = CallToolResult;\n\n/**\n * Helper to create a successful JSON response\n */\nfunction jsonResult(data: unknown): ToolResult {\n  return {\n    content: [{ type: 'text', text: JSON.stringify(data, null, 2) }],\n  };\n}\n\n/**\n * Helper to create an error response\n */\nfunction errorResult(message: string): ToolResult {\n  return {\n    content: [{ type: 'text', text: `Error: ${message}` }],\n    isError: true,\n  };\n}\n\n/**\n * Execute a tool with the given credentials and arguments\n *\n * @param name - Tool name\n * @param args - Tool arguments\n * @param credentials - Productive API credentials\n * @returns Tool execution result\n */\nexport async function executeToolWithCredentials(\n  name: string,\n  args: Record<string, unknown>,\n  credentials: ProductiveCredentials\n): Promise<ToolResult> {\n  // Initialize API client with provided credentials\n  const api = new ProductiveApi({\n    apiToken: credentials.apiToken,\n    organizationId: credentials.organizationId,\n  } as Record<string, string>);\n\n  try {\n    switch (name) {\n      case 'productive_list_projects': {\n        const result = await api.getProjects(args as Parameters<typeof api.getProjects>[0]);\n        return jsonResult(formatListResponse(result.data, formatProject, result.meta));\n      }\n\n      case 'productive_get_project': {\n        const result = await api.getProject((args as { id: string }).id);\n        return jsonResult(formatProject(result.data));\n      }\n\n      case 'productive_list_time_entries': {\n        const result = await api.getTimeEntries(args as Parameters<typeof api.getTimeEntries>[0]);\n        return jsonResult(formatListResponse(result.data, formatTimeEntry, result.meta));\n      }\n\n      case 'productive_get_time_entry': {\n        const result = await api.getTimeEntry((args as { id: string }).id);\n        return jsonResult(formatTimeEntry(result.data));\n      }\n\n      case 'productive_create_time_entry': {\n        const result = await api.createTimeEntry(\n          args as Parameters<typeof api.createTimeEntry>[0]\n        );\n        return jsonResult({\n          success: true,\n          ...formatTimeEntry(result.data),\n        });\n      }\n\n      case 'productive_update_time_entry': {\n        const { id, ...data } = args as { id: string } & Record<string, unknown>;\n        const result = await api.updateTimeEntry(id, data as Parameters<typeof api.updateTimeEntry>[1]);\n        return jsonResult({\n          success: true,\n          ...formatTimeEntry(result.data),\n        });\n      }\n\n      case 'productive_delete_time_entry': {\n        await api.deleteTimeEntry((args as { id: string }).id);\n        return jsonResult({ success: true, message: 'Time entry deleted' });\n      }\n\n      case 'productive_list_tasks': {\n        const params = args as Parameters<typeof api.getTasks>[0] || {};\n        // Always include project and company for context\n        params.include = ['project', 'project.company'];\n        const result = await api.getTasks(params);\n        return jsonResult(formatListResponse(\n          result.data,\n          formatTask,\n          result.meta,\n          result.included\n        ));\n      }\n\n      case 'productive_get_task': {\n        const result = await api.getTask((args as { id: string }).id, {\n          include: ['project', 'project.company'],\n        });\n        return jsonResult(formatTask(result.data, result.included));\n      }\n\n      case 'productive_list_services': {\n        const result = await api.getServices(args as Parameters<typeof api.getServices>[0]);\n        return jsonResult(formatListResponse(result.data, formatService, result.meta));\n      }\n\n      case 'productive_list_people': {\n        const result = await api.getPeople(args as Parameters<typeof api.getPeople>[0]);\n        return jsonResult(formatListResponse(result.data, formatPerson, result.meta));\n      }\n\n      case 'productive_get_person': {\n        const result = await api.getPerson((args as { id: string }).id);\n        return jsonResult(formatPerson(result.data));\n      }\n\n      case 'productive_get_current_user': {\n        if (credentials.userId) {\n          const result = await api.getPerson(credentials.userId);\n          return jsonResult(formatPerson(result.data));\n        }\n        return jsonResult({\n          message: 'User ID not configured. Set userId in credentials to use this tool.',\n          organizationId: credentials.organizationId,\n        });\n      }\n\n      default:\n        return errorResult(`Unknown tool: ${name}`);\n    }\n  } catch (error) {\n    const message = error instanceof Error ? error.message : String(error);\n    return errorResult(message);\n  }\n}\n"],"names":["cliFormatTimeEntry","cliFormatProject","cliFormatTask","cliFormatPerson","cliFormatService","cliFormatListResponse"],"mappings":";AA6BA,MAAM,qBAAoC;AAAA,EACxC,wBAAwB;AAAA,EACxB,mBAAmB;AAAA,EACnB,WAAW;AACb;AAKO,SAAS,gBACd,OACA,WACyB;AACzB,SAAOA,kBAAmB,OAAO,kBAAkB;AACrD;AAKO,SAAS,cACd,SACA,WACyB;AACzB,SAAOC,gBAAiB,SAAS,kBAAkB;AACrD;AAMO,SAAS,WACd,MACA,UACyB;AACzB,SAAOC,aAAc,MAAM,EAAE,GAAG,oBAAoB,UAAU;AAChE;AAKO,SAAS,aACd,QACA,WACyB;AACzB,SAAOC,eAAgB,QAAQ,kBAAkB;AACnD;AAKO,SAAS,cACd,SACA,WACyB;AACzB,SAAOC,gBAAiB,SAAS,kBAAkB;AACrD;AAUO,SAAS,mBACd,MACA,WACA,MACA,UAC2C;AAE3C,QAAM,mBAAmB,CAAC,MAAuB,aAA6B;AAC5E,WAAO,UAAU,MAAM,QAAQ;AAAA,EACjC;AAEA,QAAM,SAASC,qBAAsB,MAAM,kBAAkB,MAAM;AAAA,IACjE,GAAG;AAAA,IACH;AAAA,EAAA,CACD;AAED,SAAO;AACT;ACzFA,SAAS,WAAW,MAA2B;AAC7C,SAAO;AAAA,IACL,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,KAAK,UAAU,MAAM,MAAM,CAAC,EAAA,CAAG;AAAA,EAAA;AAEnE;AAKA,SAAS,YAAY,SAA6B;AAChD,SAAO;AAAA,IACL,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,UAAU,OAAO,IAAI;AAAA,IACrD,SAAS;AAAA,EAAA;AAEb;AAUA,eAAsB,2BACpB,MACA,MACA,aACqB;AAErB,QAAM,MAAM,IAAI,cAAc;AAAA,IAC5B,UAAU,YAAY;AAAA,IACtB,gBAAgB,YAAY;AAAA,EAAA,CACH;AAE3B,MAAI;AACF,YAAQ,MAAA;AAAA,MACN,KAAK,4BAA4B;AAC/B,cAAM,SAAS,MAAM,IAAI,YAAY,IAA6C;AAClF,eAAO,WAAW,mBAAmB,OAAO,MAAM,eAAe,OAAO,IAAI,CAAC;AAAA,MAC/E;AAAA,MAEA,KAAK,0BAA0B;AAC7B,cAAM,SAAS,MAAM,IAAI,WAAY,KAAwB,EAAE;AAC/D,eAAO,WAAW,cAAc,OAAO,IAAI,CAAC;AAAA,MAC9C;AAAA,MAEA,KAAK,gCAAgC;AACnC,cAAM,SAAS,MAAM,IAAI,eAAe,IAAgD;AACxF,eAAO,WAAW,mBAAmB,OAAO,MAAM,iBAAiB,OAAO,IAAI,CAAC;AAAA,MACjF;AAAA,MAEA,KAAK,6BAA6B;AAChC,cAAM,SAAS,MAAM,IAAI,aAAc,KAAwB,EAAE;AACjE,eAAO,WAAW,gBAAgB,OAAO,IAAI,CAAC;AAAA,MAChD;AAAA,MAEA,KAAK,gCAAgC;AACnC,cAAM,SAAS,MAAM,IAAI;AAAA,UACvB;AAAA,QAAA;AAEF,eAAO,WAAW;AAAA,UAChB,SAAS;AAAA,UACT,GAAG,gBAAgB,OAAO,IAAI;AAAA,QAAA,CAC/B;AAAA,MACH;AAAA,MAEA,KAAK,gCAAgC;AACnC,cAAM,EAAE,IAAI,GAAG,KAAA,IAAS;AACxB,cAAM,SAAS,MAAM,IAAI,gBAAgB,IAAI,IAAiD;AAC9F,eAAO,WAAW;AAAA,UAChB,SAAS;AAAA,UACT,GAAG,gBAAgB,OAAO,IAAI;AAAA,QAAA,CAC/B;AAAA,MACH;AAAA,MAEA,KAAK,gCAAgC;AACnC,cAAM,IAAI,gBAAiB,KAAwB,EAAE;AACrD,eAAO,WAAW,EAAE,SAAS,MAAM,SAAS,sBAAsB;AAAA,MACpE;AAAA,MAEA,KAAK,yBAAyB;AAC5B,cAAM,SAAS,QAA8C,CAAA;AAE7D,eAAO,UAAU,CAAC,WAAW,iBAAiB;AAC9C,cAAM,SAAS,MAAM,IAAI,SAAS,MAAM;AACxC,eAAO,WAAW;AAAA,UAChB,OAAO;AAAA,UACP;AAAA,UACA,OAAO;AAAA,UACP,OAAO;AAAA,QAAA,CACR;AAAA,MACH;AAAA,MAEA,KAAK,uBAAuB;AAC1B,cAAM,SAAS,MAAM,IAAI,QAAS,KAAwB,IAAI;AAAA,UAC5D,SAAS,CAAC,WAAW,iBAAiB;AAAA,QAAA,CACvC;AACD,eAAO,WAAW,WAAW,OAAO,MAAM,OAAO,QAAQ,CAAC;AAAA,MAC5D;AAAA,MAEA,KAAK,4BAA4B;AAC/B,cAAM,SAAS,MAAM,IAAI,YAAY,IAA6C;AAClF,eAAO,WAAW,mBAAmB,OAAO,MAAM,eAAe,OAAO,IAAI,CAAC;AAAA,MAC/E;AAAA,MAEA,KAAK,0BAA0B;AAC7B,cAAM,SAAS,MAAM,IAAI,UAAU,IAA2C;AAC9E,eAAO,WAAW,mBAAmB,OAAO,MAAM,cAAc,OAAO,IAAI,CAAC;AAAA,MAC9E;AAAA,MAEA,KAAK,yBAAyB;AAC5B,cAAM,SAAS,MAAM,IAAI,UAAW,KAAwB,EAAE;AAC9D,eAAO,WAAW,aAAa,OAAO,IAAI,CAAC;AAAA,MAC7C;AAAA,MAEA,KAAK,+BAA+B;AAClC,YAAI,YAAY,QAAQ;AACtB,gBAAM,SAAS,MAAM,IAAI,UAAU,YAAY,MAAM;AACrD,iBAAO,WAAW,aAAa,OAAO,IAAI,CAAC;AAAA,QAC7C;AACA,eAAO,WAAW;AAAA,UAChB,SAAS;AAAA,UACT,gBAAgB,YAAY;AAAA,QAAA,CAC7B;AAAA,MACH;AAAA,MAEA;AACE,eAAO,YAAY,iBAAiB,IAAI,EAAE;AAAA,IAAA;AAAA,EAEhD,SAAS,OAAO;AACd,UAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACrE,WAAO,YAAY,OAAO;AAAA,EAC5B;AACF;"}
+{"version":3,"file":"handlers.js","sources":["../src/formatters.ts","../src/handlers.ts"],"sourcesContent":["/**\n * Response formatters for agent-friendly output\n *\n * This module re-exports formatters from @studiometa/productive-cli\n * with MCP-specific defaults (no relationship IDs, no timestamps).\n */\n\nimport {\n  formatTimeEntry as cliFormatTimeEntry,\n  formatProject as cliFormatProject,\n  formatTask as cliFormatTask,\n  formatPerson as cliFormatPerson,\n  formatService as cliFormatService,\n  formatListResponse as cliFormatListResponse,\n  type JsonApiResource,\n  type JsonApiMeta,\n  type FormatOptions,\n  type FormattedPagination,\n} from '@studiometa/productive-cli';\n\n// Re-export types\nexport type { JsonApiResource, JsonApiMeta, FormatOptions, FormattedPagination };\n\n/**\n * MCP-specific format options\n * - No relationship IDs (cleaner output for agents)\n * - No timestamps (reduce noise)\n * - HTML stripping enabled\n */\nconst MCP_FORMAT_OPTIONS: FormatOptions = {\n  includeRelationshipIds: false,\n  includeTimestamps: false,\n  stripHtml: true,\n};\n\n/**\n * Format time entry for agent consumption\n */\nexport function formatTimeEntry(\n  entry: JsonApiResource,\n  _included?: JsonApiResource[]\n): Record<string, unknown> {\n  return cliFormatTimeEntry(entry, MCP_FORMAT_OPTIONS);\n}\n\n/**\n * Format project for agent consumption\n */\nexport function formatProject(\n  project: JsonApiResource,\n  _included?: JsonApiResource[]\n): Record<string, unknown> {\n  return cliFormatProject(project, MCP_FORMAT_OPTIONS);\n}\n\n/**\n * Format task for agent consumption\n * Tasks use included resources to resolve project/company names\n */\nexport function formatTask(\n  task: JsonApiResource,\n  included?: JsonApiResource[]\n): Record<string, unknown> {\n  return cliFormatTask(task, { ...MCP_FORMAT_OPTIONS, included });\n}\n\n/**\n * Format person for agent consumption\n */\nexport function formatPerson(\n  person: JsonApiResource,\n  _included?: JsonApiResource[]\n): Record<string, unknown> {\n  return cliFormatPerson(person, MCP_FORMAT_OPTIONS);\n}\n\n/**\n * Format service for agent consumption\n */\nexport function formatService(\n  service: JsonApiResource,\n  _included?: JsonApiResource[]\n): Record<string, unknown> {\n  return cliFormatService(service, MCP_FORMAT_OPTIONS);\n}\n\n/**\n * Format list response with pagination\n *\n * @param data - Array of JSON:API resources\n * @param formatter - Formatter function (item, included?) => T\n * @param meta - Pagination metadata\n * @param included - Included resources for relationship resolution\n */\nexport function formatListResponse<T>(\n  data: JsonApiResource[],\n  formatter: (item: JsonApiResource, included?: JsonApiResource[]) => T,\n  meta?: JsonApiMeta,\n  included?: JsonApiResource[]\n): { data: T[]; meta?: FormattedPagination } {\n  // Create a wrapper that converts (item, options?) signature to (item, included?) signature\n  const wrappedFormatter = (item: JsonApiResource, _options?: FormatOptions) => {\n    return formatter(item, included);\n  };\n\n  const result = cliFormatListResponse(data, wrappedFormatter, meta, {\n    ...MCP_FORMAT_OPTIONS,\n    included,\n  });\n\n  return result as { data: T[]; meta?: FormattedPagination };\n}\n","/**\n * Tool execution handlers for Productive MCP server\n * These are shared between stdio and HTTP transports\n */\n\nimport { ProductiveApi } from '@studiometa/productive-cli';\nimport type { CallToolResult } from '@modelcontextprotocol/sdk/types.js';\nimport type { ProductiveCredentials } from './auth.js';\nimport {\n  formatTimeEntry,\n  formatTask,\n  formatProject,\n  formatPerson,\n  formatService,\n  formatListResponse,\n} from './formatters.js';\n\nexport type ToolResult = CallToolResult;\n\n/**\n * Helper to create a successful JSON response\n */\nfunction jsonResult(data: unknown): ToolResult {\n  return {\n    content: [{ type: 'text', text: JSON.stringify(data, null, 2) }],\n  };\n}\n\n/**\n * Helper to create an error response\n */\nfunction errorResult(message: string): ToolResult {\n  return {\n    content: [{ type: 'text', text: `Error: ${message}` }],\n    isError: true,\n  };\n}\n\n/**\n * Execute a tool with the given credentials and arguments\n *\n * @param name - Tool name\n * @param args - Tool arguments\n * @param credentials - Productive API credentials\n * @returns Tool execution result\n */\nexport async function executeToolWithCredentials(\n  name: string,\n  args: Record<string, unknown>,\n  credentials: ProductiveCredentials\n): Promise<ToolResult> {\n  // Initialize API client with provided credentials\n  // Note: getConfig expects CLI-style keys (token, org-id) not camelCase\n  const api = new ProductiveApi({\n    token: credentials.apiToken,\n    'org-id': credentials.organizationId,\n    'user-id': credentials.userId,\n  } as Record<string, string>);\n\n  try {\n    switch (name) {\n      case 'productive_list_projects': {\n        const result = await api.getProjects(args as Parameters<typeof api.getProjects>[0]);\n        return jsonResult(formatListResponse(result.data, formatProject, result.meta));\n      }\n\n      case 'productive_get_project': {\n        const result = await api.getProject((args as { id: string }).id);\n        return jsonResult(formatProject(result.data));\n      }\n\n      case 'productive_list_time_entries': {\n        const result = await api.getTimeEntries(args as Parameters<typeof api.getTimeEntries>[0]);\n        return jsonResult(formatListResponse(result.data, formatTimeEntry, result.meta));\n      }\n\n      case 'productive_get_time_entry': {\n        const result = await api.getTimeEntry((args as { id: string }).id);\n        return jsonResult(formatTimeEntry(result.data));\n      }\n\n      case 'productive_create_time_entry': {\n        const result = await api.createTimeEntry(\n          args as Parameters<typeof api.createTimeEntry>[0]\n        );\n        return jsonResult({\n          success: true,\n          ...formatTimeEntry(result.data),\n        });\n      }\n\n      case 'productive_update_time_entry': {\n        const { id, ...data } = args as { id: string } & Record<string, unknown>;\n        const result = await api.updateTimeEntry(id, data as Parameters<typeof api.updateTimeEntry>[1]);\n        return jsonResult({\n          success: true,\n          ...formatTimeEntry(result.data),\n        });\n      }\n\n      case 'productive_delete_time_entry': {\n        await api.deleteTimeEntry((args as { id: string }).id);\n        return jsonResult({ success: true, message: 'Time entry deleted' });\n      }\n\n      case 'productive_list_tasks': {\n        const params = args as Parameters<typeof api.getTasks>[0] || {};\n        // Always include project and company for context\n        params.include = ['project', 'project.company'];\n        const result = await api.getTasks(params);\n        return jsonResult(formatListResponse(\n          result.data,\n          formatTask,\n          result.meta,\n          result.included\n        ));\n      }\n\n      case 'productive_get_task': {\n        const result = await api.getTask((args as { id: string }).id, {\n          include: ['project', 'project.company'],\n        });\n        return jsonResult(formatTask(result.data, result.included));\n      }\n\n      case 'productive_list_services': {\n        const result = await api.getServices(args as Parameters<typeof api.getServices>[0]);\n        return jsonResult(formatListResponse(result.data, formatService, result.meta));\n      }\n\n      case 'productive_list_people': {\n        const result = await api.getPeople(args as Parameters<typeof api.getPeople>[0]);\n        return jsonResult(formatListResponse(result.data, formatPerson, result.meta));\n      }\n\n      case 'productive_get_person': {\n        const result = await api.getPerson((args as { id: string }).id);\n        return jsonResult(formatPerson(result.data));\n      }\n\n      case 'productive_get_current_user': {\n        if (credentials.userId) {\n          const result = await api.getPerson(credentials.userId);\n          return jsonResult(formatPerson(result.data));\n        }\n        return jsonResult({\n          message: 'User ID not configured. Set userId in credentials to use this tool.',\n          organizationId: credentials.organizationId,\n        });\n      }\n\n      default:\n        return errorResult(`Unknown tool: ${name}`);\n    }\n  } catch (error) {\n    const message = error instanceof Error ? error.message : String(error);\n    return errorResult(message);\n  }\n}\n"],"names":["cliFormatTimeEntry","cliFormatProject","cliFormatTask","cliFormatPerson","cliFormatService","cliFormatListResponse"],"mappings":";AA6BA,MAAM,qBAAoC;AAAA,EACxC,wBAAwB;AAAA,EACxB,mBAAmB;AAAA,EACnB,WAAW;AACb;AAKO,SAAS,gBACd,OACA,WACyB;AACzB,SAAOA,kBAAmB,OAAO,kBAAkB;AACrD;AAKO,SAAS,cACd,SACA,WACyB;AACzB,SAAOC,gBAAiB,SAAS,kBAAkB;AACrD;AAMO,SAAS,WACd,MACA,UACyB;AACzB,SAAOC,aAAc,MAAM,EAAE,GAAG,oBAAoB,UAAU;AAChE;AAKO,SAAS,aACd,QACA,WACyB;AACzB,SAAOC,eAAgB,QAAQ,kBAAkB;AACnD;AAKO,SAAS,cACd,SACA,WACyB;AACzB,SAAOC,gBAAiB,SAAS,kBAAkB;AACrD;AAUO,SAAS,mBACd,MACA,WACA,MACA,UAC2C;AAE3C,QAAM,mBAAmB,CAAC,MAAuB,aAA6B;AAC5E,WAAO,UAAU,MAAM,QAAQ;AAAA,EACjC;AAEA,QAAM,SAASC,qBAAsB,MAAM,kBAAkB,MAAM;AAAA,IACjE,GAAG;AAAA,IACH;AAAA,EAAA,CACD;AAED,SAAO;AACT;ACzFA,SAAS,WAAW,MAA2B;AAC7C,SAAO;AAAA,IACL,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,KAAK,UAAU,MAAM,MAAM,CAAC,EAAA,CAAG;AAAA,EAAA;AAEnE;AAKA,SAAS,YAAY,SAA6B;AAChD,SAAO;AAAA,IACL,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,UAAU,OAAO,IAAI;AAAA,IACrD,SAAS;AAAA,EAAA;AAEb;AAUA,eAAsB,2BACpB,MACA,MACA,aACqB;AAGrB,QAAM,MAAM,IAAI,cAAc;AAAA,IAC5B,OAAO,YAAY;AAAA,IACnB,UAAU,YAAY;AAAA,IACtB,WAAW,YAAY;AAAA,EAAA,CACE;AAE3B,MAAI;AACF,YAAQ,MAAA;AAAA,MACN,KAAK,4BAA4B;AAC/B,cAAM,SAAS,MAAM,IAAI,YAAY,IAA6C;AAClF,eAAO,WAAW,mBAAmB,OAAO,MAAM,eAAe,OAAO,IAAI,CAAC;AAAA,MAC/E;AAAA,MAEA,KAAK,0BAA0B;AAC7B,cAAM,SAAS,MAAM,IAAI,WAAY,KAAwB,EAAE;AAC/D,eAAO,WAAW,cAAc,OAAO,IAAI,CAAC;AAAA,MAC9C;AAAA,MAEA,KAAK,gCAAgC;AACnC,cAAM,SAAS,MAAM,IAAI,eAAe,IAAgD;AACxF,eAAO,WAAW,mBAAmB,OAAO,MAAM,iBAAiB,OAAO,IAAI,CAAC;AAAA,MACjF;AAAA,MAEA,KAAK,6BAA6B;AAChC,cAAM,SAAS,MAAM,IAAI,aAAc,KAAwB,EAAE;AACjE,eAAO,WAAW,gBAAgB,OAAO,IAAI,CAAC;AAAA,MAChD;AAAA,MAEA,KAAK,gCAAgC;AACnC,cAAM,SAAS,MAAM,IAAI;AAAA,UACvB;AAAA,QAAA;AAEF,eAAO,WAAW;AAAA,UAChB,SAAS;AAAA,UACT,GAAG,gBAAgB,OAAO,IAAI;AAAA,QAAA,CAC/B;AAAA,MACH;AAAA,MAEA,KAAK,gCAAgC;AACnC,cAAM,EAAE,IAAI,GAAG,KAAA,IAAS;AACxB,cAAM,SAAS,MAAM,IAAI,gBAAgB,IAAI,IAAiD;AAC9F,eAAO,WAAW;AAAA,UAChB,SAAS;AAAA,UACT,GAAG,gBAAgB,OAAO,IAAI;AAAA,QAAA,CAC/B;AAAA,MACH;AAAA,MAEA,KAAK,gCAAgC;AACnC,cAAM,IAAI,gBAAiB,KAAwB,EAAE;AACrD,eAAO,WAAW,EAAE,SAAS,MAAM,SAAS,sBAAsB;AAAA,MACpE;AAAA,MAEA,KAAK,yBAAyB;AAC5B,cAAM,SAAS,QAA8C,CAAA;AAE7D,eAAO,UAAU,CAAC,WAAW,iBAAiB;AAC9C,cAAM,SAAS,MAAM,IAAI,SAAS,MAAM;AACxC,eAAO,WAAW;AAAA,UAChB,OAAO;AAAA,UACP;AAAA,UACA,OAAO;AAAA,UACP,OAAO;AAAA,QAAA,CACR;AAAA,MACH;AAAA,MAEA,KAAK,uBAAuB;AAC1B,cAAM,SAAS,MAAM,IAAI,QAAS,KAAwB,IAAI;AAAA,UAC5D,SAAS,CAAC,WAAW,iBAAiB;AAAA,QAAA,CACvC;AACD,eAAO,WAAW,WAAW,OAAO,MAAM,OAAO,QAAQ,CAAC;AAAA,MAC5D;AAAA,MAEA,KAAK,4BAA4B;AAC/B,cAAM,SAAS,MAAM,IAAI,YAAY,IAA6C;AAClF,eAAO,WAAW,mBAAmB,OAAO,MAAM,eAAe,OAAO,IAAI,CAAC;AAAA,MAC/E;AAAA,MAEA,KAAK,0BAA0B;AAC7B,cAAM,SAAS,MAAM,IAAI,UAAU,IAA2C;AAC9E,eAAO,WAAW,mBAAmB,OAAO,MAAM,cAAc,OAAO,IAAI,CAAC;AAAA,MAC9E;AAAA,MAEA,KAAK,yBAAyB;AAC5B,cAAM,SAAS,MAAM,IAAI,UAAW,KAAwB,EAAE;AAC9D,eAAO,WAAW,aAAa,OAAO,IAAI,CAAC;AAAA,MAC7C;AAAA,MAEA,KAAK,+BAA+B;AAClC,YAAI,YAAY,QAAQ;AACtB,gBAAM,SAAS,MAAM,IAAI,UAAU,YAAY,MAAM;AACrD,iBAAO,WAAW,aAAa,OAAO,IAAI,CAAC;AAAA,QAC7C;AACA,eAAO,WAAW;AAAA,UAChB,SAAS;AAAA,UACT,gBAAgB,YAAY;AAAA,QAAA,CAC7B;AAAA,MACH;AAAA,MAEA;AACE,eAAO,YAAY,iBAAiB,IAAI,EAAE;AAAA,IAAA;AAAA,EAEhD,SAAS,OAAO;AACd,UAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACrE,WAAO,YAAY,OAAO;AAAA,EAC5B;AACF;"}

