@studiometa/productive-mcp 0.8.4 → 0.9.0

package/README.md

@@ -3,66 +3,30 @@
 [![npm version](https://img.shields.io/npm/v/@studiometa/productive-mcp?style=flat&colorB=3e63dd&colorA=414853)](https://www.npmjs.com/package/@studiometa/productive-mcp)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg?style=flat&colorB=3e63dd&colorA=414853)](https://opensource.org/licenses/MIT)
 
-MCP (Model Context Protocol) server for [Productive.io](https://productive.io) API integration. Enables Claude Desktop and other MCP clients to interact with Productive.io for project management, time tracking, and task management.
+MCP (Model Context Protocol) server for [Productive.io](https://productive.io). Enables Claude Desktop and other MCP clients to interact with Productive.io for project management, time tracking, task management, and reporting.
 
 ## Features
 
-- ✅ Full Productive.io API access via MCP
-- 🔧 Support for projects, tasks, time entries, services, and people
-- 🔐 Two modes: local (stdio) and remote (HTTP)
-- 🔑 **OAuth 2.0 support** for Claude Desktop custom connectors
-- 🌐 Deploy once, share with your team via Claude Desktop custom connectors
-- 🐳 Docker-ready for easy deployment
-- ⚡ **Token-optimized** - Single tool design minimizes context usage (~180 tokens)
-- 📦 Built on [@studiometa/productive-cli](../productive-cli)
+- Single unified `productive` tool — minimal token overhead (~170 tokens)
+- Smart ID resolution — use emails and project numbers instead of numeric IDs
+- Two modes: **local (stdio)** for personal use, **remote (HTTP)** for teams
+- OAuth 2.0 support for Claude Desktop custom connectors
+- Built-in `help` action for self-documentation
 
-## Usage Modes
+## Mode 1: Local (stdio)
 
-This package supports two modes:
-
-| Mode              | Command                 | Use Case                                     |
-| ----------------- | ----------------------- | -------------------------------------------- |
-| **Local (stdio)** | `productive-mcp`        | Personal use via Claude Desktop config       |
-| **Remote (HTTP)** | `productive-mcp-server` | Team use via Claude Desktop custom connector |
-
----
-
-## Mode 1: Local (stdio) - Personal Use
-
-Use this mode when you want to run the MCP server locally on your machine.
-
-### Installation
+Run the MCP server locally on your machine.
 
 ```bash
 npm install -g @studiometa/productive-mcp
 ```
 
-### Claude Desktop Configuration
-
-Edit your Claude Desktop config:
+Add to your Claude Desktop config:
 
 - **macOS**: `~/Library/Application Support/Claude/claude_desktop_config.json`
 - **Windows**: `%APPDATA%/Claude/claude_desktop_config.json`
 - **Linux**: `~/.config/Claude/claude_desktop_config.json`
 
-```json
-{
-  "mcpServers": {
-    "productive": {
-      "command": "productive-mcp"
-    }
-  }
-}
-```
-
-Restart Claude Desktop, then ask Claude:
-
-> "Configure my Productive.io credentials"
-
-Claude will guide you through the setup.
-
-### Alternative: Environment Variables
-
 ```json
 {
   "mcpServers": {
@@ -78,127 +42,58 @@ Claude will guide you through the setup.
 }
 ```
 
----
-
-## Mode 2: Remote (HTTP) - Team Use
-
-Deploy once, share with your entire team via Claude Desktop's **custom connector** feature.
+Alternatively, omit the `env` block and ask Claude to configure credentials interactively.
 
-### How It Works
+## Mode 2: Remote (HTTP)
 
-The server supports **OAuth 2.0** for seamless Claude Desktop integration:
+Deploy once, share with your team via Claude Desktop's custom connector feature.
 
