@wootsup/mcp 0.1.0 → 0.3.0

package/dist/sites/secret-resolver.d.ts

@@ -0,0 +1,47 @@
+import { type SiteEntryT } from "./schema.js";
+/**
+ * Resolve the `op` binary to an absolute path so it works under a stripped-down
+ * GUI PATH. Precedence: explicit `APIMAPPER_OP_BINARY` env override → first
+ * existing well-known absolute path → bare `op` (PATH).
+ */
+export declare function resolveOpBinary(env?: NodeJS.ProcessEnv): string;
+/** Resolved bearer + its provenance for downstream logs (never the token). */
+export interface ResolvedBearer {
+    readonly token: string;
+    readonly source: "plain" | "op";
+}
+/** Domain-tagged error so callers can branch on `code`. */
+export declare class SecretResolverError extends Error {
+    readonly code: string;
+    constructor(code: string, message: string);
+}
+/**
+ * Signature of `node:child_process.execFile` reduced to the callback we rely
+ * on. Injecting this lets tests provide a deterministic substitute without a
+ * `vi.mock('node:child_process')` side-effect.
+ */
+export type ExecFileLike = (file: string, args: readonly string[], options: {
+    timeout?: number;
+    maxBuffer?: number;
+}, callback: (error: (Error & {
+    code?: string | number;
+    signal?: string;
+}) | null, stdout: string, stderr: string) => void) => void;
+export interface ResolveSiteBearerOptions {
+    /** Injected execFile for tests. Defaults to Node's real execFile. */
+    execFile?: ExecFileLike;
+    /** Resolved `op` binary path. Defaults to {@link resolveOpBinary}. */
+    opBinary?: string;
+    /** Per-call timeout override. Defaults to {@link OP_TIMEOUT_MS}. */
+    timeoutMs?: number;
+}
+/**
+ * Resolve the bearer token for a site entry.
+ *
+ *   - `bearer` present  → returned verbatim (`source:'plain'`).
+ *   - `bearer_ref` set  → `op read <ref>` via execFile (`source:'op'`).
+ *   - neither           → throws SecretResolverError('BEARER_MISSING').
+ *
+ * Never logs the token; never mutates the input site.
+ */
+export declare function resolveSiteBearer(site: SiteEntryT, opts?: ResolveSiteBearerOptions): Promise<ResolvedBearer>;