package/dist/http.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../src/http.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAOL,KAAK,GAAG,EACT,MAAM,IAAI,CAAC;AAMZ;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,GAAE,MAAM,GAAG,MAAM,GAAG,IAAW;;;;;;;EAM5F;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,GAAE,MAAM,GAAG,MAAM,GAAG,IAAW;;;;EAMhF;AAED;;GAEG;AACH,wBAAgB,gBAAgB;;;;;;;;;EAW/B;AAED;;GAEG;AACH,wBAAgB,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAE9B;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,GAAG,CAyHnC"}
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../src/http.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAOL,KAAK,GAAG,EACT,MAAM,IAAI,CAAC;AAcZ;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,GAAE,MAAM,GAAG,MAAM,GAAG,IAAW;;;;;;;EAM5F;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,GAAE,MAAM,GAAG,MAAM,GAAG,IAAW;;;;EAMhF;AAED;;GAEG;AACH,wBAAgB,gBAAgB;;;;;;;;;EAW/B;AAED;;GAEG;AACH,wBAAgB,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAE9B;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,GAAG,CAgInC"}

package/dist/http.js

@@ -2,6 +2,8 @@ import { createApp, createRouter, defineEventHandler, getHeader, setResponseHead
 import { TOOLS } from "./tools.js";
 import { executeToolWithCredentials } from "./handlers.js";
 import { parseAuthHeader } from "./auth.js";
+import { V as VERSION } from "./version-uWLfG4Z0.js";
+import { oauthMetadataHandler, registerHandler, authorizeGetHandler, authorizePostHandler, tokenHandler } from "./oauth.js";
 function jsonRpcError(code, message, id = null) {
   return {
     jsonrpc: "2.0",
@@ -21,7 +23,7 @@ function handleInitialize() {
     protocolVersion: "2024-11-05",
     serverInfo: {
       name: "productive-mcp",
-      version: "0.1.0"
+      version: VERSION
     },
     capabilities: {
       tools: {}
@@ -34,10 +36,15 @@ function handleToolsList() {
 function createHttpApp() {
   const app = createApp();
   const router = createRouter();
+  router.get("/.well-known/oauth-authorization-server", oauthMetadataHandler);
+  router.post("/register", registerHandler);
+  router.get("/authorize", authorizeGetHandler);
+  router.post("/authorize", authorizePostHandler);
+  router.post("/token", tokenHandler);
   router.get(
     "/",
     defineEventHandler(() => {
-      return { status: "ok", service: "productive-mcp", version: "0.1.0" };
+      return { status: "ok", service: "productive-mcp", version: VERSION };
     })
   );
   router.get(