-1. Deploy the HTTP server to a URL (e.g., `https://productive.mcp.example.com`)
-2. Add the custom connector in Claude Desktop with OAuth enabled
-3. When connecting, users are presented with a login form to enter their Productive credentials
-4. Credentials are securely encrypted and exchanged via OAuth tokens
-
-No central credential storage required - each user's credentials are encrypted directly in their OAuth token.
-
-### Deploy the Server
-
-#### Option A: Docker
+### Deploy
 
 ```bash
-# Build
-docker build -t productive-mcp-server -f packages/productive-mcp/Dockerfile .
-
-# Run
-docker run -d \
-  --name productive-mcp-server \
-  --restart unless-stopped \
-  -p 3000:3000 \
-  productive-mcp-server
-```
+# Docker
+docker build -t productive-mcp-server -f packages/mcp/Dockerfile .
+docker run -d -p 3000:3000 -e OAUTH_SECRET="$(openssl rand -base64 32)" productive-mcp-server
 
-#### Option B: Node.js
-
-```bash
+# Or Node.js
 npm install -g @studiometa/productive-mcp
-
-# Start server
-PORT=3000 productive-mcp-server
-```
-
-#### Option C: Docker Compose
-
-```yaml
-version: '3.8'
-
-services:
-  productive-mcp:
-    build:
-      context: .
-      dockerfile: packages/productive-mcp/Dockerfile
-    restart: unless-stopped
-    ports:
-      - '3000:3000'
-    environment:
-      PORT: 3000
-      HOST: 0.0.0.0
-      OAUTH_SECRET: 'your-random-secret-here' # Required for production!
+PORT=3000 OAUTH_SECRET="your-secret" productive-mcp-server
 ```
 
-### Environment Variables
-
-| Variable       | Required             | Description                            |
-| -------------- | -------------------- | -------------------------------------- |
-| `PORT`         | No                   | Server port (default: 3000)            |
-| `HOST`         | No                   | Bind address (default: 0.0.0.0)        |
-| `OAUTH_SECRET` | **Yes (production)** | Secret key for encrypting OAuth tokens |
-
-> ⚠️ **Important**: Always set `OAUTH_SECRET` in production. Generate a random secret:
->
-> ```bash
-> openssl rand -base64 32
-> ```
+> **Important**: Always set `OAUTH_SECRET` in production for secure OAuth token encryption.
 
-### Configure Claude Desktop Custom Connector
+### Configure Claude Desktop
 
-1. Open Claude Desktop Settings
-2. Go to **Custom Connectors** (beta)
-3. Click **Add custom connector**
-4. Configure:
-   - **Name**: `Productive`
-   - **Remote MCP server URL**: `https://productive.mcp.example.com/mcp`
-   - **Authorization URL**: `https://productive.mcp.example.com/authorize`
-   - **Token URL**: `https://productive.mcp.example.com/token`
-5. Claude will redirect you to a login form to enter your Productive credentials
-6. After login, you're connected and can start using Productive tools
+1. Open Claude Desktop **Settings → Custom Connectors**
+2. Add a custom connector:
+   - **Remote MCP server URL**: `https://your-server.example.com/mcp`
+   - **Authorization URL**: `https://your-server.example.com/authorize`
+   - **Token URL**: `https://your-server.example.com/token`
+3. Users log in with their own Productive credentials via the OAuth form
 
-### Alternative: Manual Bearer Token
-
-If you prefer not to use OAuth, you can generate a Bearer token manually:
-
-```bash
-# Format: base64(organizationId:apiToken:userId)
-echo -n "YOUR_ORG_ID:YOUR_API_TOKEN:YOUR_USER_ID" | base64
-```
-
-Example:
-
-```bash
-echo -n "12345:pk_abc123xyz:67890" | base64
-# Output: MTIzNDU6cGtfYWJjMTIzeHl6OjY3ODkw
-```
+The OAuth implementation is **stateless** — credentials are encrypted directly into the token, no database required.
 
 ### Server Endpoints
 
-| Endpoint                                  | Method | Description                         |
-| ----------------------------------------- | ------ | ----------------------------------- |
-| `/mcp`                                    | POST   | MCP JSON-RPC endpoint               |
-| `/health`                                 | GET    | Health check                        |
-| `/`                                       | GET    | Server info                         |
-| `/authorize`                              | GET    | OAuth authorization (login form)    |
-| `/authorize`                              | POST   | OAuth authorization (process login) |
-| `/token`                                  | POST   | OAuth token exchange                |
-| `/.well-known/oauth-authorization-server` | GET    | OAuth metadata                      |
+| Endpoint                                  | Method   | Description                      |
+| ----------------------------------------- | -------- | -------------------------------- |
+| `/mcp`                                    | POST     | MCP JSON-RPC endpoint            |
+| `/health`                                 | GET      | Health check                     |
+| `/authorize`                              | GET/POST | OAuth authorization (login form) |
+| `/token`                                  | POST     | OAuth token exchange             |
+| `/.well-known/oauth-authorization-server` | GET      | OAuth metadata                   |
 