package/dist/sites/secret-resolver.js

@@ -0,0 +1,150 @@
+// src/sites/secret-resolver.ts — Phase 3.
+//
+// Produce a bearer token for a SiteEntryT at call time, supporting either a
+// plain in-file token (`bearer`) or a 1Password Secret Reference (`bearer_ref`)
+// resolved through the `op` CLI. Mirrors the YT Builder defence model
+// (yt-builder-mcp/packages/mcp/src/sites/secret-resolver.ts), kept simple:
+//
+//   - `execFile`, NEVER `exec`/`spawn` with `shell:true`. `op read <ref>` runs
+//     as a direct argv invocation — no shell, no metacharacter expansion. The
+//     schema enforces OP_REF_REGEX on load; we re-enforce it here as
+//     defence-in-depth (a hand-edited sites.json could otherwise sneak a
+//     payload past validation).
+//   - Hard timeout so a biometric-stalled `op` can't wedge the agent loop.
+//   - Pluggable `execFile` for testing — no global child_process monkey-patch.
+import { execFile as nodeExecFile } from "node:child_process";
+import { existsSync } from "node:fs";
+import { OP_REF_REGEX } from "./schema.js";
+/** Hard cap for any single `op read` invocation. */
+const OP_TIMEOUT_MS = 5_000;
+/**
+ * Common absolute install locations for the 1Password CLI. GUI-spawned MCP
+ * hosts (Claude Desktop, etc.) launch the server subprocess with a minimal
+ * PATH that usually omits `/opt/homebrew/bin` and `/usr/local/bin`, so a bare
+ * `op` resolves to ENOENT even when `op` works in the user's shell. Probe these
+ * absolute paths before falling back to PATH.
+ */
+const OP_BINARY_CANDIDATES = [
+    "/opt/homebrew/bin/op",
+    "/usr/local/bin/op",
+    "/usr/bin/op",
+];
+/**
+ * Resolve the `op` binary to an absolute path so it works under a stripped-down
+ * GUI PATH. Precedence: explicit `APIMAPPER_OP_BINARY` env override → first
+ * existing well-known absolute path → bare `op` (PATH).
+ */
+export function resolveOpBinary(env = process.env) {
+    const override = (env.APIMAPPER_OP_BINARY ?? "").trim();
+    if (override.length > 0)
+        return override;
+    for (const candidate of OP_BINARY_CANDIDATES) {
+        try {
+            if (existsSync(candidate))
+                return candidate;
+        }
+        catch {
+            // ignore stat errors and keep probing
+        }
+    }
+    return "op";
+}
+/** Domain-tagged error so callers can branch on `code`. */
+export class SecretResolverError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+        this.name = "SecretResolverError";
+        Object.setPrototypeOf(this, SecretResolverError.prototype);
+    }
+}
+/** Default adapter wrapping Node's real `execFile` with utf8 encoding. */
+const defaultExecFile = (file, args, options, callback) => {
+    nodeExecFile(file, args, { ...options, encoding: "utf8" }, (err, stdout, stderr) => {
+        callback(err, stdout, stderr);
+    });
+};
+const OP_EXIT_CODE_HINTS = {
+    6: "Not signed in to 1Password CLI. Run `op signin` and retry.",
+    1: "Generic op CLI error — verify the secret reference exists and the vault is accessible.",
+};
+/**
+ * Resolve the bearer token for a site entry.
+ *
+ *   - `bearer` present  → returned verbatim (`source:'plain'`).
+ *   - `bearer_ref` set  → `op read <ref>` via execFile (`source:'op'`).
+ *   - neither           → throws SecretResolverError('BEARER_MISSING').
+ *
+ * Never logs the token; never mutates the input site.
+ */
+export async function resolveSiteBearer(site, opts = {}) {
+    if (site.bearer !== undefined && site.bearer.length > 0) {
+        return { token: site.bearer, source: "plain" };
+    }
+    const ref = site.bearer_ref;
+    if (ref === undefined || ref.length === 0) {
+        throw new SecretResolverError("BEARER_MISSING", `Site '${site.site_id}' has neither an inline 'bearer' nor a 'bearer_ref'.`);
+    }
+    // Defence-in-depth: re-validate the ref shape BEFORE it reaches a subprocess
+    // argv. The schema enforces this on load; a hand-edited sites.json could
+    // bypass that.
+    if (!OP_REF_REGEX.test(ref)) {
+        throw new SecretResolverError("OP_REF_INVALID", `Site '${site.site_id}' has an invalid 'bearer_ref' shape — must match op://<vault>/<item>/<field>.`);
+    }
+    const execFile = opts.execFile ?? defaultExecFile;
+    const opBinary = opts.opBinary ?? resolveOpBinary();
+    const timeoutMs = opts.timeoutMs ?? OP_TIMEOUT_MS;
+    const stdout = await runOpRead(execFile, opBinary, ref, timeoutMs, site.site_id);
+    const token = stdout.trim();
+    if (token.length === 0) {
+        throw new SecretResolverError("OP_EMPTY_OUTPUT", `op returned empty output for '${ref}' — verify the field exists and is non-empty.`);
+    }
+    return { token, source: "op" };
+}
+/** Invoke `op read <ref>` with a hard timeout that survives a stalled child. */
+function runOpRead(execFile, opBinary, ref, timeoutMs, siteId) {
+    return new Promise((resolve, reject) => {
+        let settled = false;
+        const timer = setTimeout(() => {
+            if (settled)
+                return;
+            settled = true;
+            reject(new SecretResolverError("OP_TIMEOUT", `op read '${ref}' exceeded ${timeoutMs}ms — is 1Password CLI hung on a biometric prompt?`));
+        }, timeoutMs);
+        if (typeof timer.unref === "function")
+            timer.unref();
+        execFile(opBinary, ["read", ref], { timeout: timeoutMs, maxBuffer: 1024 * 64 }, (err, stdout, stderr) => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timer);
+            if (err) {
+                reject(mapExecError(err, stderr, ref, siteId));
+                return;
+            }
+            resolve(stdout);
+        });
+    });
+}
+function mapExecError(err, stderr, ref, siteId) {
+    const codeStr = typeof err.code === "string" ? err.code : "";
+    const codeNum = typeof err.code === "number" ? err.code : NaN;
+    if (codeStr === "ENOENT") {
+        return new SecretResolverError("OP_CLI_MISSING", `op CLI not found for site '${siteId}' — install 1Password CLI (or set APIMAPPER_OP_BINARY), ` +
+            "or use an inline 'bearer' field instead of 'bearer_ref'.");
+    }
+    const stderrLower = (stderr || "").toLowerCase();
+    if (stderrLower.includes("isn't an item") || stderrLower.includes("item not found")) {
+        return new SecretResolverError("OP_ITEM_NOT_FOUND", `1Password item not found at '${ref}'. Verify the ref points to an existing item.`);
+    }
+    if (Number.isFinite(codeNum)) {
+        const hint = OP_EXIT_CODE_HINTS[codeNum];
+        if (codeNum === 6) {
+            return new SecretResolverError("OP_NOT_SIGNED_IN", hint ?? "op exited 6 — not signed in.");
+        }
+        return new SecretResolverError("OP_EXEC_FAILED", `op read '${ref}' failed with exit ${codeNum}: ${(stderr || "").trim() || (hint ?? "no stderr")}`);
+    }
+    return new SecretResolverError("OP_EXEC_FAILED", `op read '${ref}' failed: ${err.message}`);
+}
+//# sourceMappingURL=secret-resolver.js.map