package/dist/http.js.map

@@ -1 +1 @@
-{"version":3,"file":"http.js","sources":["../src/http.ts"],"sourcesContent":["/**\n * HTTP transport handlers for Productive MCP Server\n *\n * This module contains the app/router creation logic for the HTTP transport.\n * The actual server startup is in server.ts.\n */\n\nimport {\n  createApp,\n  createRouter,\n  defineEventHandler,\n  readBody,\n  getHeader,\n  setResponseHeader,\n  type App,\n} from 'h3';\n\nimport { TOOLS } from './tools.js';\nimport { executeToolWithCredentials } from './handlers.js';\nimport { parseAuthHeader } from './auth.js';\n\n/**\n * JSON-RPC error response\n */\nexport function jsonRpcError(code: number, message: string, id: string | number | null = null) {\n  return {\n    jsonrpc: '2.0',\n    error: { code, message },\n    id,\n  };\n}\n\n/**\n * JSON-RPC success response\n */\nexport function jsonRpcSuccess(result: unknown, id: string | number | null = null) {\n  return {\n    jsonrpc: '2.0',\n    result,\n    id,\n  };\n}\n\n/**\n * Handle the initialize JSON-RPC method\n */\nexport function handleInitialize() {\n  return {\n    protocolVersion: '2024-11-05',\n    serverInfo: {\n      name: 'productive-mcp',\n      version: '0.1.0',\n    },\n    capabilities: {\n      tools: {},\n    },\n  };\n}\n\n/**\n * Handle the tools/list JSON-RPC method\n */\nexport function handleToolsList() {\n  return { tools: TOOLS };\n}\n\n/**\n * Create the h3 application with all routes\n */\nexport function createHttpApp(): App {\n  const app = createApp();\n  const router = createRouter();\n\n  // Health check endpoint\n  router.get(\n    '/',\n    defineEventHandler(() => {\n      return { status: 'ok', service: 'productive-mcp', version: '0.1.0' };\n    })\n  );\n\n  router.get(\n    '/health',\n    defineEventHandler(() => {\n      return { status: 'ok' };\n    })\n  );\n\n  // MCP endpoint - handles JSON-RPC over HTTP\n  router.post(\n    '/mcp',\n    defineEventHandler(async (event) => {\n      // Parse authorization header\n      const authHeader = getHeader(event, 'authorization');\n      const credentials = parseAuthHeader(authHeader);\n\n      if (!credentials) {\n        setResponseHeader(event, 'Content-Type', 'application/json');\n        event.node.res.statusCode = 401;\n        return jsonRpcError(\n          -32001,\n          'Authentication required. Provide Bearer token with base64(organizationId:apiToken:userId)'\n        );\n      }\n\n      setResponseHeader(event, 'Content-Type', 'application/json');\n\n      // Parse JSON-RPC request\n      let body: { method?: string; params?: unknown; id?: string | number };\n      try {\n        body = await readBody(event);\n      } catch {\n        event.node.res.statusCode = 400;\n        return jsonRpcError(-32700, 'Parse error: Invalid JSON');\n      }\n\n      if (!body || typeof body !== 'object') {\n        event.node.res.statusCode = 400;\n        return jsonRpcError(-32700, 'Parse error: Invalid JSON');\n      }\n\n      const { method, params, id } = body;\n\n      try {\n        if (method === 'initialize') {\n          return jsonRpcSuccess(handleInitialize(), id ?? null);\n        }\n\n        if (method === 'tools/list') {\n          return jsonRpcSuccess(handleToolsList(), id ?? null);\n        }\n\n        if (method === 'tools/call') {\n          const { name, arguments: args } = params as {\n            name: string;\n            arguments?: Record<string, unknown>;\n          };\n          const result = await executeToolWithCredentials(name, args || {}, credentials);\n          return jsonRpcSuccess(result, id ?? null);\n        }\n\n        // Unknown method\n        return jsonRpcError(-32601, `Method not found: ${method}`, id ?? null);\n      } catch (error) {\n        const message = error instanceof Error ? error.message : String(error);\n        return jsonRpcError(-32603, `Internal error: ${message}`, id ?? null);\n      }\n    })\n  );\n\n  // SSE endpoint for server-sent events (optional, for streaming responses)\n  router.get(\n    '/mcp/sse',\n    defineEventHandler(async (event) => {\n      const authHeader = getHeader(event, 'authorization');\n      const credentials = parseAuthHeader(authHeader);\n\n      if (!credentials) {\n        event.node.res.statusCode = 401;\n        return { error: 'Authentication required' };\n      }\n\n      // Set SSE headers\n      setResponseHeader(event, 'Content-Type', 'text/event-stream');\n      setResponseHeader(event, 'Cache-Control', 'no-cache');\n      setResponseHeader(event, 'Connection', 'keep-alive');\n\n      // Generate session ID and send it\n      const sessionId = crypto.randomUUID();\n\n      // Send initial session event\n      event.node.res.write(`event: session\\ndata: ${JSON.stringify({ sessionId })}\\n\\n`);\n\n      // Keep connection alive\n      const keepAlive = setInterval(() => {\n        event.node.res.write(': keepalive\\n\\n');\n      }, 30000);\n\n      // Clean up on close\n      event.node.req.on('close', () => {\n        clearInterval(keepAlive);\n      });\n\n      // Don't end the response - keep it open for SSE\n      return new Promise(() => {});\n    })\n  );\n\n  app.use(router);\n  return app;\n}\n"],"names":[],"mappings":";;;;AAwBO,SAAS,aAAa,MAAc,SAAiB,KAA6B,MAAM;AAC7F,SAAO;AAAA,IACL,SAAS;AAAA,IACT,OAAO,EAAE,MAAM,QAAA;AAAA,IACf;AAAA,EAAA;AAEJ;AAKO,SAAS,eAAe,QAAiB,KAA6B,MAAM;AACjF,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA;AAAA,EAAA;AAEJ;AAKO,SAAS,mBAAmB;AACjC,SAAO;AAAA,IACL,iBAAiB;AAAA,IACjB,YAAY;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,IAAA;AAAA,IAEX,cAAc;AAAA,MACZ,OAAO,CAAA;AAAA,IAAC;AAAA,EACV;AAEJ;AAKO,SAAS,kBAAkB;AAChC,SAAO,EAAE,OAAO,MAAA;AAClB;AAKO,SAAS,gBAAqB;AACnC,QAAM,MAAM,UAAA;AACZ,QAAM,SAAS,aAAA;AAGf,SAAO;AAAA,IACL;AAAA,IACA,mBAAmB,MAAM;AACvB,aAAO,EAAE,QAAQ,MAAM,SAAS,kBAAkB,SAAS,QAAA;AAAA,IAC7D,CAAC;AAAA,EAAA;AAGH,SAAO;AAAA,IACL;AAAA,IACA,mBAAmB,MAAM;AACvB,aAAO,EAAE,QAAQ,KAAA;AAAA,IACnB,CAAC;AAAA,EAAA;AAIH,SAAO;AAAA,IACL;AAAA,IACA,mBAAmB,OAAO,UAAU;AAElC,YAAM,aAAa,UAAU,OAAO,eAAe;AACnD,YAAM,cAAc,gBAAgB,UAAU;AAE9C,UAAI,CAAC,aAAa;AAChB,0BAAkB,OAAO,gBAAgB,kBAAkB;AAC3D,cAAM,KAAK,IAAI,aAAa;AAC5B,eAAO;AAAA,UACL;AAAA,UACA;AAAA,QAAA;AAAA,MAEJ;AAEA,wBAAkB,OAAO,gBAAgB,kBAAkB;AAG3D,UAAI;AACJ,UAAI;AACF,eAAO,MAAM,SAAS,KAAK;AAAA,MAC7B,QAAQ;AACN,cAAM,KAAK,IAAI,aAAa;AAC5B,eAAO,aAAa,QAAQ,2BAA2B;AAAA,MACzD;AAEA,UAAI,CAAC,QAAQ,OAAO,SAAS,UAAU;AACrC,cAAM,KAAK,IAAI,aAAa;AAC5B,eAAO,aAAa,QAAQ,2BAA2B;AAAA,MACzD;AAEA,YAAM,EAAE,QAAQ,QAAQ,GAAA,IAAO;AAE/B,UAAI;AACF,YAAI,WAAW,cAAc;AAC3B,iBAAO,eAAe,oBAAoB,MAAM,IAAI;AAAA,QACtD;AAEA,YAAI,WAAW,cAAc;AAC3B,iBAAO,eAAe,mBAAmB,MAAM,IAAI;AAAA,QACrD;AAEA,YAAI,WAAW,cAAc;AAC3B,gBAAM,EAAE,MAAM,WAAW,KAAA,IAAS;AAIlC,gBAAM,SAAS,MAAM,2BAA2B,MAAM,QAAQ,CAAA,GAAI,WAAW;AAC7E,iBAAO,eAAe,QAAQ,MAAM,IAAI;AAAA,QAC1C;AAGA,eAAO,aAAa,QAAQ,qBAAqB,MAAM,IAAI,MAAM,IAAI;AAAA,MACvE,SAAS,OAAO;AACd,cAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACrE,eAAO,aAAa,QAAQ,mBAAmB,OAAO,IAAI,MAAM,IAAI;AAAA,MACtE;AAAA,IACF,CAAC;AAAA,EAAA;AAIH,SAAO;AAAA,IACL;AAAA,IACA,mBAAmB,OAAO,UAAU;AAClC,YAAM,aAAa,UAAU,OAAO,eAAe;AACnD,YAAM,cAAc,gBAAgB,UAAU;AAE9C,UAAI,CAAC,aAAa;AAChB,cAAM,KAAK,IAAI,aAAa;AAC5B,eAAO,EAAE,OAAO,0BAAA;AAAA,MAClB;AAGA,wBAAkB,OAAO,gBAAgB,mBAAmB;AAC5D,wBAAkB,OAAO,iBAAiB,UAAU;AACpD,wBAAkB,OAAO,cAAc,YAAY;AAGnD,YAAM,YAAY,OAAO,WAAA;AAGzB,YAAM,KAAK,IAAI,MAAM;AAAA,QAAyB,KAAK,UAAU,EAAE,WAAW,CAAC;AAAA;AAAA,CAAM;AAGjF,YAAM,YAAY,YAAY,MAAM;AAClC,cAAM,KAAK,IAAI,MAAM,iBAAiB;AAAA,MACxC,GAAG,GAAK;AAGR,YAAM,KAAK,IAAI,GAAG,SAAS,MAAM;AAC/B,sBAAc,SAAS;AAAA,MACzB,CAAC;AAGD,aAAO,IAAI,QAAQ,MAAM;AAAA,MAAC,CAAC;AAAA,IAC7B,CAAC;AAAA,EAAA;AAGH,MAAI,IAAI,MAAM;AACd,SAAO;AACT;"}
+{"version":3,"file":"http.js","sources":["../src/http.ts"],"sourcesContent":["/**\n * HTTP transport handlers for Productive MCP Server\n *\n * This module contains the app/router creation logic for the HTTP transport.\n * The actual server startup is in server.ts.\n */\n\nimport {\n  createApp,\n  createRouter,\n  defineEventHandler,\n  readBody,\n  getHeader,\n  setResponseHeader,\n  type App,\n} from 'h3';\n\nimport { TOOLS } from './tools.js';\nimport { executeToolWithCredentials } from './handlers.js';\nimport { parseAuthHeader } from './auth.js';\nimport { VERSION } from './version.js';\nimport {\n  oauthMetadataHandler,\n  registerHandler,\n  authorizeGetHandler,\n  authorizePostHandler,\n  tokenHandler,\n} from './oauth.js';\n\n/**\n * JSON-RPC error response\n */\nexport function jsonRpcError(code: number, message: string, id: string | number | null = null) {\n  return {\n    jsonrpc: '2.0',\n    error: { code, message },\n    id,\n  };\n}\n\n/**\n * JSON-RPC success response\n */\nexport function jsonRpcSuccess(result: unknown, id: string | number | null = null) {\n  return {\n    jsonrpc: '2.0',\n    result,\n    id,\n  };\n}\n\n/**\n * Handle the initialize JSON-RPC method\n */\nexport function handleInitialize() {\n  return {\n    protocolVersion: '2024-11-05',\n    serverInfo: {\n      name: 'productive-mcp',\n      version: VERSION,\n    },\n    capabilities: {\n      tools: {},\n    },\n  };\n}\n\n/**\n * Handle the tools/list JSON-RPC method\n */\nexport function handleToolsList() {\n  return { tools: TOOLS };\n}\n\n/**\n * Create the h3 application with all routes\n */\nexport function createHttpApp(): App {\n  const app = createApp();\n  const router = createRouter();\n\n  // OAuth 2.0 endpoints for Claude Desktop integration (MCP auth spec)\n  router.get('/.well-known/oauth-authorization-server', oauthMetadataHandler);\n  router.post('/register', registerHandler); // Dynamic Client Registration (RFC 7591)\n  router.get('/authorize', authorizeGetHandler);\n  router.post('/authorize', authorizePostHandler);\n  router.post('/token', tokenHandler);\n\n  // Health check endpoint\n  router.get(\n    '/',\n    defineEventHandler(() => {\n      return { status: 'ok', service: 'productive-mcp', version: VERSION };\n    })\n  );\n\n  router.get(\n    '/health',\n    defineEventHandler(() => {\n      return { status: 'ok' };\n    })\n  );\n\n  // MCP endpoint - handles JSON-RPC over HTTP\n  router.post(\n    '/mcp',\n    defineEventHandler(async (event) => {\n      // Parse authorization header\n      const authHeader = getHeader(event, 'authorization');\n      const credentials = parseAuthHeader(authHeader);\n\n      if (!credentials) {\n        setResponseHeader(event, 'Content-Type', 'application/json');\n        event.node.res.statusCode = 401;\n        return jsonRpcError(\n          -32001,\n          'Authentication required. Provide Bearer token with base64(organizationId:apiToken:userId)'\n        );\n      }\n\n      setResponseHeader(event, 'Content-Type', 'application/json');\n\n      // Parse JSON-RPC request\n      let body: { method?: string; params?: unknown; id?: string | number };\n      try {\n        body = await readBody(event);\n      } catch {\n        event.node.res.statusCode = 400;\n        return jsonRpcError(-32700, 'Parse error: Invalid JSON');\n      }\n\n      if (!body || typeof body !== 'object') {\n        event.node.res.statusCode = 400;\n        return jsonRpcError(-32700, 'Parse error: Invalid JSON');\n      }\n\n      const { method, params, id } = body;\n\n      try {\n        if (method === 'initialize') {\n          return jsonRpcSuccess(handleInitialize(), id ?? null);\n        }\n\n        if (method === 'tools/list') {\n          return jsonRpcSuccess(handleToolsList(), id ?? null);\n        }\n\n        if (method === 'tools/call') {\n          const { name, arguments: args } = params as {\n            name: string;\n            arguments?: Record<string, unknown>;\n          };\n          const result = await executeToolWithCredentials(name, args || {}, credentials);\n          return jsonRpcSuccess(result, id ?? null);\n        }\n\n        // Unknown method\n        return jsonRpcError(-32601, `Method not found: ${method}`, id ?? null);\n      } catch (error) {\n        const message = error instanceof Error ? error.message : String(error);\n        return jsonRpcError(-32603, `Internal error: ${message}`, id ?? null);\n      }\n    })\n  );\n\n  // SSE endpoint for server-sent events (optional, for streaming responses)\n  router.get(\n    '/mcp/sse',\n    defineEventHandler(async (event) => {\n      const authHeader = getHeader(event, 'authorization');\n      const credentials = parseAuthHeader(authHeader);\n\n      if (!credentials) {\n        event.node.res.statusCode = 401;\n        return { error: 'Authentication required' };\n      }\n\n      // Set SSE headers\n      setResponseHeader(event, 'Content-Type', 'text/event-stream');\n      setResponseHeader(event, 'Cache-Control', 'no-cache');\n      setResponseHeader(event, 'Connection', 'keep-alive');\n\n      // Generate session ID and send it\n      const sessionId = crypto.randomUUID();\n\n      // Send initial session event\n      event.node.res.write(`event: session\\ndata: ${JSON.stringify({ sessionId })}\\n\\n`);\n\n      // Keep connection alive\n      const keepAlive = setInterval(() => {\n        event.node.res.write(': keepalive\\n\\n');\n      }, 30000);\n\n      // Clean up on close\n      event.node.req.on('close', () => {\n        clearInterval(keepAlive);\n      });\n\n      // Don't end the response - keep it open for SSE\n      return new Promise(() => {});\n    })\n  );\n\n  app.use(router);\n  return app;\n}\n"],"names":[],"mappings":";;;;;;AAgCO,SAAS,aAAa,MAAc,SAAiB,KAA6B,MAAM;AAC7F,SAAO;AAAA,IACL,SAAS;AAAA,IACT,OAAO,EAAE,MAAM,QAAA;AAAA,IACf;AAAA,EAAA;AAEJ;AAKO,SAAS,eAAe,QAAiB,KAA6B,MAAM;AACjF,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA;AAAA,EAAA;AAEJ;AAKO,SAAS,mBAAmB;AACjC,SAAO;AAAA,IACL,iBAAiB;AAAA,IACjB,YAAY;AAAA,MACV,MAAM;AAAA,MACN,SAAS;AAAA,IAAA;AAAA,IAEX,cAAc;AAAA,MACZ,OAAO,CAAA;AAAA,IAAC;AAAA,EACV;AAEJ;AAKO,SAAS,kBAAkB;AAChC,SAAO,EAAE,OAAO,MAAA;AAClB;AAKO,SAAS,gBAAqB;AACnC,QAAM,MAAM,UAAA;AACZ,QAAM,SAAS,aAAA;AAGf,SAAO,IAAI,2CAA2C,oBAAoB;AAC1E,SAAO,KAAK,aAAa,eAAe;AACxC,SAAO,IAAI,cAAc,mBAAmB;AAC5C,SAAO,KAAK,cAAc,oBAAoB;AAC9C,SAAO,KAAK,UAAU,YAAY;AAGlC,SAAO;AAAA,IACL;AAAA,IACA,mBAAmB,MAAM;AACvB,aAAO,EAAE,QAAQ,MAAM,SAAS,kBAAkB,SAAS,QAAA;AAAA,IAC7D,CAAC;AAAA,EAAA;AAGH,SAAO;AAAA,IACL;AAAA,IACA,mBAAmB,MAAM;AACvB,aAAO,EAAE,QAAQ,KAAA;AAAA,IACnB,CAAC;AAAA,EAAA;AAIH,SAAO;AAAA,IACL;AAAA,IACA,mBAAmB,OAAO,UAAU;AAElC,YAAM,aAAa,UAAU,OAAO,eAAe;AACnD,YAAM,cAAc,gBAAgB,UAAU;AAE9C,UAAI,CAAC,aAAa;AAChB,0BAAkB,OAAO,gBAAgB,kBAAkB;AAC3D,cAAM,KAAK,IAAI,aAAa;AAC5B,eAAO;AAAA,UACL;AAAA,UACA;AAAA,QAAA;AAAA,MAEJ;AAEA,wBAAkB,OAAO,gBAAgB,kBAAkB;AAG3D,UAAI;AACJ,UAAI;AACF,eAAO,MAAM,SAAS,KAAK;AAAA,MAC7B,QAAQ;AACN,cAAM,KAAK,IAAI,aAAa;AAC5B,eAAO,aAAa,QAAQ,2BAA2B;AAAA,MACzD;AAEA,UAAI,CAAC,QAAQ,OAAO,SAAS,UAAU;AACrC,cAAM,KAAK,IAAI,aAAa;AAC5B,eAAO,aAAa,QAAQ,2BAA2B;AAAA,MACzD;AAEA,YAAM,EAAE,QAAQ,QAAQ,GAAA,IAAO;AAE/B,UAAI;AACF,YAAI,WAAW,cAAc;AAC3B,iBAAO,eAAe,oBAAoB,MAAM,IAAI;AAAA,QACtD;AAEA,YAAI,WAAW,cAAc;AAC3B,iBAAO,eAAe,mBAAmB,MAAM,IAAI;AAAA,QACrD;AAEA,YAAI,WAAW,cAAc;AAC3B,gBAAM,EAAE,MAAM,WAAW,KAAA,IAAS;AAIlC,gBAAM,SAAS,MAAM,2BAA2B,MAAM,QAAQ,CAAA,GAAI,WAAW;AAC7E,iBAAO,eAAe,QAAQ,MAAM,IAAI;AAAA,QAC1C;AAGA,eAAO,aAAa,QAAQ,qBAAqB,MAAM,IAAI,MAAM,IAAI;AAAA,MACvE,SAAS,OAAO;AACd,cAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACrE,eAAO,aAAa,QAAQ,mBAAmB,OAAO,IAAI,MAAM,IAAI;AAAA,MACtE;AAAA,IACF,CAAC;AAAA,EAAA;AAIH,SAAO;AAAA,IACL;AAAA,IACA,mBAAmB,OAAO,UAAU;AAClC,YAAM,aAAa,UAAU,OAAO,eAAe;AACnD,YAAM,cAAc,gBAAgB,UAAU;AAE9C,UAAI,CAAC,aAAa;AAChB,cAAM,KAAK,IAAI,aAAa;AAC5B,eAAO,EAAE,OAAO,0BAAA;AAAA,MAClB;AAGA,wBAAkB,OAAO,gBAAgB,mBAAmB;AAC5D,wBAAkB,OAAO,iBAAiB,UAAU;AACpD,wBAAkB,OAAO,cAAc,YAAY;AAGnD,YAAM,YAAY,OAAO,WAAA;AAGzB,YAAM,KAAK,IAAI,MAAM;AAAA,QAAyB,KAAK,UAAU,EAAE,WAAW,CAAC;AAAA;AAAA,CAAM;AAGjF,YAAM,YAAY,YAAY,MAAM;AAClC,cAAM,KAAK,IAAI,MAAM,iBAAiB;AAAA,MACxC,GAAG,GAAK;AAGR,YAAM,KAAK,IAAI,GAAG,SAAS,MAAM;AAC/B,sBAAc,SAAS;AAAA,MACzB,CAAC;AAGD,aAAO,IAAI,QAAQ,MAAM;AAAA,MAAC,CAAC;AAAA,IAC7B,CAAC;AAAA,EAAA;AAGH,MAAI,IAAI,MAAM;AACd,SAAO;AACT;"}