----
+### Environment Variables
+
+| Variable       | Required         | Description                        |
+| -------------- | ---------------- | ---------------------------------- |
+| `PORT`         | No               | Server port (default: 3000)        |
+| `HOST`         | No               | Bind address (default: 0.0.0.0)    |
+| `OAUTH_SECRET` | Yes (production) | Secret for encrypting OAuth tokens |
 
 ## The `productive` Tool
 
-The MCP server exposes a single unified tool optimized for minimal token usage:
+A single unified tool for all Productive.io operations:
 
 ```
 productive(resource, action, ...)
@@ -206,287 +101,64 @@ productive(resource, action, ...)
 
 ### Resources & Actions
 
-| Resource   | Actions                                     | Description        |
-| ---------- | ------------------------------------------- | ------------------ |
-| `projects` | `list`, `get`                               | Project management |
-| `time`     | `list`, `get`, `create`, `update`, `delete` | Time tracking      |
-| `tasks`    | `list`, `get`                               | Task management    |
-| `services` | `list`                                      | Budget line items  |
-| `people`   | `list`, `get`, `me`                         | Team members       |
-
-### Parameters
-
-| Parameter    | Type    | Description                                                             |
-| ------------ | ------- | ----------------------------------------------------------------------- |
-| `resource`   | string  | **Required**. One of: `projects`, `time`, `tasks`, `services`, `people` |
-| `action`     | string  | **Required**. Action to perform (see table above)                       |
-| `id`         | string  | Resource ID (required for `get`, `update`, `delete`)                    |
-| `filter`     | object  | Filter criteria for `list` actions                                      |
-| `page`       | number  | Page number for pagination                                              |
-| `per_page`   | number  | Items per page (default: 20, max: 200)                                  |
-| `compact`    | boolean | Compact output mode (default: true)                                     |
-| `person_id`  | string  | Person ID (for time entry creation)                                     |
-| `service_id` | string  | Service ID (for time entry creation)                                    |
-| `time`       | number  | Time in minutes (for time entries)                                      |
-| `date`       | string  | Date in YYYY-MM-DD format                                               |
-| `note`       | string  | Note/description                                                        |
-
-### Filter Options
-
-#### Projects
-
-- `company_id` - Filter by company
-- `project_manager_id` - Filter by project manager
-
-#### Time Entries
-
-- `person_id` - Filter by person
-- `project_id` - Filter by project
-- `service_id` - Filter by service
-- `after` - After date (YYYY-MM-DD)
-- `before` - Before date (YYYY-MM-DD)
-
-#### Tasks
-
-- `project_id` - Filter by project
-- `assignee_id` - Filter by assignee
-- `task_list_id` - Filter by task list
-
-#### Services
-
-- `project_id` - Filter by project
-- `deal_id` - Filter by deal
-
-#### People
-
-- `archived` - Include archived (boolean)
+| Resource    | Actions                                     |
+| ----------- | ------------------------------------------- |
+| `projects`  | `list`, `get`                               |
+| `time`      | `list`, `get`, `create`, `update`, `delete` |
+| `tasks`     | `list`, `get`, `create`, `update`           |
+| `services`  | `list`                                      |
+| `people`    | `list`, `get`, `me`                         |
+| `companies` | `list`, `get`, `create`, `update`           |
+| `comments`  | `list`, `get`, `create`, `update`           |
+| `timers`    | `list`, `get`, `start`, `stop`              |
+| `deals`     | `list`, `get`, `create`, `update`           |
+| `bookings`  | `list`, `get`, `create`, `update`           |
+| `reports`   | `get` (11 report types)                     |
+
+Use `action="help"` with any resource for detailed documentation on available parameters and filters.
+
+### Common Parameters
+
+| Parameter           | Type     | Description                                                   |
+| ------------------- | -------- | ------------------------------------------------------------- |
+| `resource`          | string   | **Required** — resource name (see table above)                |
+| `action`            | string   | **Required** — action to perform                              |
+| `id`                | string   | Resource ID (for `get`, `update`, `delete`)                   |
+| `filter`            | object   | Filter criteria for `list` actions                            |
+| `page` / `per_page` | number   | Pagination (default: 20 items per page, max: 200)             |
+| `compact`           | boolean  | Compact output (default: true for list, false for get)        |
+| `include`           | string[] | Related resources to include (e.g. `["project", "assignee"]`) |
+| `query`             | string   | Text search for `list` actions                                |
 
 ### Configuration Tools (Local mode only)
 
-| Tool                    | Description                                              |
-| ----------------------- | -------------------------------------------------------- |
-| `productive_configure`  | Configure credentials (organizationId, apiToken, userId) |
-| `productive_get_config` | View current configuration (token masked)                |
-
----
+| Tool                    | Description                                        |
+| ----------------------- | -------------------------------------------------- |
+| `productive_configure`  | Set credentials (organizationId, apiToken, userId) |
+| `productive_get_config` | View current configuration (token masked)          |
 
 ## Usage Examples
 
-### First Time Setup (Local Mode)
-
 ```
-You: "Configure my Productive.io credentials"
-Claude: "I'll help you set up. Please provide your Organization ID and API Token..."
-```
-
-### List Projects
+"Show me all projects"
+→ productive(resource="projects", action="list")
 