package/dist/sites/secret-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-resolver.js","sourceRoot":"","sources":["../../src/sites/secret-resolver.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAC1C,EAAE;AACF,4EAA4E;AAC5E,gFAAgF;AAChF,sEAAsE;AACtE,2EAA2E;AAC3E,EAAE;AACF,+EAA+E;AAC/E,8EAA8E;AAC9E,qEAAqE;AACrE,yEAAyE;AACzE,gCAAgC;AAChC,2EAA2E;AAC3E,+EAA+E;AAE/E,OAAO,EAAE,QAAQ,IAAI,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAErC,OAAO,EAAE,YAAY,EAAmB,MAAM,aAAa,CAAC;AAE5D,oDAAoD;AACpD,MAAM,aAAa,GAAG,KAAK,CAAC;AAE5B;;;;;;GAMG;AACH,MAAM,oBAAoB,GAAsB;IAC9C,sBAAsB;IACtB,mBAAmB;IACnB,aAAa;CACd,CAAC;AAEF;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,MAAyB,OAAO,CAAC,GAAG;IAClE,MAAM,QAAQ,GAAG,CAAC,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACxD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,QAAQ,CAAC;IACzC,KAAK,MAAM,SAAS,IAAI,oBAAoB,EAAE,CAAC;QAC7C,IAAI,CAAC;YACH,IAAI,UAAU,CAAC,SAAS,CAAC;gBAAE,OAAO,SAAS,CAAC;QAC9C,CAAC;QAAC,MAAM,CAAC;YACP,sCAAsC;QACxC,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAQD,2DAA2D;AAC3D,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAE1B;IADlB,YACkB,IAAY,EAC5B,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,SAAI,GAAJ,IAAI,CAAQ;QAI5B,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;QAClC,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,mBAAmB,CAAC,SAAS,CAAC,CAAC;IAC7D,CAAC;CACF;AAkBD,0EAA0E;AAC1E,MAAM,eAAe,GAAiB,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE;IACtE,YAAY,CACV,IAAI,EACJ,IAAgB,EAChB,EAAE,GAAG,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAChC,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;QACtB,QAAQ,CACN,GAAmE,EACnE,MAAM,EACN,MAAM,CACP,CAAC;IACJ,CAAC,CACF,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,kBAAkB,GAA2B;IACjD,CAAC,EAAE,4DAA4D;IAC/D,CAAC,EAAE,wFAAwF;CAC5F,CAAC;AAWF;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,IAAgB,EAChB,OAAiC,EAAE;IAEnC,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxD,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IACjD,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC;IAC5B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,mBAAmB,CAC3B,gBAAgB,EAChB,SAAS,IAAI,CAAC,OAAO,sDAAsD,CAC5E,CAAC;IACJ,CAAC;IAED,6EAA6E;IAC7E,yEAAyE;IACzE,eAAe;IACf,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,mBAAmB,CAC3B,gBAAgB,EAChB,SAAS,IAAI,CAAC,OAAO,+EAA+E,CACrG,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,eAAe,CAAC;IAClD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,eAAe,EAAE,CAAC;IACpD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,aAAa,CAAC;IAElD,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;IACjF,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,mBAAmB,CAC3B,iBAAiB,EACjB,iCAAiC,GAAG,+CAA+C,CACpF,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAED,gFAAgF;AAChF,SAAS,SAAS,CAChB,QAAsB,EACtB,QAAgB,EAChB,GAAW,EACX,SAAiB,EACjB,MAAc;IAEd,OAAO,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC7C,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,MAAM,CACJ,IAAI,mBAAmB,CACrB,YAAY,EACZ,YAAY,GAAG,cAAc,SAAS,mDAAmD,CAC1F,CACF,CAAC;QACJ,CAAC,EAAE,SAAS,CAAC,CAAC;QACd,IAAI,OAAO,KAAK,CAAC,KAAK,KAAK,UAAU;YAAE,KAAK,CAAC,KAAK,EAAE,CAAC;QAErD,QAAQ,CACN,QAAQ,EACR,CAAC,MAAM,EAAE,GAAG,CAAC,EACb,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,GAAG,EAAE,EAAE,EAC5C,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YACtB,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,CAAC,YAAY,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC;gBAC/C,OAAO;YACT,CAAC;YACD,OAAO,CAAC,MAAM,CAAC,CAAC;QAClB,CAAC,CACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,YAAY,CACnB,GAAwD,EACxD,MAAc,EACd,GAAW,EACX,MAAc;IAEd,MAAM,OAAO,GAAG,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7D,MAAM,OAAO,GAAG,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC;IAE9D,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzB,OAAO,IAAI,mBAAmB,CAC5B,gBAAgB,EAChB,8BAA8B,MAAM,0DAA0D;YAC5F,0DAA0D,CAC7D,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACjD,IAAI,WAAW,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACpF,OAAO,IAAI,mBAAmB,CAC5B,mBAAmB,EACnB,gCAAgC,GAAG,+CAA+C,CACnF,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;QACzC,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;YAClB,OAAO,IAAI,mBAAmB,CAAC,kBAAkB,EAAE,IAAI,IAAI,8BAA8B,CAAC,CAAC;QAC7F,CAAC;QACD,OAAO,IAAI,mBAAmB,CAC5B,gBAAgB,EAChB,YAAY,GAAG,sBAAsB,OAAO,KAAK,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,WAAW,CAAC,EAAE,CAClG,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,mBAAmB,CAAC,gBAAgB,EAAE,YAAY,GAAG,aAAa,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;AAC9F,CAAC"}