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AAgBnE;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CA6C1C;AAED;;GAEG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC,CAKtD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AAiBnE;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CA6C1C;AAED;;GAEG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC,CAKtD"}

package/dist/index.js

@@ -3,11 +3,12 @@ import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { ListToolsRequestSchema, ListPromptsRequestSchema, GetPromptRequestSchema, CallToolRequestSchema } from "@modelcontextprotocol/sdk/types.js";
 import { getAvailableTools, getAvailablePrompts, handlePrompt, handleToolCall } from "./stdio.js";
+import { V as VERSION } from "./version-uWLfG4Z0.js";
 function createStdioServer() {
   const server = new Server(
     {
       name: "productive-mcp",
-      version: "0.1.0"
+      version: VERSION
     },
     {
       capabilities: {

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sources":["../src/index.ts"],"sourcesContent":["#!/usr/bin/env node\n\n/**\n * Productive MCP Server - Stdio Transport\n *\n * This is the local execution mode using stdio transport.\n * For remote HTTP deployment, use server.ts instead.\n *\n * Usage:\n *   npx @studiometa/productive-mcp\n *\n * Or in Claude Desktop config:\n *   {\n *     \"mcpServers\": {\n *       \"productive\": {\n *         \"command\": \"npx\",\n *         \"args\": [\"@studiometa/productive-mcp\"]\n *       }\n *     }\n *   }\n */\n\nimport { Server } from '@modelcontextprotocol/sdk/server/index.js';\nimport { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';\nimport {\n  CallToolRequestSchema,\n  ListToolsRequestSchema,\n  ListPromptsRequestSchema,\n  GetPromptRequestSchema,\n} from '@modelcontextprotocol/sdk/types.js';\n\nimport {\n  getAvailableTools,\n  getAvailablePrompts,\n  handleToolCall,\n  handlePrompt,\n} from './stdio.js';\n\n/**\n * Create and configure the MCP server\n */\nexport function createStdioServer(): Server {\n  const server = new Server(\n    {\n      name: 'productive-mcp',\n      version: '0.1.0',\n    },\n    {\n      capabilities: {\n        tools: {},\n        prompts: {},\n      },\n    }\n  );\n\n  // List available tools (including stdio-only configuration tools)\n  server.setRequestHandler(ListToolsRequestSchema, async () => {\n    return { tools: getAvailableTools() };\n  });\n\n  // List available prompts\n  server.setRequestHandler(ListPromptsRequestSchema, async () => {\n    return { prompts: getAvailablePrompts() };\n  });\n\n  // Get prompt\n  server.setRequestHandler(GetPromptRequestSchema, async (request) => {\n    return handlePrompt(request.params.name);\n  });\n\n  // Handle tool calls\n  server.setRequestHandler(CallToolRequestSchema, async (request) => {\n    const { name, arguments: args } = request.params;\n\n    try {\n      return await handleToolCall(name, (args as Record<string, unknown>) || {});\n    } catch (error) {\n      const message = error instanceof Error ? error.message : String(error);\n      return {\n        content: [{ type: 'text', text: `Error: ${message}` }],\n        isError: true,\n      };\n    }\n  });\n\n  return server;\n}\n\n/**\n * Start the stdio server\n */\nexport async function startStdioServer(): Promise<void> {\n  const server = createStdioServer();\n  const transport = new StdioServerTransport();\n  await server.connect(transport);\n  console.error('Productive MCP server running on stdio');\n}\n\n// Start server when run directly\nconst isMainModule = import.meta.url === `file://${process.argv[1]}` ||\n  process.argv[1]?.endsWith('/productive-mcp') ||\n  process.argv[1]?.endsWith('\\\\productive-mcp');\n\nif (isMainModule) {\n  startStdioServer().catch((error) => {\n    console.error('Fatal error:', error);\n    process.exit(1);\n  });\n}\n"],"names":[],"mappings":";;;;;AAyCO,SAAS,oBAA4B;AAC1C,QAAM,SAAS,IAAI;AAAA,IACjB;AAAA,MACE,MAAM;AAAA,MACN,SAAS;AAAA,IAAA;AAAA,IAEX;AAAA,MACE,cAAc;AAAA,QACZ,OAAO,CAAA;AAAA,QACP,SAAS,CAAA;AAAA,MAAC;AAAA,IACZ;AAAA,EACF;AAIF,SAAO,kBAAkB,wBAAwB,YAAY;AAC3D,WAAO,EAAE,OAAO,oBAAkB;AAAA,EACpC,CAAC;AAGD,SAAO,kBAAkB,0BAA0B,YAAY;AAC7D,WAAO,EAAE,SAAS,sBAAoB;AAAA,EACxC,CAAC;AAGD,SAAO,kBAAkB,wBAAwB,OAAO,YAAY;AAClE,WAAO,aAAa,QAAQ,OAAO,IAAI;AAAA,EACzC,CAAC;AAGD,SAAO,kBAAkB,uBAAuB,OAAO,YAAY;AACjE,UAAM,EAAE,MAAM,WAAW,KAAA,IAAS,QAAQ;AAE1C,QAAI;AACF,aAAO,MAAM,eAAe,MAAO,QAAoC,CAAA,CAAE;AAAA,IAC3E,SAAS,OAAO;AACd,YAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACrE,aAAO;AAAA,QACL,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,UAAU,OAAO,IAAI;AAAA,QACrD,SAAS;AAAA,MAAA;AAAA,IAEb;AAAA,EACF,CAAC;AAED,SAAO;AACT;AAKA,eAAsB,mBAAkC;AACtD,QAAM,SAAS,kBAAA;AACf,QAAM,YAAY,IAAI,qBAAA;AACtB,QAAM,OAAO,QAAQ,SAAS;AAC9B,UAAQ,MAAM,wCAAwC;AACxD;AAGA,MAAM,eAAe,YAAY,QAAQ,UAAU,QAAQ,KAAK,CAAC,CAAC,MAChE,QAAQ,KAAK,CAAC,GAAG,SAAS,iBAAiB,KAC3C,QAAQ,KAAK,CAAC,GAAG,SAAS,kBAAkB;AAE9C,IAAI,cAAc;AAChB,mBAAA,EAAmB,MAAM,CAAC,UAAU;AAClC,YAAQ,MAAM,gBAAgB,KAAK;AACnC,YAAQ,KAAK,CAAC;AAAA,EAChB,CAAC;AACH;"}
+{"version":3,"file":"index.js","sources":["../src/index.ts"],"sourcesContent":["#!/usr/bin/env node\n\n/**\n * Productive MCP Server - Stdio Transport\n *\n * This is the local execution mode using stdio transport.\n * For remote HTTP deployment, use server.ts instead.\n *\n * Usage:\n *   npx @studiometa/productive-mcp\n *\n * Or in Claude Desktop config:\n *   {\n *     \"mcpServers\": {\n *       \"productive\": {\n *         \"command\": \"npx\",\n *         \"args\": [\"@studiometa/productive-mcp\"]\n *       }\n *     }\n *   }\n */\n\nimport { Server } from '@modelcontextprotocol/sdk/server/index.js';\nimport { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';\nimport {\n  CallToolRequestSchema,\n  ListToolsRequestSchema,\n  ListPromptsRequestSchema,\n  GetPromptRequestSchema,\n} from '@modelcontextprotocol/sdk/types.js';\n\nimport {\n  getAvailableTools,\n  getAvailablePrompts,\n  handleToolCall,\n  handlePrompt,\n} from './stdio.js';\nimport { VERSION } from './version.js';\n\n/**\n * Create and configure the MCP server\n */\nexport function createStdioServer(): Server {\n  const server = new Server(\n    {\n      name: 'productive-mcp',\n      version: VERSION,\n    },\n    {\n      capabilities: {\n        tools: {},\n        prompts: {},\n      },\n    }\n  );\n\n  // List available tools (including stdio-only configuration tools)\n  server.setRequestHandler(ListToolsRequestSchema, async () => {\n    return { tools: getAvailableTools() };\n  });\n\n  // List available prompts\n  server.setRequestHandler(ListPromptsRequestSchema, async () => {\n    return { prompts: getAvailablePrompts() };\n  });\n\n  // Get prompt\n  server.setRequestHandler(GetPromptRequestSchema, async (request) => {\n    return handlePrompt(request.params.name);\n  });\n\n  // Handle tool calls\n  server.setRequestHandler(CallToolRequestSchema, async (request) => {\n    const { name, arguments: args } = request.params;\n\n    try {\n      return await handleToolCall(name, (args as Record<string, unknown>) || {});\n    } catch (error) {\n      const message = error instanceof Error ? error.message : String(error);\n      return {\n        content: [{ type: 'text', text: `Error: ${message}` }],\n        isError: true,\n      };\n    }\n  });\n\n  return server;\n}\n\n/**\n * Start the stdio server\n */\nexport async function startStdioServer(): Promise<void> {\n  const server = createStdioServer();\n  const transport = new StdioServerTransport();\n  await server.connect(transport);\n  console.error('Productive MCP server running on stdio');\n}\n\n// Start server when run directly\nconst isMainModule = import.meta.url === `file://${process.argv[1]}` ||\n  process.argv[1]?.endsWith('/productive-mcp') ||\n  process.argv[1]?.endsWith('\\\\productive-mcp');\n\nif (isMainModule) {\n  startStdioServer().catch((error) => {\n    console.error('Fatal error:', error);\n    process.exit(1);\n  });\n}\n"],"names":[],"mappings":";;;;;;AA0CO,SAAS,oBAA4B;AAC1C,QAAM,SAAS,IAAI;AAAA,IACjB;AAAA,MACE,MAAM;AAAA,MACN,SAAS;AAAA,IAAA;AAAA,IAEX;AAAA,MACE,cAAc;AAAA,QACZ,OAAO,CAAA;AAAA,QACP,SAAS,CAAA;AAAA,MAAC;AAAA,IACZ;AAAA,EACF;AAIF,SAAO,kBAAkB,wBAAwB,YAAY;AAC3D,WAAO,EAAE,OAAO,oBAAkB;AAAA,EACpC,CAAC;AAGD,SAAO,kBAAkB,0BAA0B,YAAY;AAC7D,WAAO,EAAE,SAAS,sBAAoB;AAAA,EACxC,CAAC;AAGD,SAAO,kBAAkB,wBAAwB,OAAO,YAAY;AAClE,WAAO,aAAa,QAAQ,OAAO,IAAI;AAAA,EACzC,CAAC;AAGD,SAAO,kBAAkB,uBAAuB,OAAO,YAAY;AACjE,UAAM,EAAE,MAAM,WAAW,KAAA,IAAS,QAAQ;AAE1C,QAAI;AACF,aAAO,MAAM,eAAe,MAAO,QAAoC,CAAA,CAAE;AAAA,IAC3E,SAAS,OAAO;AACd,YAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AACrE,aAAO;AAAA,QACL,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,UAAU,OAAO,IAAI;AAAA,QACrD,SAAS;AAAA,MAAA;AAAA,IAEb;AAAA,EACF,CAAC;AAED,SAAO;AACT;AAKA,eAAsB,mBAAkC;AACtD,QAAM,SAAS,kBAAA;AACf,QAAM,YAAY,IAAI,qBAAA;AACtB,QAAM,OAAO,QAAQ,SAAS;AAC9B,UAAQ,MAAM,wCAAwC;AACxD;AAGA,MAAM,eAAe,YAAY,QAAQ,UAAU,QAAQ,KAAK,CAAC,CAAC,MAChE,QAAQ,KAAK,CAAC,GAAG,SAAS,iBAAiB,KAC3C,QAAQ,KAAK,CAAC,GAAG,SAAS,kBAAkB;AAE9C,IAAI,cAAc;AAChB,mBAAA,EAAmB,MAAM,CAAC,UAAU;AAClC,YAAQ,MAAM,gBAAgB,KAAK;AACnC,YAAQ,KAAK,CAAC;AAAA,EAChB,CAAC;AACH;"}

package/dist/oauth.d.ts

@@ -0,0 +1,95 @@
+/**
+ * OAuth 2.0 endpoints for Claude Desktop integration
+ *
+ * Implements OAuth 2.1 with PKCE as specified in the MCP authorization spec.
+ * Uses stateless encrypted tokens - no server-side storage required.
+ *
+ * Spec: https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization
+ *
+ * Flow:
+ * 1. Claude redirects user to /authorize with OAuth params (including PKCE)
+ * 2. User enters Productive credentials in login form
+ * 3. Server encrypts credentials + PKCE challenge into authorization code
+ * 4. Redirects back to Claude with the code
+ * 5. Claude exchanges code for access token via /token (with code_verifier)
+ * 6. Server validates PKCE and returns access token
+ */
+/**
+ * OAuth metadata for discovery (RFC 8414)
+ * GET /.well-known/oauth-authorization-server
+ *
+ * MCP clients MUST check this endpoint first for server capabilities.
+ */
+export declare const oauthMetadataHandler: import("h3").EventHandler<import("h3").EventHandlerRequest, {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    response_types_supported: string[];
+    grant_types_supported: string[];
+    code_challenge_methods_supported: string[];
+    token_endpoint_auth_methods_supported: string[];
+    registration_endpoint: string;
+    scopes_supported: string[];
+    service_documentation: string;
+}>;
+/**
+ * Dynamic Client Registration endpoint (RFC 7591)
+ * POST /register
+ *
+ * MCP servers SHOULD support DCR to allow clients to register automatically.
+ * Since we use stateless tokens, we accept any registration and return
+ * a generated client_id.
+ */
+export declare const registerHandler: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    error: string;
+    error_description: string;
+    client_id?: undefined;
+    client_name?: undefined;
+    redirect_uris?: undefined;
+    token_endpoint_auth_method?: undefined;
+    grant_types?: undefined;
+    response_types?: undefined;
+} | {
+    client_id: string;
+    client_name: string;
+    redirect_uris: string[];
+    token_endpoint_auth_method: string;
+    grant_types: string[];
+    response_types: string[];
+    error?: undefined;
+    error_description?: undefined;
+}>>;
+/**
+ * Authorization endpoint - shows login form
+ * GET /authorize
+ */
+export declare const authorizeGetHandler: import("h3").EventHandler<import("h3").EventHandlerRequest, string | Promise<void>>;
+/**
+ * Authorization endpoint - process login
+ * POST /authorize
+ */
+export declare const authorizePostHandler: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<string | void>>;
+/**
+ * Token endpoint - exchange code for access token
+ * POST /token
+ *
+ * Supports:
+ * - authorization_code grant (with PKCE validation)
+ * - refresh_token grant
+ */
+export declare const tokenHandler: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
+    error: string;
+    error_description: string;
+    access_token?: undefined;
+    token_type?: undefined;
+    expires_in?: undefined;
+    refresh_token?: undefined;
+} | {
+    access_token: string;
+    token_type: string;
+    expires_in: number;
+    refresh_token: string;
+    error?: undefined;
+    error_description?: undefined;
+}>>;
+//# sourceMappingURL=oauth.d.ts.map