-```
-You: "Show me all projects"
-Claude uses: productive(resource="projects", action="list")
-```
+"Log 2 hours today on service 456"
+→ productive(resource="time", action="create", service_id="456", time=120, date="2025-01-15")
 
-### Get Project Details
+"What did I work on last week?"
+→ productive(resource="time", action="list", filter={person_id: "me", after: "2025-01-08", before: "2025-01-14"})
 
+"Show tasks for project 789"
+→ productive(resource="tasks", action="list", filter={project_id: "789"})
 ```
-You: "Get details for project 12345"
-Claude uses: productive(resource="projects", action="get", id="12345")
-```
-
-### Create Time Entry
-
-```
-You: "Log 2 hours today on service 456"
-Claude uses: productive(resource="time", action="create", person_id="...", service_id="456", time=120, date="2024-01-15")
-```
-
-### List My Time Entries
-
-```
-You: "What did I work on last week?"
-Claude uses: productive(resource="time", action="list", filter={person_id: "...", after: "2024-01-08", before: "2024-01-14"})
-```
-
-### Get Current User
-
-```
-You: "Who am I logged in as?"
-Claude uses: productive(resource="people", action="me")
-```
-
-### List Tasks for a Project
-
-```
-You: "Show tasks for project 789"
-Claude uses: productive(resource="tasks", action="list", filter={project_id: "789"})
-```
-
----
-
-## Get Your Productive.io Credentials
-
-1. Log into [Productive.io](https://productive.io)
-2. Go to **Settings → Integrations → API**
-3. Generate an API token
-4. Note your Organization ID (visible in URL or API settings)
-5. Note your User ID (click your profile, visible in URL)
-
----
-
-## Development
-
-```bash
-# Clone the repository
-git clone https://github.com/studiometa/productive-tools
-cd productive-tools
-
-# Install dependencies
-npm install
-
-# Build all packages
-npm run build
-
-# Or build only MCP package
-npm run build -w @studiometa/productive-mcp
-
-# Development mode (watch)
-npm run dev -w @studiometa/productive-mcp
-
-# Run tests
-npm test -w @studiometa/productive-mcp
-
-# Test local server
-node packages/productive-mcp/dist/index.js
-
-# Test HTTP server
-node packages/productive-mcp/dist/server.js
-```
-
-### Testing the HTTP Server
-
-```bash
-# Start the server
-PORT=3000 node packages/productive-mcp/dist/server.js
-
-# Generate a test token
-TOKEN=$(echo -n "YOUR_ORG_ID:YOUR_API_TOKEN:YOUR_USER_ID" | base64)
-
-# Test health endpoint
-curl http://localhost:3000/health
-
-# Test MCP endpoint - list tools
-curl -X POST http://localhost:3000/mcp \
-  -H "Authorization: Bearer $TOKEN" \
-  -H "Content-Type: application/json" \
-  -d '{"jsonrpc":"2.0","method":"tools/list","params":{},"id":1}'
-
-# List projects
-curl -X POST http://localhost:3000/mcp \
-  -H "Authorization: Bearer $TOKEN" \
-  -H "Content-Type: application/json" \
-  -d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"productive","arguments":{"resource":"projects","action":"list"}},"id":2}'
-
-# Get a specific project
-curl -X POST http://localhost:3000/mcp \
-  -H "Authorization: Bearer $TOKEN" \
-  -H "Content-Type: application/json" \
-  -d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"productive","arguments":{"resource":"projects","action":"get","id":"12345"}},"id":3}'
-```
-
----
-
-## Troubleshooting
-
-### Local mode: Credentials not found
-
-```bash