package/dist/skill-instructions.d.ts

@@ -8,7 +8,7 @@ export declare const FALLBACK_INSTRUCTIONS = "Use this MCP to manage API Mapper
  *
  * Topics MUST stay in sync with SKILL_TOPICS in modules/apimapper/get-skill.ts.
  */
-export declare const SKILL_TOPIC_POINTER = "\n\n## Available skill topics\n\nFor deeper guidance on specific aspects of API Mapper, call:\n  apimapper_get_skill({ topic })\n\nAvailable topics:\n- getting-started \u2014 Quickstart, common tools, common pitfalls\n- oauth \u2014 Wiring OAuth-protected sources (Google, Pexels, Instagram, Notion, ...)\n- yootheme \u2014 Publish flows as YOOtheme sources; Save-vs-Publish\n- joomla \u2014 Joomla 3-tier auth, com_ajax envelope, system plugin layout\n- troubleshooting \u2014 HTTP status triage, flow issues, credential states\n";
+export declare const SKILL_TOPIC_POINTER = "\n\n## Available skill topics\n\nFor deeper guidance on specific aspects of API Mapper, call:\n  apimapper_get_skill({ topic })\n\nAvailable topics:\n- getting-started \u2014 Quickstart, common tools, common pitfalls\n- oauth \u2014 Wiring OAuth-protected sources (Google, Pexels, Instagram, Notion, ...)\n- yootheme \u2014 Publish flows as YOOtheme sources; Save-vs-Publish\n- joomla \u2014 Joomla 3-tier auth, com_ajax envelope, system plugin layout\n- troubleshooting \u2014 HTTP status triage, flow issues, credential states\n- render \u2014 Render a flow as a diagram (viz-type, flow-diagram output)\n- jmespath-pitfalls \u2014 The 9 traps + date-primitive functions (date_weekday, date_iso_to_time, date_iso_to_date, time_in_window) + depth-cap warning\n- merge-two-sources-on-key \u2014 Joining two sources on a shared key, including date-primitive bridging for weekday-name \u2194 ISO-datetime joins\n- conditional-style-multi-items \u2014 Per-row YOOtheme styles driven by a row field (text_color, panel_style)\n- library-template-discovery \u2014 Inspect a library template's contract before activating\n";
 /**
  * Loads MCP server instructions from skills/apimapper/SKILL.md.
  *

package/dist/skill-instructions.js

@@ -30,6 +30,11 @@ Available topics:
 - yootheme — Publish flows as YOOtheme sources; Save-vs-Publish
 - joomla — Joomla 3-tier auth, com_ajax envelope, system plugin layout
 - troubleshooting — HTTP status triage, flow issues, credential states
+- render — Render a flow as a diagram (viz-type, flow-diagram output)
+- jmespath-pitfalls — The 9 traps + date-primitive functions (date_weekday, date_iso_to_time, date_iso_to_date, time_in_window) + depth-cap warning
+- merge-two-sources-on-key — Joining two sources on a shared key, including date-primitive bridging for weekday-name ↔ ISO-datetime joins
+- conditional-style-multi-items — Per-row YOOtheme styles driven by a row field (text_color, panel_style)
+- library-template-discovery — Inspect a library template's contract before activating
 `;
 /**
  * Loads MCP server instructions from skills/apimapper/SKILL.md.