package/dist/oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAcH;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB;;;;;;;;;;;EAyB/B,CAAC;AAEH;;;;;;;GAOG;AACH,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;;GAoC1B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,mBAAmB,qFA+C9B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,oBAAoB,qFAgE/B,CAAC;AAEH;;;;;;;GAOG;AACH,eAAO,MAAM,YAAY;;;;;;;;;;;;;;GA+FvB,CAAC"}

package/dist/oauth.js

@@ -0,0 +1,492 @@
+import { createHash } from "node:crypto";
+import { defineEventHandler, setResponseHeader, readBody, getQuery, sendRedirect } from "h3";
+import { createAuthCode, decodeAuthCode } from "./crypto.js";
+import { createAuthToken } from "./auth.js";
+const oauthMetadataHandler = defineEventHandler((event) => {
+  const host = event.node.req.headers.host || "localhost:3000";
+  const protocol = event.node.req.headers["x-forwarded-proto"] || "http";
+  const baseUrl = `${protocol}://${host}`;
+  setResponseHeader(event, "Content-Type", "application/json");
+  setResponseHeader(event, "Cache-Control", "public, max-age=3600");
+  return {
+    // Required fields per RFC 8414
+    issuer: baseUrl,
+    authorization_endpoint: `${baseUrl}/authorize`,
+    token_endpoint: `${baseUrl}/token`,
+    response_types_supported: ["code"],
+    // OAuth 2.1 / MCP requirements
+    grant_types_supported: ["authorization_code", "refresh_token"],
+    code_challenge_methods_supported: ["S256"],
+    token_endpoint_auth_methods_supported: ["none"],
+    // Public client
+    // Optional but useful
+    registration_endpoint: `${baseUrl}/register`,
+    scopes_supported: ["productive"],
+    service_documentation: "https://github.com/studiometa/productive-tools"
+  };
+});
+const registerHandler = defineEventHandler(async (event) => {
+  setResponseHeader(event, "Content-Type", "application/json");
+  let body;
+  try {
+    body = await readBody(event);
+  } catch {
+    event.node.res.statusCode = 400;
+    return {
+      error: "invalid_request",
+      error_description: "Invalid JSON body"
+    };
+  }
+  const clientName = body.client_name || "MCP Client";
+  const redirectUris = body.redirect_uris || [];
+  const clientId = Buffer.from(
+    JSON.stringify({
+      name: clientName,
+      ts: Date.now()
+    })
+  ).toString("base64url");
+  event.node.res.statusCode = 201;
+  return {
+    client_id: clientId,
+    client_name: clientName,
+    redirect_uris: redirectUris,
+    token_endpoint_auth_method: "none",
+    grant_types: ["authorization_code", "refresh_token"],
+    response_types: ["code"]
+  };
+});
+const authorizeGetHandler = defineEventHandler((event) => {
+  const query = getQuery(event);
+  query.client_id;
+  const redirectUri = query.redirect_uri;
+  const state = query.state;
+  const codeChallenge = query.code_challenge;
+  const codeChallengeMethod = query.code_challenge_method;
+  query.scope;
+  if (!redirectUri) {
+    setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
+    event.node.res.statusCode = 400;
+    return renderErrorPage("Missing required parameter: redirect_uri");
+  }
+  if (!codeChallenge) {
+    const errorUrl = new URL(redirectUri);
+    errorUrl.searchParams.set("error", "invalid_request");
+    errorUrl.searchParams.set("error_description", "code_challenge is required");
+    if (state) errorUrl.searchParams.set("state", state);
+    return sendRedirect(event, errorUrl.toString());
+  }
+  if (codeChallengeMethod && codeChallengeMethod !== "S256") {
+    const errorUrl = new URL(redirectUri);
+    errorUrl.searchParams.set("error", "invalid_request");
+    errorUrl.searchParams.set("error_description", "Only S256 code_challenge_method is supported");
+    if (state) errorUrl.searchParams.set("state", state);
+    return sendRedirect(event, errorUrl.toString());
+  }
+  setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
+  return renderLoginForm({
+    redirectUri,
+    state,
+    codeChallenge,
+    codeChallengeMethod: codeChallengeMethod || "S256"
+  });
+});
+const authorizePostHandler = defineEventHandler(async (event) => {
+  const body = await readBody(event);
+  const {
+    orgId,
+    apiToken,
+    userId,
+    redirectUri,
+    state,
+    codeChallenge,
+    codeChallengeMethod
+  } = body;
+  if (!redirectUri) {
+    setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
+    event.node.res.statusCode = 400;
+    return renderErrorPage("Missing redirect_uri parameter");
+  }
+  try {
+    const uri = new URL(redirectUri);
+    const isLocalhost = uri.hostname === "localhost" || uri.hostname === "127.0.0.1";
+    const isHttps = uri.protocol === "https:";
+    if (!isLocalhost && !isHttps) {
+      event.node.res.statusCode = 400;
+      return renderErrorPage("redirect_uri must be HTTPS or localhost");
+    }
+  } catch {
+    event.node.res.statusCode = 400;
+    return renderErrorPage("Invalid redirect_uri format");
+  }
+  if (!orgId || !apiToken) {
+    setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
+    return renderLoginForm({
+      redirectUri,
+      state,
+      codeChallenge,
+      codeChallengeMethod,
+      error: "Organization ID and API Token are required"
+    });
+  }
+  const code = createAuthCode({
+    orgId,
+    apiToken,
+    userId: userId || void 0,
+    codeChallenge,
+    codeChallengeMethod: codeChallengeMethod || "S256"
+  });
+  const redirectUrl = new URL(redirectUri);
+  redirectUrl.searchParams.set("code", code);
+  if (state) {
+    redirectUrl.searchParams.set("state", state);
+  }
+  return sendRedirect(event, redirectUrl.toString());
+});
+const tokenHandler = defineEventHandler(async (event) => {
+  setResponseHeader(event, "Content-Type", "application/json");
+  let body;
+  const contentType = event.node.req.headers["content-type"] || "";
+  if (contentType.includes("application/x-www-form-urlencoded")) {
+    const rawBody = await readBody(event);
+    if (typeof rawBody === "string") {
+      body = Object.fromEntries(new URLSearchParams(rawBody));
+    } else {
+      body = rawBody;
+    }
+  } else {
+    body = await readBody(event);
+  }
+  const { grant_type, code, code_verifier, refresh_token } = body;
+  if (grant_type === "refresh_token") {
+    return handleRefreshToken(event, refresh_token);
+  }
+  if (grant_type !== "authorization_code") {
+    event.node.res.statusCode = 400;
+    return {
+      error: "unsupported_grant_type",
+      error_description: "Supported grant types: authorization_code, refresh_token"
+    };
+  }
+  if (!code) {
+    event.node.res.statusCode = 400;
+    return {
+      error: "invalid_request",
+      error_description: "Missing authorization code"
+    };
+  }
+  if (!code_verifier) {
+    event.node.res.statusCode = 400;
+    return {
+      error: "invalid_request",
+      error_description: "Missing code_verifier (PKCE required)"
+    };
+  }
+  try {
+    const payload = decodeAuthCode(code);
+    if (payload.codeChallenge) {
+      const expectedChallenge = createS256Challenge(code_verifier);
+      if (expectedChallenge !== payload.codeChallenge) {
+        event.node.res.statusCode = 400;
+        return {
+          error: "invalid_grant",
+          error_description: "Invalid code_verifier"
+        };
+      }
+    }
+    const accessToken = createAuthToken({
+      organizationId: payload.orgId,
+      apiToken: payload.apiToken,
+      userId: payload.userId
+    });
+    const refreshToken = createAuthCode(
+      {
+        orgId: payload.orgId,
+        apiToken: payload.apiToken,
+        userId: payload.userId
+      },
+      86400 * 30
+      // 30 days
+    );
+    return {
+      access_token: accessToken,
+      token_type: "Bearer",
+      expires_in: 3600,
+      // 1 hour (access tokens should be short-lived)
+      refresh_token: refreshToken
+    };
+  } catch (error) {
+    event.node.res.statusCode = 400;
+    return {
+      error: "invalid_grant",
+      error_description: error instanceof Error ? error.message : "Invalid authorization code"
+    };
+  }
+});
+function handleRefreshToken(event, refreshToken) {
+  if (!refreshToken) {
+    event.node.res.statusCode = 400;
+    return {
+      error: "invalid_request",
+      error_description: "Missing refresh_token"
+    };
+  }
+  try {
+    const payload = decodeAuthCode(refreshToken);
+    const accessToken = createAuthToken({
+      organizationId: payload.orgId,
+      apiToken: payload.apiToken,
+      userId: payload.userId
+    });
+    const newRefreshToken = createAuthCode(
+      {
+        orgId: payload.orgId,
+        apiToken: payload.apiToken,
+        userId: payload.userId
+      },
+      86400 * 30
+      // 30 days
+    );
+    return {
+      access_token: accessToken,
+      token_type: "Bearer",
+      expires_in: 3600,
+      refresh_token: newRefreshToken
+    };
+  } catch (error) {
+    event.node.res.statusCode = 400;
+    return {
+      error: "invalid_grant",
+      error_description: error instanceof Error ? error.message : "Invalid refresh token"
+    };
+  }
+}
+function createS256Challenge(codeVerifier) {
+  return createHash("sha256").update(codeVerifier).digest("base64url");
+}
+function renderLoginForm(params) {
+  const { redirectUri, state, codeChallenge, codeChallengeMethod, error } = params;
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Connect to Productive.io</title>
+  <style>
+    * {
+      box-sizing: border-box;
+      margin: 0;
+      padding: 0;
+    }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      padding: 20px;
+    }
+    .container {
+      background: white;
+      border-radius: 16px;
+      box-shadow: 0 20px 60px rgba(0, 0, 0, 0.3);
+      padding: 40px;
+      width: 100%;
+      max-width: 420px;
+    }
+    .logo {
+      text-align: center;
+      margin-bottom: 24px;
+    }
+    .logo svg {
+      width: 48px;
+      height: 48px;
+    }
+    h1 {
+      text-align: center;
+      color: #1a1a2e;
+      font-size: 24px;
+      margin-bottom: 8px;
+    }
+    .subtitle {
+      text-align: center;
+      color: #666;
+      font-size: 14px;
+      margin-bottom: 32px;
+    }
+    .error {
+      background: #fee2e2;
+      border: 1px solid #fecaca;
+      color: #dc2626;
+      padding: 12px 16px;
+      border-radius: 8px;
+      margin-bottom: 24px;
+      font-size: 14px;
+    }
+    .form-group {
+      margin-bottom: 20px;
+    }
+    label {
+      display: block;
+      font-size: 14px;
+      font-weight: 500;
+      color: #374151;
+      margin-bottom: 6px;
+    }
+    input {
+      width: 100%;
+      padding: 12px 16px;
+      border: 1px solid #d1d5db;
+      border-radius: 8px;
+      font-size: 16px;
+      transition: border-color 0.2s, box-shadow 0.2s;
+    }
+    input:focus {
+      outline: none;
+      border-color: #667eea;
+      box-shadow: 0 0 0 3px rgba(102, 126, 234, 0.2);
+    }
+    input::placeholder {
+      color: #9ca3af;
+    }
+    .help-text {
+      font-size: 12px;
+      color: #6b7280;
+      margin-top: 4px;
+    }
+    button {
+      width: 100%;
+      padding: 14px 24px;
+      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+      color: white;
+      border: none;
+      border-radius: 8px;
+      font-size: 16px;
+      font-weight: 600;
+      cursor: pointer;
+      transition: transform 0.2s, box-shadow 0.2s;
+    }
+    button:hover {
+      transform: translateY(-1px);
+      box-shadow: 0 4px 12px rgba(102, 126, 234, 0.4);
+    }
+    button:active {
+      transform: translateY(0);
+    }
+    .footer {
+      text-align: center;
+      margin-top: 24px;
+      font-size: 12px;
+      color: #9ca3af;
+    }
+    .footer a {
+      color: #667eea;
+      text-decoration: none;
+    }
+    .footer a:hover {
+      text-decoration: underline;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="logo">
+      <svg viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+        <path d="M12 2L2 7L12 12L22 7L12 2Z" stroke="#667eea" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+        <path d="M2 17L12 22L22 17" stroke="#764ba2" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+        <path d="M2 12L12 17L22 12" stroke="#667eea" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+      </svg>
+    </div>
+    <h1>Connect to Productive.io</h1>
+    <p class="subtitle">Enter your Productive.io credentials to connect with Claude</p>
+    
+    ${error ? `<div class="error">${escapeHtml(error)}</div>` : ""}
+    
+    <form method="POST" action="/authorize">
+      <input type="hidden" name="redirectUri" value="${escapeHtml(redirectUri || "")}">
+      <input type="hidden" name="state" value="${escapeHtml(state || "")}">
+      <input type="hidden" name="codeChallenge" value="${escapeHtml(codeChallenge || "")}">
+      <input type="hidden" name="codeChallengeMethod" value="${escapeHtml(codeChallengeMethod || "S256")}">
+      
+      <div class="form-group">
+        <label for="orgId">Organization ID *</label>
+        <input type="text" id="orgId" name="orgId" required placeholder="e.g., 12345">
+        <p class="help-text">Found in Settings → API integrations</p>
+      </div>
+      
+      <div class="form-group">
+        <label for="apiToken">API Token *</label>
+        <input type="password" id="apiToken" name="apiToken" required placeholder="pk_...">
+        <p class="help-text">Generate at Settings → API integrations → Generate new token</p>
+      </div>
+      
+      <div class="form-group">
+        <label for="userId">User ID (optional)</label>
+        <input type="text" id="userId" name="userId" placeholder="e.g., 67890">
+        <p class="help-text">Required for creating time entries. Found in your profile URL.</p>
+      </div>
+      
+      <button type="submit">Connect to Productive</button>
+    </form>
+    
+    <p class="footer">
+      Your credentials are encrypted and sent directly to Claude.<br>
+      <a href="https://developer.productive.io" target="_blank">Productive.io API Documentation</a>
+    </p>
+  </div>
+</body>
+</html>`;
+}
+function renderErrorPage(message) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Error - Productive MCP</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      background: #f3f4f6;
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      padding: 20px;
+    }
+    .container {
+      background: white;
+      border-radius: 16px;
+      box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
+      padding: 40px;
+      text-align: center;
+      max-width: 400px;
+    }
+    h1 {
+      color: #dc2626;
+      margin-bottom: 16px;
+    }
+    p {
+      color: #6b7280;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>Error</h1>
+    <p>${escapeHtml(message)}</p>
+  </div>
+</body>
+</html>`;
+}
+function escapeHtml(str) {
+  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+}
+export {
+  authorizeGetHandler,
+  authorizePostHandler,
+  oauthMetadataHandler,
+  registerHandler,
+  tokenHandler
+};
+//# sourceMappingURL=oauth.js.map