-# Check environment variables
-echo $PRODUCTIVE_ORG_ID
-echo $PRODUCTIVE_API_TOKEN
-
-# Or use the configure tool via Claude
-```
-
-### HTTP mode: 401 Unauthorized
-
-- Verify your token is correctly base64-encoded
-- Check that orgId:apiToken:userId are separated by colons
-- Ensure no newlines in the base64 output
-
-### Docker: View logs
-
-```bash
-docker logs productive-mcp-server -f
-```
-
-### Test server manually (local mode)
-
-```bash
-echo '{"jsonrpc":"2.0","method":"tools/list","params":{},"id":1}' | productive-mcp
-```
-
----
 
 ## Requirements
 
-- Node.js 20+
+- Node.js 24+
 - Productive.io account with API access
-- Docker (optional, for server deployment)
-
-## Architecture
-
-```
-productive-mcp/
-├── src/
-│   ├── index.ts      # Stdio transport (local mode)
-│   ├── server.ts     # HTTP transport (remote mode)
-│   ├── http.ts       # HTTP routes and MCP endpoint
-│   ├── oauth.ts      # OAuth 2.0 endpoints
-│   ├── crypto.ts     # Encryption for stateless OAuth tokens
-│   ├── tools.ts      # Tool definitions (single unified tool)
-│   ├── handlers.ts   # Tool execution logic
-│   ├── formatters.ts # Response formatting with compact mode
-│   └── auth.ts       # Bearer token parsing
-├── Dockerfile
-└── README.md
-```
-
-### Token Optimization
-
-The server uses a single unified `productive` tool instead of multiple individual tools. This reduces the tool schema from ~1300 tokens to ~180 tokens (86% reduction), which:
-
-- Reduces context window usage
-- Minimizes compaction frequency
-- Improves response times
-
-### OAuth Flow (Stateless)
-
-The OAuth implementation is **stateless** - no database or session storage required:
-
-1. User visits `/authorize` → sees login form
-2. User enters Productive credentials (org ID, API token, user ID)
-3. Server encrypts credentials into the authorization code using `OAUTH_SECRET`
-4. Redirects back to Claude with the encrypted code
-5. Claude calls `/token` with the code
-6. Server decrypts the code → returns access token (base64 credentials)
-7. All MCP requests include this token in the `Authorization: Bearer` header
-
-This approach keeps the server stateless while securely passing credentials through the OAuth flow.
-
-## Related Packages
-
-- [@studiometa/productive-cli](../productive-cli) - CLI tool for Productive.io
-- [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/sdk) - Official MCP SDK
-- [h3](https://github.com/unjs/h3) - HTTP framework for the server
+- Docker (optional, for remote deployment)
 
 ## License
 
 MIT © [Studio Meta](https://www.studiometa.fr)
-
-## Links
-
-- [GitHub Repository](https://github.com/studiometa/productive-tools)
-- [Productive.io API Docs](https://developer.productive.io)
-- [MCP Documentation](https://modelcontextprotocol.io)
-- [Claude Desktop Custom Connectors](https://docs.anthropic.com)
-- [Issues](https://github.com/studiometa/productive-tools/issues)

package/dist/auth.js

@@ -1,40 +1,41 @@
+/**
+* Parse Bearer token containing Productive credentials
+* Token format: base64(organizationId:apiToken) or base64(organizationId:apiToken:userId)
+*
+* @param authHeader - Authorization header value (e.g., "Bearer base64...")
+* @returns Parsed credentials or null if invalid
+*/
 function parseAuthHeader(authHeader) {
-  if (!authHeader) {
-    return null;
-  }
-  const match = authHeader.match(/^Bearer\s+(.+)$/i);
-  if (!match) {
-    return null;
-  }
-  const token = match[1];
-  try {
-    const decoded = Buffer.from(token, "base64").toString("utf-8");
-    const parts = decoded.split(":");
-    if (parts.length < 2) {
-      return null;
-    }
-    const [organizationId, apiToken, userId] = parts;
-    if (!organizationId || !apiToken) {
-      return null;
-    }
-    return {
-      organizationId,
-      apiToken,
-      userId: userId || void 0
-    };
-  } catch {
-    return null;
-  }
+	if (!authHeader) return null;
+	const match = authHeader.match(/^Bearer\s+(.+)$/i);
+	if (!match) return null;
+	const token = match[1];
+	try {
+		const parts = Buffer.from(token, "base64").toString("utf-8").split(":");
+		if (parts.length < 2) return null;
+		const [organizationId, apiToken, userId] = parts;
+		if (!organizationId || !apiToken) return null;
+		return {
+			organizationId,
+			apiToken,
+			userId: userId || void 0
+		};
+	} catch {
+		return null;
+	}
 }
+/**
+* Create a Bearer token from Productive credentials
+* Useful for documentation and testing
+*
+* @param credentials - Productive credentials
+* @returns Base64 encoded token (without "Bearer " prefix)
+*/
 function createAuthToken(credentials) {
-  const parts = [credentials.organizationId, credentials.apiToken];
-  if (credentials.userId) {
-    parts.push(credentials.userId);
-  }
-  return Buffer.from(parts.join(":")).toString("base64");
+	const parts = [credentials.organizationId, credentials.apiToken];
+	if (credentials.userId) parts.push(credentials.userId);
+	return Buffer.from(parts.join(":")).toString("base64");
 }
-export {
-  createAuthToken,
-  parseAuthHeader
-};
-//# sourceMappingURL=auth.js.map
+export { createAuthToken, parseAuthHeader };
+
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","sources":["../src/auth.ts"],"sourcesContent":["/**\n * Authentication utilities for Productive MCP server\n */\n\nexport interface ProductiveCredentials {\n  organizationId: string;\n  apiToken: string;\n  userId?: string;\n}\n\n/**\n * Parse Bearer token containing Productive credentials\n * Token format: base64(organizationId:apiToken) or base64(organizationId:apiToken:userId)\n *\n * @param authHeader - Authorization header value (e.g., \"Bearer base64...\")\n * @returns Parsed credentials or null if invalid\n */\nexport function parseAuthHeader(\n  authHeader: string | undefined | null,\n): ProductiveCredentials | null {\n  if (!authHeader) {\n    return null;\n  }\n\n  const match = authHeader.match(/^Bearer\\s+(.+)$/i);\n  if (!match) {\n    return null;\n  }\n\n  const token = match[1];\n\n  try {\n    const decoded = Buffer.from(token, 'base64').toString('utf-8');\n    const parts = decoded.split(':');\n\n    if (parts.length < 2) {\n      return null;\n    }\n\n    const [organizationId, apiToken, userId] = parts;\n\n    if (!organizationId || !apiToken) {\n      return null;\n    }\n\n    return {\n      organizationId,\n      apiToken,\n      userId: userId || undefined,\n    };\n  } catch {\n    return null;\n  }\n}\n\n/**\n * Create a Bearer token from Productive credentials\n * Useful for documentation and testing\n *\n * @param credentials - Productive credentials\n * @returns Base64 encoded token (without \"Bearer \" prefix)\n */\nexport function createAuthToken(credentials: ProductiveCredentials): string {\n  const parts = [credentials.organizationId, credentials.apiToken];\n  if (credentials.userId) {\n    parts.push(credentials.userId);\n  }\n  return Buffer.from(parts.join(':')).toString('base64');\n}\n"],"names":[],"mappings":"AAiBO,SAAS,gBACd,YAC8B;AAC9B,MAAI,CAAC,YAAY;AACf,WAAO;AAAA,EACT;AAEA,QAAM,QAAQ,WAAW,MAAM,kBAAkB;AACjD,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,EACT;AAEA,QAAM,QAAQ,MAAM,CAAC;AAErB,MAAI;AACF,UAAM,UAAU,OAAO,KAAK,OAAO,QAAQ,EAAE,SAAS,OAAO;AAC7D,UAAM,QAAQ,QAAQ,MAAM,GAAG;AAE/B,QAAI,MAAM,SAAS,GAAG;AACpB,aAAO;AAAA,IACT;AAEA,UAAM,CAAC,gBAAgB,UAAU,MAAM,IAAI;AAE3C,QAAI,CAAC,kBAAkB,CAAC,UAAU;AAChC,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA,QAAQ,UAAU;AAAA,IAAA;AAAA,EAEtB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AASO,SAAS,gBAAgB,aAA4C;AAC1E,QAAM,QAAQ,CAAC,YAAY,gBAAgB,YAAY,QAAQ;AAC/D,MAAI,YAAY,QAAQ;AACtB,UAAM,KAAK,YAAY,MAAM;AAAA,EAC/B;AACA,SAAO,OAAO,KAAK,MAAM,KAAK,GAAG,CAAC,EAAE,SAAS,QAAQ;AACvD;"}
+{"version":3,"file":"auth.js","names":[],"sources":["../src/auth.ts"],"sourcesContent":["/**\n * Authentication utilities for Productive MCP server\n */\n\nexport interface ProductiveCredentials {\n  organizationId: string;\n  apiToken: string;\n  userId?: string;\n}\n\n/**\n * Parse Bearer token containing Productive credentials\n * Token format: base64(organizationId:apiToken) or base64(organizationId:apiToken:userId)\n *\n * @param authHeader - Authorization header value (e.g., \"Bearer base64...\")\n * @returns Parsed credentials or null if invalid\n */\nexport function parseAuthHeader(\n  authHeader: string | undefined | null,\n): ProductiveCredentials | null {\n  if (!authHeader) {\n    return null;\n  }\n\n  const match = authHeader.match(/^Bearer\\s+(.+)$/i);\n  if (!match) {\n    return null;\n  }\n\n  const token = match[1];\n\n  try {\n    const decoded = Buffer.from(token, 'base64').toString('utf-8');\n    const parts = decoded.split(':');\n\n    if (parts.length < 2) {\n      return null;\n    }\n\n    const [organizationId, apiToken, userId] = parts;\n\n    if (!organizationId || !apiToken) {\n      return null;\n    }\n\n    return {\n      organizationId,\n      apiToken,\n      userId: userId || undefined,\n    };\n  } catch {\n    return null;\n  }\n}\n\n/**\n * Create a Bearer token from Productive credentials\n * Useful for documentation and testing\n *\n * @param credentials - Productive credentials\n * @returns Base64 encoded token (without \"Bearer \" prefix)\n */\nexport function createAuthToken(credentials: ProductiveCredentials): string {\n  const parts = [credentials.organizationId, credentials.apiToken];\n  if (credentials.userId) {\n    parts.push(credentials.userId);\n  }\n  return Buffer.from(parts.join(':')).toString('base64');\n}\n"],"mappings":";;;;;;;AAiBA,SAAgB,gBACd,YAC8B;AAC9B,KAAI,CAAC,WACH,QAAO;CAGT,MAAM,QAAQ,WAAW,MAAM,mBAAmB;AAClD,KAAI,CAAC,MACH,QAAO;CAGT,MAAM,QAAQ,MAAM;AAEpB,KAAI;EAEF,MAAM,QADU,OAAO,KAAK,OAAO,SAAS,CAAC,SAAS,QAAQ,CACxC,MAAM,IAAI;AAEhC,MAAI,MAAM,SAAS,EACjB,QAAO;EAGT,MAAM,CAAC,gBAAgB,UAAU,UAAU;AAE3C,MAAI,CAAC,kBAAkB,CAAC,SACtB,QAAO;AAGT,SAAO;GACL;GACA;GACA,QAAQ,UAAU,KAAA;GACnB;SACK;AACN,SAAO;;;;;;;;;;AAWX,SAAgB,gBAAgB,aAA4C;CAC1E,MAAM,QAAQ,CAAC,YAAY,gBAAgB,YAAY,SAAS;AAChE,KAAI,YAAY,OACd,OAAM,KAAK,YAAY,OAAO;AAEhC,QAAO,OAAO,KAAK,MAAM,KAAK,IAAI,CAAC,CAAC,SAAS,SAAS"}