package/dist/skill-instructions.js.map

@@ -1 +1 @@
-{"version":3,"file":"skill-instructions.js","sourceRoot":"","sources":["../src/skill-instructions.ts"],"names":[],"mappings":"AAAA,2EAA2E;AAC3E,0EAA0E;AAC1E,yCAAyC;AACzC,EAAE;AACF,yEAAyE;AAEzE,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEnD,MAAM,CAAC,MAAM,qBAAqB,GAChC,8FAA8F,CAAC;AAEjG,MAAM,UAAU,GAAG,GAAG,CAAC;AAEvB;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG;;;;;;;;;;;;;CAalC,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAgB;IACpD,MAAM,OAAO,GAAG,OAAO,IAAI,WAAW,EAAE,CAAC;IACzC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;IAEnE,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,OAAO,qBAAqB,GAAG,mBAAmB,CAAC;IACrD,CAAC;IAED,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,qBAAqB,GAAG,mBAAmB,CAAC;IACrD,CAAC;IAED,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1C,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,qBAAqB,GAAG,mBAAmB,CAAC;IACrD,CAAC;IACD,yEAAyE;IACzE,qEAAqE;IACrE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,GAAG,mBAAmB,CAAC;AACzD,CAAC;AAED;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,KAAa;IACrC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,KAAK,CAAC;IACf,CAAC;IACD,iDAAiD;IACjD,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IAC1C,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;QAChB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,kEAAkE;IAClE,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;IAC/C,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;QACd,qDAAqD;QACrD,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,WAAW;IAClB,8DAA8D;IAC9D,qEAAqE;IACrE,wCAAwC;IACxC,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,OAAO,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAC7B,CAAC"}
+{"version":3,"file":"skill-instructions.js","sourceRoot":"","sources":["../src/skill-instructions.ts"],"names":[],"mappings":"AAAA,2EAA2E;AAC3E,0EAA0E;AAC1E,yCAAyC;AACzC,EAAE;AACF,yEAAyE;AAEzE,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEnD,MAAM,CAAC,MAAM,qBAAqB,GAChC,8FAA8F,CAAC;AAEjG,MAAM,UAAU,GAAG,GAAG,CAAC;AAEvB;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG;;;;;;;;;;;;;;;;;;CAkBlC,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAgB;IACpD,MAAM,OAAO,GAAG,OAAO,IAAI,WAAW,EAAE,CAAC;IACzC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;IAEnE,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,OAAO,qBAAqB,GAAG,mBAAmB,CAAC;IACrD,CAAC;IAED,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,qBAAqB,GAAG,mBAAmB,CAAC;IACrD,CAAC;IAED,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1C,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,qBAAqB,GAAG,mBAAmB,CAAC;IACrD,CAAC;IACD,yEAAyE;IACzE,qEAAqE;IACrE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,GAAG,mBAAmB,CAAC;AACzD,CAAC;AAED;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,KAAa;IACrC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,KAAK,CAAC;IACf,CAAC;IACD,iDAAiD;IACjD,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IAC1C,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;QAChB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,kEAAkE;IAClE,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;IAC/C,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;QACd,qDAAqD;QACrD,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,WAAW;IAClB,8DAA8D;IAC9D,qEAAqE;IACrE,wCAAwC;IACxC,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,OAAO,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAC7B,CAAC"}

package/dist/transports/stdio.js

@@ -1,9 +1,9 @@
-// src/transports/stdio.ts — Phase 9.1.
+// src/transports/stdio.ts
 //
 // Thin factory that connects an McpServer to a StdioServerTransport so the
-// process speaks JSON-RPC over stdin/stdout. Extracted from src/index.ts as
-// part of the multi-transport split — Task 9.2 introduces an HTTP variant
-// using the same `connect*` shape.
+// process speaks JSON-RPC over stdin/stdout. stdio is the only transport the
+// MCP server ships — it runs over stdio for both the npm/npx path and the
+// Claude Desktop DXT bundle.
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 /**
  * Connect the given McpServer to a fresh `StdioServerTransport`.

package/dist/transports/stdio.js.map

@@ -1 +1 @@
-{"version":3,"file":"stdio.js","sourceRoot":"","sources":["../../src/transports/stdio.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,EAAE;AACF,2EAA2E;AAC3E,4EAA4E;AAC5E,0EAA0E;AAC1E,mCAAmC;AAGnC,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AAEjF;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,MAAiB;IAClD,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC"}
+{"version":3,"file":"stdio.js","sourceRoot":"","sources":["../../src/transports/stdio.ts"],"names":[],"mappings":"AAAA,0BAA0B;AAC1B,EAAE;AACF,2EAA2E;AAC3E,6EAA6E;AAC7E,0EAA0E;AAC1E,6BAA6B;AAG7B,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AAEjF;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,MAAiB;IAClD,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC"}

package/dist/uninstall-skill.d.ts

@@ -0,0 +1,27 @@
+export interface UninstallSkillOptions {
+    /** Skills dir holding the `apimapper/` folder. Default: ~/.claude/skills/ */
+    targetSkillsDir?: string;
+    /** AGENTS.md file the marker was appended to. Default: ~/AGENTS.md */
+    targetAgentsFile?: string;
+}
+export interface UninstallSkillResult {
+    skillRemoved: boolean;
+    markerRemoved: boolean;
+}
+/**
+ * Strip the install-skill marker block from AGENTS.md content.
+ *
+ * install-skill appends a block of the shape:
+ *
+ *   \n\n## API Mapper MCP\n\n<MARKER_LINE>\n<one descriptive line>\n
+ *
+ * We remove the `## API Mapper MCP` heading (and any leading blank lines
+ * before it) through the descriptive line that follows the marker. The match
+ * is anchored on MARKER_LINE so an edited heading still gets cleaned as long
+ * as the marker is intact. Returns the cleaned text, or `null` if no marker
+ * was present (caller treats that as "nothing removed").
+ */
+export declare function stripMarkerBlock(content: string): string | null;
+export declare function uninstallSkill(options?: UninstallSkillOptions): Promise<UninstallSkillResult>;
+/** True iff the skill dir is present (drives the default skill-removal prompt). */
+export declare function isSkillInstalled(targetSkillsDir?: string): boolean;