package/dist/oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.js","sources":["../src/oauth.ts"],"sourcesContent":["/**\n * OAuth 2.0 endpoints for Claude Desktop integration\n *\n * Implements OAuth 2.1 with PKCE as specified in the MCP authorization spec.\n * Uses stateless encrypted tokens - no server-side storage required.\n *\n * Spec: https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization\n *\n * Flow:\n * 1. Claude redirects user to /authorize with OAuth params (including PKCE)\n * 2. User enters Productive credentials in login form\n * 3. Server encrypts credentials + PKCE challenge into authorization code\n * 4. Redirects back to Claude with the code\n * 5. Claude exchanges code for access token via /token (with code_verifier)\n * 6. Server validates PKCE and returns access token\n */\n\nimport { createHash } from 'node:crypto';\nimport {\n  defineEventHandler,\n  getQuery,\n  readBody,\n  sendRedirect,\n  setResponseHeader,\n  type H3Event,\n} from 'h3';\nimport { createAuthCode, decodeAuthCode } from './crypto.js';\nimport { createAuthToken } from './auth.js';\n\n/**\n * OAuth metadata for discovery (RFC 8414)\n * GET /.well-known/oauth-authorization-server\n *\n * MCP clients MUST check this endpoint first for server capabilities.\n */\nexport const oauthMetadataHandler = defineEventHandler((event: H3Event) => {\n  const host = event.node.req.headers.host || 'localhost:3000';\n  const protocol = event.node.req.headers['x-forwarded-proto'] || 'http';\n  const baseUrl = `${protocol}://${host}`;\n\n  setResponseHeader(event, 'Content-Type', 'application/json');\n  setResponseHeader(event, 'Cache-Control', 'public, max-age=3600');\n\n  return {\n    // Required fields per RFC 8414\n    issuer: baseUrl,\n    authorization_endpoint: `${baseUrl}/authorize`,\n    token_endpoint: `${baseUrl}/token`,\n    response_types_supported: ['code'],\n\n    // OAuth 2.1 / MCP requirements\n    grant_types_supported: ['authorization_code', 'refresh_token'],\n    code_challenge_methods_supported: ['S256'],\n    token_endpoint_auth_methods_supported: ['none'], // Public client\n\n    // Optional but useful\n    registration_endpoint: `${baseUrl}/register`,\n    scopes_supported: ['productive'],\n    service_documentation: 'https://github.com/studiometa/productive-tools',\n  };\n});\n\n/**\n * Dynamic Client Registration endpoint (RFC 7591)\n * POST /register\n *\n * MCP servers SHOULD support DCR to allow clients to register automatically.\n * Since we use stateless tokens, we accept any registration and return\n * a generated client_id.\n */\nexport const registerHandler = defineEventHandler(async (event: H3Event) => {\n  setResponseHeader(event, 'Content-Type', 'application/json');\n\n  let body: Record<string, unknown>;\n  try {\n    body = await readBody(event);\n  } catch {\n    event.node.res.statusCode = 400;\n    return {\n      error: 'invalid_request',\n      error_description: 'Invalid JSON body',\n    };\n  }\n\n  // Extract client metadata\n  const clientName = (body.client_name as string) || 'MCP Client';\n  const redirectUris = (body.redirect_uris as string[]) || [];\n\n  // Generate a client_id based on the registration\n  // Since we're stateless, we encode minimal info in the client_id\n  const clientId = Buffer.from(\n    JSON.stringify({\n      name: clientName,\n      ts: Date.now(),\n    })\n  ).toString('base64url');\n\n  event.node.res.statusCode = 201;\n  return {\n    client_id: clientId,\n    client_name: clientName,\n    redirect_uris: redirectUris,\n    token_endpoint_auth_method: 'none',\n    grant_types: ['authorization_code', 'refresh_token'],\n    response_types: ['code'],\n  };\n});\n\n/**\n * Authorization endpoint - shows login form\n * GET /authorize\n */\nexport const authorizeGetHandler = defineEventHandler((event: H3Event) => {\n  const query = getQuery(event);\n\n  // Extract OAuth parameters\n  const clientId = query.client_id as string;\n  const redirectUri = query.redirect_uri as string;\n  const state = query.state as string;\n  const codeChallenge = query.code_challenge as string;\n  const codeChallengeMethod = query.code_challenge_method as string;\n  const scope = query.scope as string;\n\n  // Validate required parameters per OAuth 2.1\n  if (!redirectUri) {\n    setResponseHeader(event, 'Content-Type', 'text/html; charset=utf-8');\n    event.node.res.statusCode = 400;\n    return renderErrorPage('Missing required parameter: redirect_uri');\n  }\n\n  // PKCE is REQUIRED for public clients per MCP spec\n  if (!codeChallenge) {\n    // Redirect back with error per OAuth spec\n    const errorUrl = new URL(redirectUri);\n    errorUrl.searchParams.set('error', 'invalid_request');\n    errorUrl.searchParams.set('error_description', 'code_challenge is required');\n    if (state) errorUrl.searchParams.set('state', state);\n    return sendRedirect(event, errorUrl.toString());\n  }\n\n  if (codeChallengeMethod && codeChallengeMethod !== 'S256') {\n    const errorUrl = new URL(redirectUri);\n    errorUrl.searchParams.set('error', 'invalid_request');\n    errorUrl.searchParams.set('error_description', 'Only S256 code_challenge_method is supported');\n    if (state) errorUrl.searchParams.set('state', state);\n    return sendRedirect(event, errorUrl.toString());\n  }\n\n  setResponseHeader(event, 'Content-Type', 'text/html; charset=utf-8');\n\n  // Render login form\n  return renderLoginForm({\n    clientId,\n    redirectUri,\n    state,\n    codeChallenge,\n    codeChallengeMethod: codeChallengeMethod || 'S256',\n    scope,\n  });\n});\n\n/**\n * Authorization endpoint - process login\n * POST /authorize\n */\nexport const authorizePostHandler = defineEventHandler(async (event: H3Event) => {\n  const body = await readBody(event);\n\n  const {\n    orgId,\n    apiToken,\n    userId,\n    redirectUri,\n    state,\n    codeChallenge,\n    codeChallengeMethod,\n  } = body;\n\n  // Validate redirect URI first (security requirement)\n  if (!redirectUri) {\n    setResponseHeader(event, 'Content-Type', 'text/html; charset=utf-8');\n    event.node.res.statusCode = 400;\n    return renderErrorPage('Missing redirect_uri parameter');\n  }\n\n  // Validate redirect URI format (must be HTTPS or localhost)\n  try {\n    const uri = new URL(redirectUri);\n    const isLocalhost = uri.hostname === 'localhost' || uri.hostname === '127.0.0.1';\n    const isHttps = uri.protocol === 'https:';\n    if (!isLocalhost && !isHttps) {\n      event.node.res.statusCode = 400;\n      return renderErrorPage('redirect_uri must be HTTPS or localhost');\n    }\n  } catch {\n    event.node.res.statusCode = 400;\n    return renderErrorPage('Invalid redirect_uri format');\n  }\n\n  // Validate required credentials\n  if (!orgId || !apiToken) {\n    setResponseHeader(event, 'Content-Type', 'text/html; charset=utf-8');\n    return renderLoginForm({\n      redirectUri,\n      state,\n      codeChallenge,\n      codeChallengeMethod,\n      error: 'Organization ID and API Token are required',\n    });\n  }\n\n  // Create encrypted authorization code with PKCE challenge\n  const code = createAuthCode({\n    orgId,\n    apiToken,\n    userId: userId || undefined,\n    codeChallenge,\n    codeChallengeMethod: codeChallengeMethod || 'S256',\n  });\n\n  // Build redirect URL with authorization code\n  const redirectUrl = new URL(redirectUri);\n  redirectUrl.searchParams.set('code', code);\n  if (state) {\n    redirectUrl.searchParams.set('state', state);\n  }\n\n  // Redirect back to Claude\n  return sendRedirect(event, redirectUrl.toString());\n});\n\n/**\n * Token endpoint - exchange code for access token\n * POST /token\n *\n * Supports:\n * - authorization_code grant (with PKCE validation)\n * - refresh_token grant\n */\nexport const tokenHandler = defineEventHandler(async (event: H3Event) => {\n  setResponseHeader(event, 'Content-Type', 'application/json');\n\n  let body: Record<string, string>;\n  const contentType = event.node.req.headers['content-type'] || '';\n\n  if (contentType.includes('application/x-www-form-urlencoded')) {\n    const rawBody = await readBody(event);\n    if (typeof rawBody === 'string') {\n      body = Object.fromEntries(new URLSearchParams(rawBody));\n    } else {\n      body = rawBody;\n    }\n  } else {\n    body = await readBody(event);\n  }\n\n  const { grant_type, code, code_verifier, refresh_token } = body;\n\n  // Handle refresh token grant\n  if (grant_type === 'refresh_token') {\n    return handleRefreshToken(event, refresh_token);\n  }\n\n  // Validate authorization code grant\n  if (grant_type !== 'authorization_code') {\n    event.node.res.statusCode = 400;\n    return {\n      error: 'unsupported_grant_type',\n      error_description: 'Supported grant types: authorization_code, refresh_token',\n    };\n  }\n\n  if (!code) {\n    event.node.res.statusCode = 400;\n    return {\n      error: 'invalid_request',\n      error_description: 'Missing authorization code',\n    };\n  }\n\n  if (!code_verifier) {\n    event.node.res.statusCode = 400;\n    return {\n      error: 'invalid_request',\n      error_description: 'Missing code_verifier (PKCE required)',\n    };\n  }\n\n  try {\n    // Decode the authorization code\n    const payload = decodeAuthCode(code);\n\n    // Validate PKCE: SHA256(code_verifier) must equal code_challenge\n    if (payload.codeChallenge) {\n      const expectedChallenge = createS256Challenge(code_verifier);\n      if (expectedChallenge !== payload.codeChallenge) {\n        event.node.res.statusCode = 400;\n        return {\n          error: 'invalid_grant',\n          error_description: 'Invalid code_verifier',\n        };\n      }\n    }\n\n    // Create access token (base64 encoded credentials)\n    const accessToken = createAuthToken({\n      organizationId: payload.orgId,\n      apiToken: payload.apiToken,\n      userId: payload.userId,\n    });\n\n    // Create refresh token (encrypted credentials, longer expiry)\n    const refreshToken = createAuthCode(\n      {\n        orgId: payload.orgId,\n        apiToken: payload.apiToken,\n        userId: payload.userId,\n      },\n      86400 * 30 // 30 days\n    );\n\n    return {\n      access_token: accessToken,\n      token_type: 'Bearer',\n      expires_in: 3600, // 1 hour (access tokens should be short-lived)\n      refresh_token: refreshToken,\n    };\n  } catch (error) {\n    event.node.res.statusCode = 400;\n    return {\n      error: 'invalid_grant',\n      error_description: error instanceof Error ? error.message : 'Invalid authorization code',\n    };\n  }\n});\n\n/**\n * Handle refresh token grant\n */\nfunction handleRefreshToken(event: H3Event, refreshToken: string | undefined) {\n  if (!refreshToken) {\n    event.node.res.statusCode = 400;\n    return {\n      error: 'invalid_request',\n      error_description: 'Missing refresh_token',\n    };\n  }\n\n  try {\n    // Decode refresh token (it's just an encrypted auth code with longer expiry)\n    const payload = decodeAuthCode(refreshToken);\n\n    // Create new access token\n    const accessToken = createAuthToken({\n      organizationId: payload.orgId,\n      apiToken: payload.apiToken,\n      userId: payload.userId,\n    });\n\n    // Create new refresh token (rotate for security)\n    const newRefreshToken = createAuthCode(\n      {\n        orgId: payload.orgId,\n        apiToken: payload.apiToken,\n        userId: payload.userId,\n      },\n      86400 * 30 // 30 days\n    );\n\n    return {\n      access_token: accessToken,\n      token_type: 'Bearer',\n      expires_in: 3600,\n      refresh_token: newRefreshToken,\n    };\n  } catch (error) {\n    event.node.res.statusCode = 400;\n    return {\n      error: 'invalid_grant',\n      error_description: error instanceof Error ? error.message : 'Invalid refresh token',\n    };\n  }\n}\n\n/**\n * Create S256 PKCE challenge from verifier\n * SHA256(code_verifier) encoded as base64url\n */\nfunction createS256Challenge(codeVerifier: string): string {\n  return createHash('sha256').update(codeVerifier).digest('base64url');\n}\n\n/**\n * Render the login form HTML\n */\nfunction renderLoginForm(params: {\n  clientId?: string;\n  redirectUri?: string;\n  state?: string;\n  codeChallenge?: string;\n  codeChallengeMethod?: string;\n  scope?: string;\n  error?: string;\n}): string {\n  const { redirectUri, state, codeChallenge, codeChallengeMethod, error } = params;\n\n  return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"UTF-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n  <title>Connect to Productive.io</title>\n  <style>\n    * {\n      box-sizing: border-box;\n      margin: 0;\n      padding: 0;\n    }\n    body {\n      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;\n      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);\n      min-height: 100vh;\n      display: flex;\n      align-items: center;\n      justify-content: center;\n      padding: 20px;\n    }\n    .container {\n      background: white;\n      border-radius: 16px;\n      box-shadow: 0 20px 60px rgba(0, 0, 0, 0.3);\n      padding: 40px;\n      width: 100%;\n      max-width: 420px;\n    }\n    .logo {\n      text-align: center;\n      margin-bottom: 24px;\n    }\n    .logo svg {\n      width: 48px;\n      height: 48px;\n    }\n    h1 {\n      text-align: center;\n      color: #1a1a2e;\n      font-size: 24px;\n      margin-bottom: 8px;\n    }\n    .subtitle {\n      text-align: center;\n      color: #666;\n      font-size: 14px;\n      margin-bottom: 32px;\n    }\n    .error {\n      background: #fee2e2;\n      border: 1px solid #fecaca;\n      color: #dc2626;\n      padding: 12px 16px;\n      border-radius: 8px;\n      margin-bottom: 24px;\n      font-size: 14px;\n    }\n    .form-group {\n      margin-bottom: 20px;\n    }\n    label {\n      display: block;\n      font-size: 14px;\n      font-weight: 500;\n      color: #374151;\n      margin-bottom: 6px;\n    }\n    input {\n      width: 100%;\n      padding: 12px 16px;\n      border: 1px solid #d1d5db;\n      border-radius: 8px;\n      font-size: 16px;\n      transition: border-color 0.2s, box-shadow 0.2s;\n    }\n    input:focus {\n      outline: none;\n      border-color: #667eea;\n      box-shadow: 0 0 0 3px rgba(102, 126, 234, 0.2);\n    }\n    input::placeholder {\n      color: #9ca3af;\n    }\n    .help-text {\n      font-size: 12px;\n      color: #6b7280;\n      margin-top: 4px;\n    }\n    button {\n      width: 100%;\n      padding: 14px 24px;\n      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);\n      color: white;\n      border: none;\n      border-radius: 8px;\n      font-size: 16px;\n      font-weight: 600;\n      cursor: pointer;\n      transition: transform 0.2s, box-shadow 0.2s;\n    }\n    button:hover {\n      transform: translateY(-1px);\n      box-shadow: 0 4px 12px rgba(102, 126, 234, 0.4);\n    }\n    button:active {\n      transform: translateY(0);\n    }\n    .footer {\n      text-align: center;\n      margin-top: 24px;\n      font-size: 12px;\n      color: #9ca3af;\n    }\n    .footer a {\n      color: #667eea;\n      text-decoration: none;\n    }\n    .footer a:hover {\n      text-decoration: underline;\n    }\n  </style>\n</head>\n<body>\n  <div class=\"container\">\n    <div class=\"logo\">\n      <svg viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http://www.w3.org/2000/svg\">\n        <path d=\"M12 2L2 7L12 12L22 7L12 2Z\" stroke=\"#667eea\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"/>\n        <path d=\"M2 17L12 22L22 17\" stroke=\"#764ba2\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"/>\n        <path d=\"M2 12L12 17L22 12\" stroke=\"#667eea\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"/>\n      </svg>\n    </div>\n    <h1>Connect to Productive.io</h1>\n    <p class=\"subtitle\">Enter your Productive.io credentials to connect with Claude</p>\n    \n    ${error ? `<div class=\"error\">${escapeHtml(error)}</div>` : ''}\n    \n    <form method=\"POST\" action=\"/authorize\">\n      <input type=\"hidden\" name=\"redirectUri\" value=\"${escapeHtml(redirectUri || '')}\">\n      <input type=\"hidden\" name=\"state\" value=\"${escapeHtml(state || '')}\">\n      <input type=\"hidden\" name=\"codeChallenge\" value=\"${escapeHtml(codeChallenge || '')}\">\n      <input type=\"hidden\" name=\"codeChallengeMethod\" value=\"${escapeHtml(codeChallengeMethod || 'S256')}\">\n      \n      <div class=\"form-group\">\n        <label for=\"orgId\">Organization ID *</label>\n        <input type=\"text\" id=\"orgId\" name=\"orgId\" required placeholder=\"e.g., 12345\">\n        <p class=\"help-text\">Found in Settings → API integrations</p>\n      </div>\n      \n      <div class=\"form-group\">\n        <label for=\"apiToken\">API Token *</label>\n        <input type=\"password\" id=\"apiToken\" name=\"apiToken\" required placeholder=\"pk_...\">\n        <p class=\"help-text\">Generate at Settings → API integrations → Generate new token</p>\n      </div>\n      \n      <div class=\"form-group\">\n        <label for=\"userId\">User ID (optional)</label>\n        <input type=\"text\" id=\"userId\" name=\"userId\" placeholder=\"e.g., 67890\">\n        <p class=\"help-text\">Required for creating time entries. Found in your profile URL.</p>\n      </div>\n      \n      <button type=\"submit\">Connect to Productive</button>\n    </form>\n    \n    <p class=\"footer\">\n      Your credentials are encrypted and sent directly to Claude.<br>\n      <a href=\"https://developer.productive.io\" target=\"_blank\">Productive.io API Documentation</a>\n    </p>\n  </div>\n</body>\n</html>`;\n}\n\n/**\n * Render error page\n */\nfunction renderErrorPage(message: string): string {\n  return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"UTF-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n  <title>Error - Productive MCP</title>\n  <style>\n    body {\n      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;\n      background: #f3f4f6;\n      min-height: 100vh;\n      display: flex;\n      align-items: center;\n      justify-content: center;\n      padding: 20px;\n    }\n    .container {\n      background: white;\n      border-radius: 16px;\n      box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);\n      padding: 40px;\n      text-align: center;\n      max-width: 400px;\n    }\n    h1 {\n      color: #dc2626;\n      margin-bottom: 16px;\n    }\n    p {\n      color: #6b7280;\n    }\n  </style>\n</head>\n<body>\n  <div class=\"container\">\n    <h1>Error</h1>\n    <p>${escapeHtml(message)}</p>\n  </div>\n</body>\n</html>`;\n}\n\n/**\n * Escape HTML special characters\n */\nfunction escapeHtml(str: string): string {\n  return str\n    .replace(/&/g, '&amp;')\n    .replace(/</g, '&lt;')\n    .replace(/>/g, '&gt;')\n    .replace(/\"/g, '&quot;')\n    .replace(/'/g, '&#039;');\n}\n"],"names":[],"mappings":";;;;AAmCO,MAAM,uBAAuB,mBAAmB,CAAC,UAAmB;AACzE,QAAM,OAAO,MAAM,KAAK,IAAI,QAAQ,QAAQ;AAC5C,QAAM,WAAW,MAAM,KAAK,IAAI,QAAQ,mBAAmB,KAAK;AAChE,QAAM,UAAU,GAAG,QAAQ,MAAM,IAAI;AAErC,oBAAkB,OAAO,gBAAgB,kBAAkB;AAC3D,oBAAkB,OAAO,iBAAiB,sBAAsB;AAEhE,SAAO;AAAA;AAAA,IAEL,QAAQ;AAAA,IACR,wBAAwB,GAAG,OAAO;AAAA,IAClC,gBAAgB,GAAG,OAAO;AAAA,IAC1B,0BAA0B,CAAC,MAAM;AAAA;AAAA,IAGjC,uBAAuB,CAAC,sBAAsB,eAAe;AAAA,IAC7D,kCAAkC,CAAC,MAAM;AAAA,IACzC,uCAAuC,CAAC,MAAM;AAAA;AAAA;AAAA,IAG9C,uBAAuB,GAAG,OAAO;AAAA,IACjC,kBAAkB,CAAC,YAAY;AAAA,IAC/B,uBAAuB;AAAA,EAAA;AAE3B,CAAC;AAUM,MAAM,kBAAkB,mBAAmB,OAAO,UAAmB;AAC1E,oBAAkB,OAAO,gBAAgB,kBAAkB;AAE3D,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,SAAS,KAAK;AAAA,EAC7B,QAAQ;AACN,UAAM,KAAK,IAAI,aAAa;AAC5B,WAAO;AAAA,MACL,OAAO;AAAA,MACP,mBAAmB;AAAA,IAAA;AAAA,EAEvB;AAGA,QAAM,aAAc,KAAK,eAA0B;AACnD,QAAM,eAAgB,KAAK,iBAA8B,CAAA;AAIzD,QAAM,WAAW,OAAO;AAAA,IACtB,KAAK,UAAU;AAAA,MACb,MAAM;AAAA,MACN,IAAI,KAAK,IAAA;AAAA,IAAI,CACd;AAAA,EAAA,EACD,SAAS,WAAW;AAEtB,QAAM,KAAK,IAAI,aAAa;AAC5B,SAAO;AAAA,IACL,WAAW;AAAA,IACX,aAAa;AAAA,IACb,eAAe;AAAA,IACf,4BAA4B;AAAA,IAC5B,aAAa,CAAC,sBAAsB,eAAe;AAAA,IACnD,gBAAgB,CAAC,MAAM;AAAA,EAAA;AAE3B,CAAC;AAMM,MAAM,sBAAsB,mBAAmB,CAAC,UAAmB;AACxE,QAAM,QAAQ,SAAS,KAAK;AAGX,QAAM;AACvB,QAAM,cAAc,MAAM;AAC1B,QAAM,QAAQ,MAAM;AACpB,QAAM,gBAAgB,MAAM;AAC5B,QAAM,sBAAsB,MAAM;AACpB,QAAM;AAGpB,MAAI,CAAC,aAAa;AAChB,sBAAkB,OAAO,gBAAgB,0BAA0B;AACnE,UAAM,KAAK,IAAI,aAAa;AAC5B,WAAO,gBAAgB,0CAA0C;AAAA,EACnE;AAGA,MAAI,CAAC,eAAe;AAElB,UAAM,WAAW,IAAI,IAAI,WAAW;AACpC,aAAS,aAAa,IAAI,SAAS,iBAAiB;AACpD,aAAS,aAAa,IAAI,qBAAqB,4BAA4B;AAC3E,QAAI,MAAO,UAAS,aAAa,IAAI,SAAS,KAAK;AACnD,WAAO,aAAa,OAAO,SAAS,SAAA,CAAU;AAAA,EAChD;AAEA,MAAI,uBAAuB,wBAAwB,QAAQ;AACzD,UAAM,WAAW,IAAI,IAAI,WAAW;AACpC,aAAS,aAAa,IAAI,SAAS,iBAAiB;AACpD,aAAS,aAAa,IAAI,qBAAqB,8CAA8C;AAC7F,QAAI,MAAO,UAAS,aAAa,IAAI,SAAS,KAAK;AACnD,WAAO,aAAa,OAAO,SAAS,SAAA,CAAU;AAAA,EAChD;AAEA,oBAAkB,OAAO,gBAAgB,0BAA0B;AAGnE,SAAO,gBAAgB;AAAA,IAErB;AAAA,IACA;AAAA,IACA;AAAA,IACA,qBAAqB,uBAAuB;AAAA,EAE9C,CAAC;AACH,CAAC;AAMM,MAAM,uBAAuB,mBAAmB,OAAO,UAAmB;AAC/E,QAAM,OAAO,MAAM,SAAS,KAAK;AAEjC,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EAAA,IACE;AAGJ,MAAI,CAAC,aAAa;AAChB,sBAAkB,OAAO,gBAAgB,0BAA0B;AACnE,UAAM,KAAK,IAAI,aAAa;AAC5B,WAAO,gBAAgB,gCAAgC;AAAA,EACzD;AAGA,MAAI;AACF,UAAM,MAAM,IAAI,IAAI,WAAW;AAC/B,UAAM,cAAc,IAAI,aAAa,eAAe,IAAI,aAAa;AACrE,UAAM,UAAU,IAAI,aAAa;AACjC,QAAI,CAAC,eAAe,CAAC,SAAS;AAC5B,YAAM,KAAK,IAAI,aAAa;AAC5B,aAAO,gBAAgB,yCAAyC;AAAA,IAClE;AAAA,EACF,QAAQ;AACN,UAAM,KAAK,IAAI,aAAa;AAC5B,WAAO,gBAAgB,6BAA6B;AAAA,EACtD;AAGA,MAAI,CAAC,SAAS,CAAC,UAAU;AACvB,sBAAkB,OAAO,gBAAgB,0BAA0B;AACnE,WAAO,gBAAgB;AAAA,MACrB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,OAAO;AAAA,IAAA,CACR;AAAA,EACH;AAGA,QAAM,OAAO,eAAe;AAAA,IAC1B;AAAA,IACA;AAAA,IACA,QAAQ,UAAU;AAAA,IAClB;AAAA,IACA,qBAAqB,uBAAuB;AAAA,EAAA,CAC7C;AAGD,QAAM,cAAc,IAAI,IAAI,WAAW;AACvC,cAAY,aAAa,IAAI,QAAQ,IAAI;AACzC,MAAI,OAAO;AACT,gBAAY,aAAa,IAAI,SAAS,KAAK;AAAA,EAC7C;AAGA,SAAO,aAAa,OAAO,YAAY,SAAA,CAAU;AACnD,CAAC;AAUM,MAAM,eAAe,mBAAmB,OAAO,UAAmB;AACvE,oBAAkB,OAAO,gBAAgB,kBAAkB;AAE3D,MAAI;AACJ,QAAM,cAAc,MAAM,KAAK,IAAI,QAAQ,cAAc,KAAK;AAE9D,MAAI,YAAY,SAAS,mCAAmC,GAAG;AAC7D,UAAM,UAAU,MAAM,SAAS,KAAK;AACpC,QAAI,OAAO,YAAY,UAAU;AAC/B,aAAO,OAAO,YAAY,IAAI,gBAAgB,OAAO,CAAC;AAAA,IACxD,OAAO;AACL,aAAO;AAAA,IACT;AAAA,EACF,OAAO;AACL,WAAO,MAAM,SAAS,KAAK;AAAA,EAC7B;AAEA,QAAM,EAAE,YAAY,MAAM,eAAe,kBAAkB;AAG3D,MAAI,eAAe,iBAAiB;AAClC,WAAO,mBAAmB,OAAO,aAAa;AAAA,EAChD;AAGA,MAAI,eAAe,sBAAsB;AACvC,UAAM,KAAK,IAAI,aAAa;AAC5B,WAAO;AAAA,MACL,OAAO;AAAA,MACP,mBAAmB;AAAA,IAAA;AAAA,EAEvB;AAEA,MAAI,CAAC,MAAM;AACT,UAAM,KAAK,IAAI,aAAa;AAC5B,WAAO;AAAA,MACL,OAAO;AAAA,MACP,mBAAmB;AAAA,IAAA;AAAA,EAEvB;AAEA,MAAI,CAAC,eAAe;AAClB,UAAM,KAAK,IAAI,aAAa;AAC5B,WAAO;AAAA,MACL,OAAO;AAAA,MACP,mBAAmB;AAAA,IAAA;AAAA,EAEvB;AAEA,MAAI;AAEF,UAAM,UAAU,eAAe,IAAI;AAGnC,QAAI,QAAQ,eAAe;AACzB,YAAM,oBAAoB,oBAAoB,aAAa;AAC3D,UAAI,sBAAsB,QAAQ,eAAe;AAC/C,cAAM,KAAK,IAAI,aAAa;AAC5B,eAAO;AAAA,UACL,OAAO;AAAA,UACP,mBAAmB;AAAA,QAAA;AAAA,MAEvB;AAAA,IACF;AAGA,UAAM,cAAc,gBAAgB;AAAA,MAClC,gBAAgB,QAAQ;AAAA,MACxB,UAAU,QAAQ;AAAA,MAClB,QAAQ,QAAQ;AAAA,IAAA,CACjB;AAGD,UAAM,eAAe;AAAA,MACnB;AAAA,QACE,OAAO,QAAQ;AAAA,QACf,UAAU,QAAQ;AAAA,QAClB,QAAQ,QAAQ;AAAA,MAAA;AAAA,MAElB,QAAQ;AAAA;AAAA,IAAA;AAGV,WAAO;AAAA,MACL,cAAc;AAAA,MACd,YAAY;AAAA,MACZ,YAAY;AAAA;AAAA,MACZ,eAAe;AAAA,IAAA;AAAA,EAEnB,SAAS,OAAO;AACd,UAAM,KAAK,IAAI,aAAa;AAC5B,WAAO;AAAA,MACL,OAAO;AAAA,MACP,mBAAmB,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAAA;AAAA,EAEhE;AACF,CAAC;AAKD,SAAS,mBAAmB,OAAgB,cAAkC;AAC5E,MAAI,CAAC,cAAc;AACjB,UAAM,KAAK,IAAI,aAAa;AAC5B,WAAO;AAAA,MACL,OAAO;AAAA,MACP,mBAAmB;AAAA,IAAA;AAAA,EAEvB;AAEA,MAAI;AAEF,UAAM,UAAU,eAAe,YAAY;AAG3C,UAAM,cAAc,gBAAgB;AAAA,MAClC,gBAAgB,QAAQ;AAAA,MACxB,UAAU,QAAQ;AAAA,MAClB,QAAQ,QAAQ;AAAA,IAAA,CACjB;AAGD,UAAM,kBAAkB;AAAA,MACtB;AAAA,QACE,OAAO,QAAQ;AAAA,QACf,UAAU,QAAQ;AAAA,QAClB,QAAQ,QAAQ;AAAA,MAAA;AAAA,MAElB,QAAQ;AAAA;AAAA,IAAA;AAGV,WAAO;AAAA,MACL,cAAc;AAAA,MACd,YAAY;AAAA,MACZ,YAAY;AAAA,MACZ,eAAe;AAAA,IAAA;AAAA,EAEnB,SAAS,OAAO;AACd,UAAM,KAAK,IAAI,aAAa;AAC5B,WAAO;AAAA,MACL,OAAO;AAAA,MACP,mBAAmB,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAAA;AAAA,EAEhE;AACF;AAMA,SAAS,oBAAoB,cAA8B;AACzD,SAAO,WAAW,QAAQ,EAAE,OAAO,YAAY,EAAE,OAAO,WAAW;AACrE;AAKA,SAAS,gBAAgB,QAQd;AACT,QAAM,EAAE,aAAa,OAAO,eAAe,qBAAqB,UAAU;AAE1E,SAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAuIH,QAAQ,sBAAsB,WAAW,KAAK,CAAC,WAAW,EAAE;AAAA;AAAA;AAAA,uDAGX,WAAW,eAAe,EAAE,CAAC;AAAA,iDACnC,WAAW,SAAS,EAAE,CAAC;AAAA,yDACf,WAAW,iBAAiB,EAAE,CAAC;AAAA,+DACzB,WAAW,uBAAuB,MAAM,CAAC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA8BxG;AAKA,SAAS,gBAAgB,SAAyB;AAChD,SAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAoCA,WAAW,OAAO,CAAC;AAAA;AAAA;AAAA;AAI5B;AAKA,SAAS,WAAW,KAAqB;AACvC,SAAO,IACJ,QAAQ,MAAM,OAAO,EACrB,QAAQ,MAAM,MAAM,EACpB,QAAQ,MAAM,MAAM,EACpB,QAAQ,MAAM,QAAQ,EACtB,QAAQ,MAAM,QAAQ;AAC3B;"}

package/dist/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAgB,KAAK,MAAM,EAAE,MAAM,WAAW,CAAC;AAOtD;;GAEG;AACH,wBAAgB,eAAe,CAC7B,IAAI,GAAE,MAAqB,EAC3B,IAAI,GAAE,MAAqB,GAC1B,OAAO,CAAC,MAAM,CAAC,CAsBjB"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAgB,KAAK,MAAM,EAAE,MAAM,WAAW,CAAC;AAQtD;;GAEG;AACH,wBAAgB,eAAe,CAC7B,IAAI,GAAE,MAAqB,EAC3B,IAAI,GAAE,MAAqB,GAC1B,OAAO,CAAC,MAAM,CAAC,CAmCjB"}

package/dist/server.js

@@ -2,6 +2,7 @@
 import { createServer } from "node:http";
 import { toNodeListener } from "h3";
 import { createHttpApp } from "./http.js";
+import { V as VERSION } from "./version-uWLfG4Z0.js";
 const DEFAULT_PORT = 3e3;
 const DEFAULT_HOST = "0.0.0.0";
 function startHttpServer(port = DEFAULT_PORT, host = DEFAULT_HOST) {
@@ -10,18 +11,31 @@ function startHttpServer(port = DEFAULT_PORT, host = DEFAULT_HOST) {
     const server = createServer(toNodeListener(app));
     server.listen(port, host, () => {
       const displayHost = host === "0.0.0.0" ? "localhost" : host;
-      console.log(`Productive MCP server running at http://${displayHost}:${port}`);
+      console.log(`Productive MCP server v${VERSION}`);
+      console.log(`Node.js ${process.version}`);
+      console.log("");
+      console.log(`Running at http://${displayHost}:${port}`);
       console.log("");
       console.log("Endpoints:");
       console.log(`  POST http://${displayHost}:${port}/mcp - MCP JSON-RPC endpoint`);
       console.log(`  GET  http://${displayHost}:${port}/health - Health check`);
       console.log("");
+      console.log("OAuth 2.0 (MCP auth spec compliant):");
+      console.log(`  GET  http://${displayHost}:${port}/.well-known/oauth-authorization-server`);
+      console.log(`  POST http://${displayHost}:${port}/register - Dynamic Client Registration`);
+      console.log(`  GET  http://${displayHost}:${port}/authorize - Authorization endpoint`);
+      console.log(`  POST http://${displayHost}:${port}/token - Token endpoint`);
+      console.log("");
       console.log("Authentication:");
-      console.log("  Pass Bearer token in Authorization header");
-      console.log("  Token format: base64(organizationId:apiToken:userId)");
+      console.log("  Option 1: OAuth flow (Claude Desktop will handle this automatically)");
+      console.log("  Option 2: Bearer token in Authorization header");
+      console.log("            Token format: base64(organizationId:apiToken:userId)");
       console.log("");
-      console.log("Generate token:");
-      console.log('  echo -n "ORG_ID:API_TOKEN:USER_ID" | base64');
+      if (!process.env.OAUTH_SECRET) {
+        console.log("⚠️  WARNING: OAUTH_SECRET not set. Set it in production!");
+        console.log('   export OAUTH_SECRET="your-random-secret-here"');
+        console.log("");
+      }
       resolve(server);
     });
   });

package/dist/server.js.map

@@ -1 +1 @@
-{"version":3,"file":"server.js","sources":["../src/server.ts"],"sourcesContent":["#!/usr/bin/env node\n\n/**\n * Productive MCP Server - HTTP Transport\n *\n * This is the remote HTTP server mode for Claude Desktop custom connectors.\n * Credentials are passed via Bearer token in the Authorization header.\n *\n * Token format: base64(organizationId:apiToken) or base64(organizationId:apiToken:userId)\n *\n * Generate your token:\n *   echo -n \"YOUR_ORG_ID:YOUR_API_TOKEN:YOUR_USER_ID\" | base64\n *\n * Usage:\n *   productive-mcp-server\n *   PORT=3000 productive-mcp-server\n *\n * Claude Desktop custom connector config:\n *   Name: Productive\n *   URL: https://productive.mcp.ikko.dev\n *   (No OAuth needed - uses Bearer token)\n */\n\nimport { createServer, type Server } from 'node:http';\nimport { toNodeListener } from 'h3';\nimport { createHttpApp } from './http.js';\n\nconst DEFAULT_PORT = 3000;\nconst DEFAULT_HOST = '0.0.0.0';\n\n/**\n * Start the HTTP server\n */\nexport function startHttpServer(\n  port: number = DEFAULT_PORT,\n  host: string = DEFAULT_HOST\n): Promise<Server> {\n  return new Promise((resolve) => {\n    const app = createHttpApp();\n    const server = createServer(toNodeListener(app));\n\n    server.listen(port, host, () => {\n      const displayHost = host === '0.0.0.0' ? 'localhost' : host;\n      console.log(`Productive MCP server running at http://${displayHost}:${port}`);\n      console.log('');\n      console.log('Endpoints:');\n      console.log(`  POST http://${displayHost}:${port}/mcp - MCP JSON-RPC endpoint`);\n      console.log(`  GET  http://${displayHost}:${port}/health - Health check`);\n      console.log('');\n      console.log('Authentication:');\n      console.log('  Pass Bearer token in Authorization header');\n      console.log('  Token format: base64(organizationId:apiToken:userId)');\n      console.log('');\n      console.log('Generate token:');\n      console.log('  echo -n \"ORG_ID:API_TOKEN:USER_ID\" | base64');\n      resolve(server);\n    });\n  });\n}\n\n// Start server when run directly\nconst isMainModule =\n  import.meta.url === `file://${process.argv[1]}` ||\n  process.argv[1]?.endsWith('/productive-mcp-server') ||\n  process.argv[1]?.endsWith('\\\\productive-mcp-server');\n\nif (isMainModule) {\n  const port = Number.parseInt(process.env.PORT || String(DEFAULT_PORT), 10);\n  const host = process.env.HOST || DEFAULT_HOST;\n\n  startHttpServer(port, host).catch((error) => {\n    console.error('Fatal error:', error);\n    process.exit(1);\n  });\n}\n"],"names":[],"mappings":";;;;AA2BA,MAAM,eAAe;AACrB,MAAM,eAAe;AAKd,SAAS,gBACd,OAAe,cACf,OAAe,cACE;AACjB,SAAO,IAAI,QAAQ,CAAC,YAAY;AAC9B,UAAM,MAAM,cAAA;AACZ,UAAM,SAAS,aAAa,eAAe,GAAG,CAAC;AAE/C,WAAO,OAAO,MAAM,MAAM,MAAM;AAC9B,YAAM,cAAc,SAAS,YAAY,cAAc;AACvD,cAAQ,IAAI,2CAA2C,WAAW,IAAI,IAAI,EAAE;AAC5E,cAAQ,IAAI,EAAE;AACd,cAAQ,IAAI,YAAY;AACxB,cAAQ,IAAI,iBAAiB,WAAW,IAAI,IAAI,8BAA8B;AAC9E,cAAQ,IAAI,iBAAiB,WAAW,IAAI,IAAI,wBAAwB;AACxE,cAAQ,IAAI,EAAE;AACd,cAAQ,IAAI,iBAAiB;AAC7B,cAAQ,IAAI,6CAA6C;AACzD,cAAQ,IAAI,wDAAwD;AACpE,cAAQ,IAAI,EAAE;AACd,cAAQ,IAAI,iBAAiB;AAC7B,cAAQ,IAAI,+CAA+C;AAC3D,cAAQ,MAAM;AAAA,IAChB,CAAC;AAAA,EACH,CAAC;AACH;AAGA,MAAM,eACJ,YAAY,QAAQ,UAAU,QAAQ,KAAK,CAAC,CAAC,MAC7C,QAAQ,KAAK,CAAC,GAAG,SAAS,wBAAwB,KAClD,QAAQ,KAAK,CAAC,GAAG,SAAS,yBAAyB;AAErD,IAAI,cAAc;AAChB,QAAM,OAAO,OAAO,SAAS,QAAQ,IAAI,QAAQ,OAAO,YAAY,GAAG,EAAE;AACzE,QAAM,OAAO,QAAQ,IAAI,QAAQ;AAEjC,kBAAgB,MAAM,IAAI,EAAE,MAAM,CAAC,UAAU;AAC3C,YAAQ,MAAM,gBAAgB,KAAK;AACnC,YAAQ,KAAK,CAAC;AAAA,EAChB,CAAC;AACH;"}
+{"version":3,"file":"server.js","sources":["../src/server.ts"],"sourcesContent":["#!/usr/bin/env node\n\n/**\n * Productive MCP Server - HTTP Transport\n *\n * This is the remote HTTP server mode for Claude Desktop custom connectors.\n * Credentials are passed via Bearer token in the Authorization header.\n *\n * Token format: base64(organizationId:apiToken) or base64(organizationId:apiToken:userId)\n *\n * Generate your token:\n *   echo -n \"YOUR_ORG_ID:YOUR_API_TOKEN:YOUR_USER_ID\" | base64\n *\n * Usage:\n *   productive-mcp-server\n *   PORT=3000 productive-mcp-server\n *\n * Claude Desktop custom connector config:\n *   Name: Productive\n *   URL: https://productive.mcp.ikko.dev\n *   (No OAuth needed - uses Bearer token)\n */\n\nimport { createServer, type Server } from 'node:http';\nimport { toNodeListener } from 'h3';\nimport { createHttpApp } from './http.js';\nimport { VERSION } from './version.js';\n\nconst DEFAULT_PORT = 3000;\nconst DEFAULT_HOST = '0.0.0.0';\n\n/**\n * Start the HTTP server\n */\nexport function startHttpServer(\n  port: number = DEFAULT_PORT,\n  host: string = DEFAULT_HOST\n): Promise<Server> {\n  return new Promise((resolve) => {\n    const app = createHttpApp();\n    const server = createServer(toNodeListener(app));\n\n    server.listen(port, host, () => {\n      const displayHost = host === '0.0.0.0' ? 'localhost' : host;\n      console.log(`Productive MCP server v${VERSION}`);\n      console.log(`Node.js ${process.version}`);\n      console.log('');\n      console.log(`Running at http://${displayHost}:${port}`);\n      console.log('');\n      console.log('Endpoints:');\n      console.log(`  POST http://${displayHost}:${port}/mcp - MCP JSON-RPC endpoint`);\n      console.log(`  GET  http://${displayHost}:${port}/health - Health check`);\n      console.log('');\n      console.log('OAuth 2.0 (MCP auth spec compliant):');\n      console.log(`  GET  http://${displayHost}:${port}/.well-known/oauth-authorization-server`);\n      console.log(`  POST http://${displayHost}:${port}/register - Dynamic Client Registration`);\n      console.log(`  GET  http://${displayHost}:${port}/authorize - Authorization endpoint`);\n      console.log(`  POST http://${displayHost}:${port}/token - Token endpoint`);\n      console.log('');\n      console.log('Authentication:');\n      console.log('  Option 1: OAuth flow (Claude Desktop will handle this automatically)');\n      console.log('  Option 2: Bearer token in Authorization header');\n      console.log('            Token format: base64(organizationId:apiToken:userId)');\n      console.log('');\n      if (!process.env.OAUTH_SECRET) {\n        console.log('⚠️  WARNING: OAUTH_SECRET not set. Set it in production!');\n        console.log('   export OAUTH_SECRET=\"your-random-secret-here\"');\n        console.log('');\n      }\n      resolve(server);\n    });\n  });\n}\n\n// Start server when run directly\nconst isMainModule =\n  import.meta.url === `file://${process.argv[1]}` ||\n  process.argv[1]?.endsWith('/productive-mcp-server') ||\n  process.argv[1]?.endsWith('\\\\productive-mcp-server');\n\nif (isMainModule) {\n  const port = Number.parseInt(process.env.PORT || String(DEFAULT_PORT), 10);\n  const host = process.env.HOST || DEFAULT_HOST;\n\n  startHttpServer(port, host).catch((error) => {\n    console.error('Fatal error:', error);\n    process.exit(1);\n  });\n}\n"],"names":[],"mappings":";;;;;AA4BA,MAAM,eAAe;AACrB,MAAM,eAAe;AAKd,SAAS,gBACd,OAAe,cACf,OAAe,cACE;AACjB,SAAO,IAAI,QAAQ,CAAC,YAAY;AAC9B,UAAM,MAAM,cAAA;AACZ,UAAM,SAAS,aAAa,eAAe,GAAG,CAAC;AAE/C,WAAO,OAAO,MAAM,MAAM,MAAM;AAC9B,YAAM,cAAc,SAAS,YAAY,cAAc;AACvD,cAAQ,IAAI,0BAA0B,OAAO,EAAE;AAC/C,cAAQ,IAAI,WAAW,QAAQ,OAAO,EAAE;AACxC,cAAQ,IAAI,EAAE;AACd,cAAQ,IAAI,qBAAqB,WAAW,IAAI,IAAI,EAAE;AACtD,cAAQ,IAAI,EAAE;AACd,cAAQ,IAAI,YAAY;AACxB,cAAQ,IAAI,iBAAiB,WAAW,IAAI,IAAI,8BAA8B;AAC9E,cAAQ,IAAI,iBAAiB,WAAW,IAAI,IAAI,wBAAwB;AACxE,cAAQ,IAAI,EAAE;AACd,cAAQ,IAAI,sCAAsC;AAClD,cAAQ,IAAI,iBAAiB,WAAW,IAAI,IAAI,yCAAyC;AACzF,cAAQ,IAAI,iBAAiB,WAAW,IAAI,IAAI,yCAAyC;AACzF,cAAQ,IAAI,iBAAiB,WAAW,IAAI,IAAI,qCAAqC;AACrF,cAAQ,IAAI,iBAAiB,WAAW,IAAI,IAAI,yBAAyB;AACzE,cAAQ,IAAI,EAAE;AACd,cAAQ,IAAI,iBAAiB;AAC7B,cAAQ,IAAI,wEAAwE;AACpF,cAAQ,IAAI,kDAAkD;AAC9D,cAAQ,IAAI,kEAAkE;AAC9E,cAAQ,IAAI,EAAE;AACd,UAAI,CAAC,QAAQ,IAAI,cAAc;AAC7B,gBAAQ,IAAI,0DAA0D;AACtE,gBAAQ,IAAI,kDAAkD;AAC9D,gBAAQ,IAAI,EAAE;AAAA,MAChB;AACA,cAAQ,MAAM;AAAA,IAChB,CAAC;AAAA,EACH,CAAC;AACH;AAGA,MAAM,eACJ,YAAY,QAAQ,UAAU,QAAQ,KAAK,CAAC,CAAC,MAC7C,QAAQ,KAAK,CAAC,GAAG,SAAS,wBAAwB,KAClD,QAAQ,KAAK,CAAC,GAAG,SAAS,yBAAyB;AAErD,IAAI,cAAc;AAChB,QAAM,OAAO,OAAO,SAAS,QAAQ,IAAI,QAAQ,OAAO,YAAY,GAAG,EAAE;AACzE,QAAM,OAAO,QAAQ,IAAI,QAAQ;AAEjC,kBAAgB,MAAM,IAAI,EAAE,MAAM,CAAC,UAAU;AAC3C,YAAQ,MAAM,gBAAgB,KAAK;AACnC,YAAQ,KAAK,CAAC;AAAA,EAChB,CAAC;AACH;"}

package/dist/version-uWLfG4Z0.js

@@ -0,0 +1,5 @@
+const VERSION = "0.4.6";
+export {
+  VERSION as V
+};
+//# sourceMappingURL=version-uWLfG4Z0.js.map

package/dist/version-uWLfG4Z0.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"version-uWLfG4Z0.js","sources":["../src/version.ts"],"sourcesContent":["/**\n * Package version - injected from package.json at build time\n */\ndeclare const __VERSION__: string;\nexport const VERSION = __VERSION__;\n"],"names":[],"mappings":"AAIO,MAAM,UAAU;"}

package/dist/version.d.ts

@@ -0,0 +1,2 @@
+export declare const VERSION: string;
+//# sourceMappingURL=version.d.ts.map

package/dist/version.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"version.d.ts","sourceRoot":"","sources":["../src/version.ts"],"names":[],"mappings":"AAIA,eAAO,MAAM,OAAO,QAAc,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@studiometa/productive-mcp",
-  "version": "0.3.0",
+  "version": "0.4.6",
   "description": "MCP server for Productive.io API - Model Context Protocol integration for Claude Desktop",
   "type": "module",
   "publishConfig": {
@@ -25,6 +25,14 @@
       "import": "./dist/auth.js",
       "types": "./dist/auth.d.ts"
     },
+    "./crypto": {
+      "import": "./dist/crypto.js",
+      "types": "./dist/crypto.d.ts"
+    },
+    "./oauth": {
+      "import": "./dist/oauth.js",
+      "types": "./dist/oauth.d.ts"
+    },
     "./tools": {
       "import": "./dist/tools.js",
       "types": "./dist/tools.d.ts"
@@ -65,7 +73,7 @@
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/studiometa/productive-cli",
+    "url": "https://github.com/studiometa/productive-tools",
     "directory": "packages/productive-mcp"
   },
   "engines": {