package/dist/uninstall-skill.js

@@ -0,0 +1,89 @@
+// src/uninstall-skill.ts — reverse of install-skill.ts.
+//
+// uninstallSkill() removes the copied skills/apimapper/ directory and strips
+// the marker block that install-skill appended to AGENTS.md. Idempotent: a
+// missing skill dir or absent marker is a clean no-op. Preserves every other
+// skill + all other AGENTS.md content.
+import { existsSync, readFileSync, rmSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+import { MARKER_LINE } from "./install-skill.js";
+/**
+ * Strip the install-skill marker block from AGENTS.md content.
+ *
+ * install-skill appends a block of the shape:
+ *
+ *   \n\n## API Mapper MCP\n\n<MARKER_LINE>\n<one descriptive line>\n
+ *
+ * We remove the `## API Mapper MCP` heading (and any leading blank lines
+ * before it) through the descriptive line that follows the marker. The match
+ * is anchored on MARKER_LINE so an edited heading still gets cleaned as long
+ * as the marker is intact. Returns the cleaned text, or `null` if no marker
+ * was present (caller treats that as "nothing removed").
+ */
+export function stripMarkerBlock(content) {
+    if (!content.includes(MARKER_LINE))
+        return null;
+    const lines = content.split("\n");
+    const markerIdx = lines.findIndex((l) => l.trim() === MARKER_LINE.trim());
+    if (markerIdx === -1) {
+        // Marker present inline but not on its own line — fall back to a plain
+        // substring strip of the marker line itself.
+        return content.split(MARKER_LINE).join("");
+    }
+    // Walk backwards to include the `## API Mapper MCP` heading and the blank
+    // lines that separated it from the previous content.
+    let start = markerIdx;
+    // Skip a blank line directly above the marker (between heading and marker).
+    if (start > 0 && lines[start - 1].trim() === "")
+        start -= 1;
+    // Include the heading line if it is the install-skill heading.
+    if (start > 0 && lines[start - 1].trim() === "## API Mapper MCP")
+        start -= 1;
+    // Swallow leading blank separator lines above the heading.
+    while (start > 0 && lines[start - 1].trim() === "")
+        start -= 1;
+    // Walk forward to include the descriptive line(s) after the marker, up to
+    // the next blank line or EOF.
+    let end = markerIdx + 1;
+    while (end < lines.length && lines[end].trim() !== "")
+        end += 1;
+    const head = lines.slice(0, start);
+    const tail = lines.slice(end);
+    let next = [...head, ...tail].join("\n");
+    // Normalise: collapse a triple+ newline seam left by the excision and keep
+    // a single trailing newline if the original had one.
+    next = next.replace(/\n{3,}/g, "\n\n");
+    if (content.endsWith("\n") && next.length > 0 && !next.endsWith("\n")) {
+        next += "\n";
+    }
+    return next;
+}
+export async function uninstallSkill(options = {}) {
+    const targetSkillsDir = options.targetSkillsDir ?? join(homedir(), ".claude", "skills");
+    const targetAgentsFile = options.targetAgentsFile ?? join(homedir(), "AGENTS.md");
+    // 1. Remove the skill dir.
+    let skillRemoved = false;
+    const skillDir = join(targetSkillsDir, "apimapper");
+    if (existsSync(skillDir)) {
+        rmSync(skillDir, { recursive: true, force: true });
+        skillRemoved = true;
+    }
+    // 2. Strip the marker block from AGENTS.md (do NOT create it if absent).
+    let markerRemoved = false;
+    if (existsSync(targetAgentsFile)) {
+        const existing = readFileSync(targetAgentsFile, "utf8");
+        const stripped = stripMarkerBlock(existing);
+        if (stripped !== null) {
+            writeFileSync(targetAgentsFile, stripped, "utf8");
+            markerRemoved = true;
+        }
+    }
+    return { skillRemoved, markerRemoved };
+}
+/** True iff the skill dir is present (drives the default skill-removal prompt). */
+export function isSkillInstalled(targetSkillsDir) {
+    const dir = targetSkillsDir ?? join(homedir(), ".claude", "skills");
+    return existsSync(join(dir, "apimapper"));
+}
+//# sourceMappingURL=uninstall-skill.js.map

package/dist/uninstall-skill.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"uninstall-skill.js","sourceRoot":"","sources":["../src/uninstall-skill.ts"],"names":[],"mappings":"AAAA,wDAAwD;AACxD,EAAE;AACF,6EAA6E;AAC7E,2EAA2E;AAC3E,6EAA6E;AAC7E,uCAAuC;AAEvC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC1E,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAElC,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAcjD;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe;IAC9C,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAEhD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC;IAC1E,IAAI,SAAS,KAAK,CAAC,CAAC,EAAE,CAAC;QACrB,uEAAuE;QACvE,6CAA6C;QAC7C,OAAO,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,0EAA0E;IAC1E,qDAAqD;IACrD,IAAI,KAAK,GAAG,SAAS,CAAC;IACtB,4EAA4E;IAC5E,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE;QAAE,KAAK,IAAI,CAAC,CAAC;IAC5D,+DAA+D;IAC/D,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,mBAAmB;QAAE,KAAK,IAAI,CAAC,CAAC;IAC7E,2DAA2D;IAC3D,OAAO,KAAK,GAAG,CAAC,IAAI,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE;QAAE,KAAK,IAAI,CAAC,CAAC;IAE/D,0EAA0E;IAC1E,8BAA8B;IAC9B,IAAI,GAAG,GAAG,SAAS,GAAG,CAAC,CAAC;IACxB,OAAO,GAAG,GAAG,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE;QAAE,GAAG,IAAI,CAAC,CAAC;IAEhE,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IACnC,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,IAAI,GAAG,CAAC,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzC,2EAA2E;IAC3E,qDAAqD;IACrD,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACvC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACtE,IAAI,IAAI,IAAI,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,UAAiC,EAAE;IAEnC,MAAM,eAAe,GACnB,OAAO,CAAC,eAAe,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IAClE,MAAM,gBAAgB,GACpB,OAAO,CAAC,gBAAgB,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,CAAC;IAE3D,2BAA2B;IAC3B,IAAI,YAAY,GAAG,KAAK,CAAC;IACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;IACpD,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzB,MAAM,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,YAAY,GAAG,IAAI,CAAC;IACtB,CAAC;IAED,yEAAyE;IACzE,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,IAAI,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,YAAY,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,aAAa,CAAC,gBAAgB,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;YAClD,aAAa,GAAG,IAAI,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC;AACzC,CAAC;AAED,mFAAmF;AACnF,MAAM,UAAU,gBAAgB,CAAC,eAAwB;IACvD,MAAM,GAAG,GAAG,eAAe,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IACpE,OAAO,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,CAAC;AAC5C,CAAC"}

package/docs/architecture.md

@@ -11,17 +11,17 @@ internal plan-doc `~/Projekte/getimo/40-Plans/active/
    ┌──────────────────────────────────────────────────────────────┐
    │  AI client                                                   │
    │  (Claude Desktop · Claude Code · Cursor · VS Code · Cline · Codex CLI) │
-   └─────────────┬─────────────────────────────────┬──────────────┘
-                 │ stdio                            │ HTTP+OAuth2 PKCE
-                 │ (npx / DXT)                      │ (server-http.ts)
-                 ▼                                  ▼
+   └─────────────────────────────┬────────────────────────────────┘
+                                 │ stdio
+                                 │ (npx / DXT)
+                                 ▼
    ┌──────────────────────────────────────────────────────────────┐
    │  @wootsup/mcp (this package)                               │
    │                                                              │
    │  ┌──────────────┐  ┌──────────────┐  ┌──────────────────┐    │
    │  │ Transport    │→ │  Tool        │→ │  Platform router │    │
-   │  │  stdio /     │  │  registry    │  │  (WP / Joomla)   │    │
-   │  │  HTTP+OAuth  │  │  (~76 tools) │  │                  │    │
+   │  │  stdio        │  │  registry    │  │  (WP / Joomla)   │    │
+   │  │              │  │  (79 tools)  │  │                  │    │
    │  └──────────────┘  └──────────────┘  └──────────────────┘    │
    │           │              ▲                    │              │
    │           │              │                    │              │
@@ -54,11 +54,9 @@ internal plan-doc `~/Projekte/getimo/40-Plans/active/
 ## Five components
 
 1. **Transport layer** (`src/transports/`)
-   - `stdio.ts` — default; pipes JSON-RPC over stdin/stdout. Spawned
-     by the AI client.
-   - `http.ts` + `server-http.ts` — HTTP+SSE transport behind an
-     OAuth 2.0 PKCE-required authorization server. Bearer tokens are
-     site-bound; cross-origin requests are rejected.
+   - `stdio.ts` — the only transport. Pipes JSON-RPC over stdin/stdout.
+     Spawned by the AI client (npx / DXT). The server opens no network
+     listener.
 
 2. **Tool registry** (`src/modules/apimapper/`)
    - 15 register-files (connections, credentials, flows, graph,
@@ -86,7 +84,7 @@ internal plan-doc `~/Projekte/getimo/40-Plans/active/
 5. **Setup + skills** (`src/setup-cli.ts`, `skills/apimapper/`)
    - `@clack/prompts` interactive wizard.
    - Auto-detects AI clients, patches their MCP config idempotently.
-   - Ships the skill files (`SKILL.md` + 4 references) into
+   - Ships the skill files (`SKILL.md` + 9 reference docs) into
      `~/.claude/skills/apimapper/`.
 
 ## Auth flow (token issuance)
@@ -105,17 +103,19 @@ internal plan-doc `~/Projekte/getimo/40-Plans/active/
 At runtime, the server reads the token from the keychain on every
 launch — tokens never live in the client config file.
 
-## Multi-transport rationale
+## Transport rationale
 
-| | stdio | HTTP+OAuth |
-|---|---|---|
-| Where it runs | User's machine | User's machine or remote |
-| Auth | Bearer from keychain | OAuth 2.0 PKCE bound to site |
-| Use case | Local dev, single user | Remote AI agents (future) |
-| Discovery | Static (one-tool-set) | Dynamic per session |
+The MCP server ships **stdio-only**:
 
-Both paths feed the same tool registry; the only difference is the
-transport adapter wired into `createServer()`.
+| | stdio |
+|---|---|
+| Where it runs | User's machine |
+| Auth | Bearer (`amk_*`) from keychain / profile |
+| Use case | Local dev, single user |
+| Discovery | Static (one tool-set) |
+
+The AI client spawns the server as a child process and speaks JSON-RPC
+over stdin/stdout; there is no HTTP, SSE, or remote transport.
 
 ## Multi-platform rationale
 

package/docs/customgraph-internal-migration.md

@@ -99,10 +99,10 @@ then delete.
 
    ```bash
    npm view @wootsup/mcp version
-   # Expect: 0.1.0-rc.1 (or whatever the published tag was)
+   # Expect: 0.2.0 (rc.X-wN.M tail retired — plain semver now)
 
    npm view @wootsup/mcp dist-tags
-   # Expect: { latest: ..., rc: '0.1.0-rc.1' } for the rc tag
+   # Expect: latest now carries 0.2.0 (rc dist-tag track retired)
    ```
 
 3. **Run the setup wizard with the published package**
@@ -154,8 +154,8 @@ then delete.
    status: ok
    platform: wordpress (or joomla)
    site_url: https://dev.wootsup.com/wordpress
-   plugin_version: 2.0.7
-   tool_count: 74
+   plugin_version: 2.0.13
+   tool_count: 79
    ```
 
 8. **Run the full smoke suite**

package/docs/security.md

@@ -16,12 +16,12 @@ reporting process and supported-version policy, see
 | T6 | Confused-deputy LLM (read-only token gets `*_delete` tools listed) | High | Med | Scope filter excludes destructive tools from tool-list when the token lacks the scope. |
 | T7 | Local-fs token theft (no keychain) | Med | Med | `0600` file mode; keychain default on macOS/Windows; SECURITY.md warns about multi-user environments. |
 | T8 | DXT supply-chain (malicious .dxt) | Low | Critical | DXT bundle uploaded as a signed GitHub Release asset; `apimapper-mcp-publish.yml` workflow publishes with `--provenance`. |
-| T9 | OAuth callback hijack (HTTP transport) | Med | High | PKCE-required (S256); state param checked; loopback callback only. |
+| T9 | Network exposure of the MCP server | n/a | n/a | Not applicable — the server is stdio-only and opens no network listener. |
 | T10 | TOCTOU on rotate (old token works after rotate UI shows success) | Low | Med | Rotation is atomic on the server; the response shows the new token only after the old one is invalidated. |
 
 ## Token rotation
 
-- **From admin UI:** API Mapper → Connections → MCP Access → **Rotate**.
+- **From admin UI:** API Mapper → **⋮** menu → Settings → MCP Access → **Rotate**.
 - **From CLI:** `apimapper_credential_*` tools do **not** rotate MCP keys
   themselves — by design, key rotation is an admin-UI gesture (not a
   tool the LLM can call) to prevent confused-deputy rotation. Rotation
@@ -68,25 +68,6 @@ signing key. The user-visible site title (rendered by the wizard from
 the server's response, not the URL bar) gives one more verification
 surface for the user.
 
-## OAuth 2.0 PKCE (HTTP transport)
-
-When `@wootsup/mcp` runs in HTTP mode:
-
-- **Grants supported:** `authorization_code` with PKCE-S256 only.
-- **Implicit grant:** disabled.
-- **`code` grant without PKCE:** rejected with `invalid_request`.
-- **Loopback callbacks only:** `redirect_uri` must be
-  `http://127.0.0.1:<port>/callback` or `http://localhost:<port>/callback`.
-- **State param:** required and verified.
-- **Origin header:** Bearer tokens are bound to the issuing site URL.
-  A request from a different `Origin` is rejected (`401`).
-- **Token TTL:** 1 hour. Refresh tokens are not issued — the client
-  re-runs the auth flow.
-
-See `src/server-http.ts` for the implementation and
-`src/server-http.test.ts` (2 tests) + `src/transports/http.test.ts`
-(10 tests) for the pinning.
-
 ## Keychain fallback security
 
 When `@napi-rs/keyring` cannot reach an OS keychain: