noodleseed-cli 0.1.10 → 0.1.12

package/node_modules/@noodle-borg/service/dist/service.js

@@ -4,8 +4,8 @@ import { createJwtVerifier, protectedResourceMetadata, } from '@noodle-borg/auth
 import { compile, InMemoryCatalog } from '@noodle-borg/compiler';
 import { compileConnectors } from '@noodle-borg/connector-defs';
 import { InMemoryConnectorRegistry, MapServiceBroker, SecretBox, staticMasterKeyProvider, } from '@noodle-borg/runtime';
-import { applySecurityHeaders, createMcpRouter, effectiveProto, enforceHttps, mintCallerKey, noopLogger, verifyCallerKey, } from '@noodle-borg/transport-http';
-import { allowAllGate, GoogleControlPlaneGate, } from './auth/deploy-gate.js';
+import { applySecurityHeaders, createMcpRouter, effectiveProto, enforceHttps, noopLogger, } from '@noodle-borg/transport-http';
+import { allowAllGate, GoogleControlPlaneGate, NoodleOAuthControlPlaneGate, } from './auth/deploy-gate.js';
 import { isAuthServerPath } from './oauth/paths.js';
 import { InMemoryConfigStore, InMemoryControlPlaneStore, JsonFileArtifactStore, resolveConfigScope, scopeChain, validateConfigName, validateConfigScope, validateOrgRole, validateSlug, validateTenantRef, } from './store.js';
 const DEFAULT_MAX_BODY = 1 << 20;
@@ -44,18 +44,11 @@ export class ServerRegistry {
         this.#store = store;
         this.#configStore = configStore ?? new InMemoryConfigStore();
     }
-    async deploy(tenant, manifest, connectors, actor, accessMode = 'caller-key', 
-    /**
-     * When true and a prior active deployment exists for this tenant, reuse its caller-key **hash** instead
-     * of minting a new key (the plaintext is unrecoverable, so none is returned). Used by `noodle dev`
-     * to keep the local key stable across hot-reloads; the HTTP deploy route never sets it, so production
-     * redeploys keep rotating the key.
-     */
-    reuseCallerKey = false) {
+    async deploy(tenant, manifest, connectors, actor, accessMode) {
         const safeTenant = validateTenantRef(tenant);
         // Identity-based access modes gate the data plane on verified identity, so the deploy must have an
         // authenticated actor to establish ownership/audit provenance and avoid unauthored protected servers.
-        if (isIdentityAccessMode(accessMode) && actor === undefined) {
+        if (accessMode !== undefined && actor === undefined) {
             return {
                 ok: false,
                 errors: [
@@ -71,18 +64,10 @@ export class ServerRegistry {
         if (!built.ok)
             return { ok: false, errors: built.errors };
         const deploymentId = mintDeploymentId(built.served.artifact.server.name);
-        // `caller-key`: mint a per-server caller key, store only its hash, return the key once — unless
-        // `reuseCallerKey` is set and a prior active deployment exists, in which case keep its hash (no plaintext
-        // to return). Identity modes: no shared key at all — callers authenticate with verified identity.
-        const reusedHash = accessMode === 'caller-key' && reuseCallerKey
-            ? await this.#activeCallerKeyHash(safeTenant)
-            : undefined;
-        const callerKey = accessMode === 'caller-key' && reusedHash === undefined ? mintCallerKey() : undefined;
-        const callerKeyHash = callerKey?.hash ?? reusedHash;
         const version = Date.now();
         const ownerSubject = accessMode === 'owner-only' ? actor?.subject : undefined;
         // Persist before registering so a write failure fails the deploy closed (nothing is served that would
-        // silently vanish on restart). The plaintext caller key is never persisted — only its hash (ADR 0030).
+        // silently vanish on restart).
         if (this.#store) {
             const record = {
                 schemaVersion: 1,
@@ -95,8 +80,7 @@ export class ServerRegistry {
                 serverName: built.served.artifact.server.name,
                 createdAt: new Date().toISOString(),
                 ...(actor ? { createdBySubject: actor.subject, createdByEmail: actor.email } : {}),
-                accessMode,
-                ...(callerKeyHash ? { callerKeyHash } : {}),
+                ...(accessMode !== undefined ? { accessMode } : {}),
                 manifest,
                 ...(connectors !== undefined ? { connectors } : {}),
                 secrets: emptySecretEnvelope(),
@@ -124,8 +108,7 @@ export class ServerRegistry {
                 serverName: built.served.artifact.server.name,
                 createdAt: new Date().toISOString(),
                 ...(actor ? { createdBySubject: actor.subject, createdByEmail: actor.email } : {}),
-                accessMode,
-                ...(callerKeyHash ? { callerKeyHash } : {}),
+                ...(accessMode !== undefined ? { accessMode } : {}),
                 manifest,
                 ...(connectors !== undefined ? { connectors } : {}),
                 secrets: emptySecretEnvelope(),
@@ -133,41 +116,20 @@ export class ServerRegistry {
         }
         this.#servers.set(deploymentId, {
             served: built.served,
-            accessMode,
+            ...(accessMode !== undefined ? { accessMode } : {}),
             org: safeTenant.org,
-            ...(callerKeyHash ? { callerKeyHash } : {}),
             ...(ownerSubject !== undefined ? { ownerSubject } : {}),
         });
         this.#activeTenants.set(tenantKey(safeTenant), deploymentId);
         return {
             ok: true,
             deploymentId,
-            accessMode,
-            ...(callerKey ? { callerKey: callerKey.key } : {}),
-            ...(reusedHash !== undefined ? { callerKeyReused: true } : {}),
+            ...(accessMode !== undefined ? { accessMode } : {}),
         };
     }
-    /**
-     * The caller-key **hash** of the tenant's current active deployment, or `undefined` if none. Checks the
-     * in-memory registry first (the `dev` hot-reload path), then the durable store. Used only by the
-     * `reuseCallerKey` deploy path to keep a key stable across redeploys without ever handling its plaintext.
-     */
-    async #activeCallerKeyHash(tenant) {
-        const cachedId = this.#activeTenants.get(tenantKey(tenant));
-        if (cachedId !== undefined) {
-            const hash = this.#servers.get(cachedId)?.callerKeyHash;
-            if (hash !== undefined)
-                return hash;
-        }
-        if (this.#store) {
-            const record = await this.#store.getActiveByTenant(tenant);
-            return record?.callerKeyHash;
-        }
-        return undefined;
-    }
     /**
      * Rebuild every persisted server into memory on startup. Each record is replayed through the same
-     * compile path as a fresh deploy, reusing its stored id and caller-key hash. A record that no longer
+     * compile path as a fresh deploy, reusing its stored id and access metadata. A record that no longer
      * compiles (e.g. source/catalog drift) is skipped and reported — the remaining servers still recover.
      */
     async recover() {
@@ -177,6 +139,19 @@ export class ServerRegistry {
         const failed = [];
         let recovered = 0;
         for (const record of records) {
+            if (record.accessMode === undefined) {
+                failed.push({
+                    deploymentId: record.deploymentId,
+                    errors: [
+                        {
+                            code: 'unsupported_legacy_access_mode',
+                            path: 'accessMode',
+                            message: 'caller-key deployments are no longer supported; redeploy with owner-only or org-members access',
+                        },
+                    ],
+                });
+                continue;
+            }
             const built = await this.#compileTarget(recordTenant(record), record.manifest, record.connectors);
             if (!built.ok) {
                 failed.push({ deploymentId: record.deploymentId, errors: built.errors });
@@ -285,43 +260,66 @@ export class ServerRegistry {
             .sort((a, b) => b.deploymentVersion - a.deploymentVersion)
             .map(recordSummary);
     }
-    async rotateCallerKey(tenant) {
-        const safe = validateTenantRef(tenant);
-        const active = this.#store
-            ? await this.#store.getActiveByTenant(safe)
-            : [...this.#records.values()]
-                .filter((record) => record.active &&
-                record.orgSlug === safe.org &&
-                record.appSlug === safe.app &&
-                record.environment === safe.env)
-                .sort((a, b) => b.deploymentVersion - a.deploymentVersion)[0];
-        if (!active || (active.accessMode ?? 'caller-key') !== 'caller-key')
+    async getStatus(ref, baseUrl) {
+        const safe = validateTenantRef(ref);
+        const record = await this.#activeRecord(safe);
+        if (record === undefined)
             return undefined;
-        const minted = mintCallerKey();
-        const updated = this.#store
-            ? await this.#store.updateActiveCallerKey(safe, minted.hash)
-            : { ...active, callerKeyHash: minted.hash };
-        if (!updated)
+        const built = await this.#compileTarget(recordTenant(record), record.manifest, record.connectors);
+        const missingSecrets = built.ok ? [] : missingSecretNames(built.errors);
+        const unhealthy = !built.ok && missingSecrets.length === 0;
+        return {
+            target: safe,
+            deployment: {
+                deploymentId: record.deploymentId,
+                endpointUrl: tenantMcpUrl(baseUrl, safe),
+                active: record.active,
+                serverName: record.serverName,
+                createdAt: record.createdAt,
+                ...(record.createdByEmail !== undefined ? { createdByEmail: record.createdByEmail } : {}),
+                accessMode: record.accessMode ?? 'owner-only',
+            },
+            health: {
+                state: built.ok ? 'ready' : unhealthy ? 'unhealthy' : 'missing-config',
+            },
+            config: {
+                ok: missingSecrets.length === 0,
+                missingSecrets,
+            },
+        };
+    }
+    async updateAccess(ref, accessMode) {
+        const safe = validateTenantRef(ref);
+        const record = await this.#activeRecord(safe);
+        if (record === undefined)
             return undefined;
+        const updated = { ...record, accessMode };
+        if (this.#store)
+            await this.#store.updateActiveAccess(safe, accessMode);
         this.#records.set(updated.deploymentId, updated);
-        const cached = this.#servers.get(updated.deploymentId);
-        if (cached) {
-            this.#servers.set(updated.deploymentId, { ...cached, callerKeyHash: minted.hash });
+        const existing = this.#servers.get(updated.deploymentId);
+        if (existing)
+            this.#servers.set(updated.deploymentId, servedTargetFor(updated, existing.served));
+        this.#activeTenants.set(tenantKey(safe), updated.deploymentId);
+        return updated;
+    }
+    async #activeRecord(ref) {
+        const cachedId = this.#activeTenants.get(tenantKey(ref));
+        if (cachedId !== undefined) {
+            const cached = this.#records.get(cachedId);
+            if (cached !== undefined)
+                return cached;
+            if (this.#store)
+                return this.#store.get(cachedId);
         }
-        return { key: minted.key, deployment: recordSummary(updated) };
-    }
-    async verifyActiveCallerKey(tenant, token) {
-        const safe = validateTenantRef(tenant);
-        const active = this.#store
-            ? await this.#store.getActiveByTenant(safe)
-            : [...this.#records.values()]
-                .filter((record) => record.active &&
-                record.orgSlug === safe.org &&
-                record.appSlug === safe.app &&
-                record.environment === safe.env)
-                .sort((a, b) => b.deploymentVersion - a.deploymentVersion)[0];
-        const hash = active?.callerKeyHash;
-        return hash !== undefined && verifyCallerKey(token, hash);
+        if (this.#store)
+            return this.#store.getActiveByTenant(ref);
+        return [...this.#records.values()]
+            .filter((record) => record.active &&
+            record.orgSlug === ref.org &&
+            record.appSlug === ref.app &&
+            record.environment === ref.env)
+            .sort((a, b) => b.deploymentVersion - a.deploymentVersion)[0];
     }
     get configStore() {
         return this.#configStore;
@@ -352,16 +350,17 @@ export class ServerRegistry {
 }
 /**
  * Build the front-door {@link ServedTarget} for a persisted record: its access mode plus the credential the
- * front-door checks — a caller-key hash (`caller-key`), the owner subject (`owner-only`), or the tenant org
- * (`org-members`). A legacy record with no `accessMode` reads as `caller-key`.
+ * front-door checks. Legacy alpha records without an identity access mode are not served.
  */
 function servedTargetFor(record, served) {
-    const accessMode = record.accessMode ?? 'caller-key';
+    const accessMode = record.accessMode;
+    if (accessMode === undefined) {
+        throw new Error(`deployment ${record.deploymentId} has unsupported legacy access mode`);
+    }
     return {
         served,
         accessMode,
         org: record.orgSlug,
-        ...(record.callerKeyHash !== undefined ? { callerKeyHash: record.callerKeyHash } : {}),
         ...(accessMode === 'owner-only' && record.createdBySubject !== undefined
             ? { ownerSubject: record.createdBySubject }
             : {}),
@@ -377,8 +376,7 @@ function recordSummary(record) {
         serverName: record.serverName,
         createdAt: record.createdAt,
         ...(record.createdByEmail !== undefined ? { createdByEmail: record.createdByEmail } : {}),
-        accessMode: record.accessMode ?? 'caller-key',
-        hasCallerKey: record.callerKeyHash !== undefined,
+        accessMode: record.accessMode ?? 'owner-only',
     };
 }
 function recordTenant(record) {
@@ -455,7 +453,6 @@ export function createServiceHandler(registry, options = {}) {
                 return Promise.resolve(false);
             return controlPlane.isOrgMember({ org: input.org, subject: input.subject });
         },
-        verifyCallerKeyForTenant: (input) => registry.verifyActiveCallerKey(input.tenant, input.token),
         admissionGate: createAdmissionGate(logger),
         tenantLookup: (ref) => registry.getActiveByTenant(ref),
     });
@@ -504,12 +501,26 @@ export function createServiceHandler(registry, options = {}) {
             if (enforceHttps(req, res, tls))
                 return;
             const base = options.publicBaseUrl ?? baseFromRequest(req, tls);
+            const controlPlaneResource = normalizeServiceBase(options.publicBaseUrl ?? options.authServerIssuer ?? base);
+            const selfHostedOAuthLogin = options.authServerApp !== undefined &&
+                options.authServerIssuer !== undefined &&
+                options.verifyOwnerToken !== undefined;
             return sendJson(res, 200, {
                 ok: true,
                 service: base,
                 googleClientId: options.controlPlaneGoogleClientId ?? null,
+                ...(selfHostedOAuthLogin
+                    ? {
+                        authorizationServerIssuer: options.authServerIssuer,
+                        controlPlaneResource,
+                    }
+                    : {}),
                 allowedEmailDomain: options.controlPlaneAllowedEmailDomain ?? '@noodleseed.com',
-                authType: options.controlPlaneGoogleClientId ? 'google-oauth-pkce' : 'open-dev',
+                authType: selfHostedOAuthLogin
+                    ? 'noodle-oauth-pkce'
+                    : options.controlPlaneGoogleClientId
+                        ? 'google-oauth-pkce'
+                        : 'open-dev',
             });
         }
         const deployRef = parseTenantDeployPath(url.pathname);
@@ -518,8 +529,8 @@ export function createServiceHandler(registry, options = {}) {
             applySecurityHeaders(res, tls);
             if (enforceHttps(req, res, tls))
                 return;
-            // Admin boundary: authenticate the deployer before reading the body. The gate guards only
-            // management deploys — tenant MCP routes are governed separately (caller key, Slice 24).
+            // Admin boundary: authenticate the deployer before reading the body. The gate guards management
+            // deploys; tenant MCP routes are governed separately by identity-based data-plane auth.
             handleDeploy(req, res, registry, options, maxBody, deployRef, gate, controlPlane).catch((error) => {
                 // A thrown deploy failure (compile/seal/persist) must be observable, not a silent 500. The message
                 // is operational detail (a DB/KMS/connector fault), not a secret — values/keys are never included.
@@ -576,23 +587,34 @@ export function createServiceHandler(registry, options = {}) {
             });
             return;
         }
-        const deploymentsRef = parseDeploymentsPath(url.pathname);
-        if (deploymentsRef !== undefined && req.method === 'GET') {
+        const statusRef = parseTenantStatusPath(url.pathname);
+        if (statusRef !== undefined && req.method === 'GET') {
             applySecurityHeaders(res, tls);
             if (enforceHttps(req, res, tls))
                 return;
-            handleDeployments(req, res, registry, gate, controlPlane, deploymentsRef, url).catch(() => {
+            handleDeploymentStatus(req, res, registry, gate, controlPlane, statusRef, options).catch(() => {
                 if (!res.headersSent)
                     sendJson(res, 500, { error: 'internal error' });
             });
             return;
         }
-        const keysRef = parseKeysPath(url.pathname);
-        if (keysRef !== undefined && (req.method === 'GET' || req.method === 'POST')) {
+        const accessRef = parseTenantAccessPath(url.pathname);
+        if (accessRef !== undefined && req.method === 'PATCH') {
             applySecurityHeaders(res, tls);
             if (enforceHttps(req, res, tls))
                 return;
-            handleKeys(req, res, registry, gate, controlPlane, keysRef).catch(() => {
+            handleAccessUpdate(req, res, registry, gate, controlPlane, maxBody, accessRef).catch(() => {
+                if (!res.headersSent)
+                    sendJson(res, 500, { error: 'internal error' });
+            });
+            return;
+        }
+        const deploymentsRef = parseDeploymentsPath(url.pathname);
+        if (deploymentsRef !== undefined && req.method === 'GET') {
+            applySecurityHeaders(res, tls);
+            if (enforceHttps(req, res, tls))
+                return;
+            handleDeployments(req, res, registry, gate, controlPlane, deploymentsRef, url).catch(() => {
                 if (!res.headersSent)
                     sendJson(res, 500, { error: 'internal error' });
             });
@@ -615,7 +637,7 @@ async function handleDeploy(req, res, registry, options, maxBody, tenant, gate,
         return sendJson(res, 413, { error: 'request body too large' });
     let manifest;
     let connectors;
-    let accessMode = 'caller-key';
+    let accessMode = 'owner-only';
     try {
         const parsed = JSON.parse(body.text);
         if (typeof parsed.manifest !== 'string')
@@ -631,7 +653,10 @@ async function handleDeploy(req, res, registry, options, maxBody, tenant, gate,
         }
         if (parsed.accessMode !== undefined) {
             if (!isAccessMode(parsed.accessMode)) {
-                throw new Error('"accessMode" must be "caller-key", "owner-only", or "org-members"');
+                if (parsed.accessMode === 'caller-key') {
+                    throw new Error('caller-key access has been removed; use owner-only or org-members');
+                }
+                throw new Error('"accessMode" must be "owner-only" or "org-members"');
             }
             accessMode = parsed.accessMode;
         }
@@ -657,7 +682,7 @@ async function handleDeploy(req, res, registry, options, maxBody, tenant, gate,
         });
         return sendJson(res, 400, { ok: false, errors: result.errors });
     }
-    // Counts only — never secret names or values, never the minted caller key or its hash.
+    // Counts only — never secret names or values.
     logger.info('deploy.ok', {
         deploymentId: result.deploymentId,
         org: tenant.org,
@@ -676,13 +701,10 @@ async function handleDeploy(req, res, registry, options, maxBody, tenant, gate,
         url: tenant.env === 'prod'
             ? `${base}/o/${tenant.org}/${tenant.app}/mcp`
             : `${base}/o/${tenant.org}/${tenant.app}/${tenant.env}/mcp`,
-        // Caller-key deploys only: shown once, callers send `Authorization: Bearer <callerKey>` (only the hash
-        // is stored). Identity-based deploys mint no key — callers authenticate with their own identity.
-        ...(result.callerKey !== undefined ? { callerKey: result.callerKey } : {}),
     });
 }
 function isAccessMode(value) {
-    return value === 'caller-key' || value === 'owner-only' || value === 'org-members';
+    return value === 'owner-only' || value === 'org-members';
 }
 function isIdentityAccessMode(accessMode) {
     return accessMode === 'owner-only' || accessMode === 'org-members';
@@ -782,7 +804,7 @@ async function handleMembers(req, res, gate, controlPlane, maxBody, ref) {
     return sendJson(res, 404, { error: 'not found' });
 }
 async function handleConfigValues(req, res, gate, controlPlane, configStore, maxBody, ref) {
-    const identity = await authorizeControlPlane(req, res, gate, { requireIdentity: false });
+    const identity = await authorizeControlPlane(req, res, gate, { requireIdentity: true });
     if (identity === false)
         return;
     if (ref.invalid !== undefined)
@@ -829,30 +851,66 @@ async function handleConfigValues(req, res, gate, controlPlane, configStore, max
     }
     return sendJson(res, 404, { error: 'not found' });
 }
-async function handleDeployments(req, res, registry, gate, controlPlane, ref, url) {
+async function authorizeTenantControl(req, res, gate, controlPlane, org) {
     const identity = await authorizeControlPlane(req, res, gate, { requireIdentity: true });
     if (identity === false)
-        return;
+        return false;
     if (!identity.superAdmin) {
-        const member = await controlPlane.isOrgMember({ org: ref.org, subject: identity.subject });
-        if (!member)
-            return sendForbidden(res, 'forbidden');
+        const member = await controlPlane.isOrgMember({ org, subject: identity.subject });
+        if (!member) {
+            sendForbidden(res, 'forbidden');
+            return false;
+        }
     }
-    const app = url.searchParams.get('app') ?? undefined;
-    const env = url.searchParams.get('env') ?? undefined;
+    return identity;
+}
+async function handleDeploymentStatus(req, res, registry, gate, controlPlane, tenant, options) {
+    const identity = await authorizeTenantControl(req, res, gate, controlPlane, tenant.org);
+    if (identity === false)
+        return;
     try {
-        const deployments = await registry.listDeployments({
-            org: ref.org,
-            ...(app !== undefined ? { app } : {}),
-            ...(env !== undefined ? { env } : {}),
+        const base = options.publicBaseUrl ?? baseFromRequest(req, options.tls ?? {});
+        const status = await registry.getStatus(tenant, base);
+        if (status === undefined)
+            return sendJson(res, 404, { error: 'no active deployment' });
+        return sendJson(res, 200, { ok: true, ...status });
+    }
+    catch (error) {
+        return sendJson(res, 400, { error: error.message });
+    }
+}
+async function handleAccessUpdate(req, res, registry, gate, controlPlane, maxBody, tenant) {
+    const identity = await authorizeTenantControl(req, res, gate, controlPlane, tenant.org);
+    if (identity === false)
+        return;
+    const body = await readJsonBody(req, maxBody);
+    if (!body.ok)
+        return sendJson(res, body.status, { error: body.error });
+    const parsed = body.value;
+    if (!isAccessMode(parsed.accessMode)) {
+        const message = parsed.accessMode === 'caller-key'
+            ? 'caller-key access has been removed; use owner-only or org-members'
+            : '"accessMode" must be "owner-only" or "org-members"';
+        return sendJson(res, 400, { error: message });
+    }
+    try {
+        const record = await registry.updateAccess(tenant, parsed.accessMode);
+        if (record === undefined)
+            return sendJson(res, 404, { error: 'no active deployment' });
+        return sendJson(res, 200, {
+            ok: true,
+            target: tenant,
+            deployment: {
+                deploymentId: record.deploymentId,
+                accessMode: record.accessMode ?? 'owner-only',
+            },
         });
-        return sendJson(res, 200, { ok: true, deployments });
     }
     catch (error) {
         return sendJson(res, 400, { error: error.message });
     }
 }
-async function handleKeys(req, res, registry, gate, controlPlane, ref) {
+async function handleDeployments(req, res, registry, gate, controlPlane, ref, url) {
     const identity = await authorizeControlPlane(req, res, gate, { requireIdentity: true });
     if (identity === false)
         return;
@@ -861,47 +919,19 @@ async function handleKeys(req, res, registry, gate, controlPlane, ref) {
         if (!member)
             return sendForbidden(res, 'forbidden');
     }
-    if (req.method === 'GET' && ref.action === undefined) {
+    const app = url.searchParams.get('app') ?? undefined;
+    const env = url.searchParams.get('env') ?? undefined;
+    try {
         const deployments = await registry.listDeployments({
             org: ref.org,
-            app: ref.app,
-            env: ref.env,
-        });
-        return sendJson(res, 200, {
-            ok: true,
-            keys: deployments
-                .filter((deployment) => deployment.active && deployment.hasCallerKey)
-                .map((deployment) => ({
-                org: deployment.orgSlug,
-                app: deployment.appSlug,
-                env: deployment.environment,
-                deploymentId: deployment.deploymentId,
-                active: deployment.active,
-                createdAt: deployment.createdAt,
-            })),
+            ...(app !== undefined ? { app } : {}),
+            ...(env !== undefined ? { env } : {}),
         });
+        return sendJson(res, 200, { ok: true, deployments });
     }
-    if (req.method === 'POST' && ref.action === 'rotate') {
-        const rotated = await registry.rotateCallerKey(ref);
-        if (!rotated) {
-            return sendJson(res, 404, {
-                error: 'no active caller-key deployment found for this app environment',
-            });
-        }
-        return sendJson(res, 201, {
-            ok: true,
-            key: {
-                org: rotated.deployment.orgSlug,
-                app: rotated.deployment.appSlug,
-                env: rotated.deployment.environment,
-                deploymentId: rotated.deployment.deploymentId,
-                active: rotated.deployment.active,
-                createdAt: new Date().toISOString(),
-            },
-            callerKey: rotated.key,
-        });
+    catch (error) {
+        return sendJson(res, 400, { error: error.message });
     }
-    return sendJson(res, 404, { error: 'not found' });
 }
 async function authorizeControlPlane(req, res, gate, options) {
     const auth = await gate.authorize(req);
@@ -1006,17 +1036,22 @@ function parseDeploymentsPath(pathname) {
         return undefined;
     }
 }
-function parseKeysPath(pathname) {
-    const match = /^\/v1\/orgs\/([^/]+)\/apps\/([^/]+)\/envs\/([^/]+)\/keys(?:\/(rotate))?$/.exec(pathname);
+function parseTenantStatusPath(pathname) {
+    return parseTenantActionPath(pathname, 'status');
+}
+function parseTenantAccessPath(pathname) {
+    return parseTenantActionPath(pathname, 'access');
+}
+function parseTenantActionPath(pathname, action) {
+    const match = new RegExp(`^/v1/orgs/([^/]+)/apps/([^/]+)/envs/([^/]+)/${action}$`).exec(pathname);
     if (!match)
         return undefined;
     try {
-        const ref = validateTenantRef({
+        return validateTenantRef({
             org: decodeURIComponent(match[1]),
             app: decodeURIComponent(match[2]),
             env: decodeURIComponent(match[3]),
         });
-        return { ...ref, ...(match[4] === 'rotate' ? { action: 'rotate' } : {}) };
     }
     catch {
         return undefined;
@@ -1025,6 +1060,20 @@ function parseKeysPath(pathname) {
 function createAdmissionGate(_logger) {
     return async () => ({ allow: true });
 }
+function tenantMcpUrl(base, tenant) {
+    return tenant.env === 'prod'
+        ? `${base}/o/${tenant.org}/${tenant.app}/mcp`
+        : `${base}/o/${tenant.org}/${tenant.app}/${tenant.env}/mcp`;
+}
+function missingSecretNames(errors) {
+    const names = new Set();
+    for (const error of errors) {
+        if (error.code === 'missing_secret' && error.path.startsWith('secrets.')) {
+            names.add(error.path.slice('secrets.'.length));
+        }
+    }
+    return [...names].sort();
+}
 function baseFromRequest(req, tls) {
     const host = req.headers.host ?? 'localhost';
     return `${effectiveProto(req, tls.trustProxy ?? false)}://${host}`;
@@ -1032,22 +1081,7 @@ function baseFromRequest(req, tls) {
 /** Start the deploy service on its own `node:http` server (used by the `noodle-service` bin). */
 export async function serveService(options = {}) {
     const host = options.host ?? '127.0.0.1';
-    const gate = options.deployGate ??
-        (options.googleClientId !== undefined
-            ? new GoogleControlPlaneGate({
-                audience: options.googleClientId,
-                admins: options.controlPlaneAdmins ?? [],
-                ...(options.controlPlaneAllowedEmailDomain !== undefined
-                    ? { allowedEmailDomain: options.controlPlaneAllowedEmailDomain }
-                    : {}),
-                ...(options.googleVerifier ? { verifier: options.googleVerifier } : {}),
-            })
-            : undefined);
-    // Fail closed: never expose an unauthenticated deploy endpoint on a non-loopback bind.
-    if (gate === undefined && !isLoopbackHost(host)) {
-        throw new Error(`refusing to bind a non-loopback host (${host}) without deploy authentication; ` +
-            'set NOODLE_GOOGLE_CLIENT_ID (or pass a deployGate)');
-    }
+    let gate = options.deployGate;
     const durableStoreRequested = options.dataDir !== undefined || options.databaseUrl !== undefined || options.cloudSql !== undefined;
     // Fail closed: any durable store must have a master-key custodian. Existing deploy records may still
     // contain encrypted legacy secret envelopes, and managed config secrets are encrypted independently.
@@ -1139,6 +1173,34 @@ export async function serveService(options = {}) {
                     keyResolver: await options.oauth.signer.verifierKey(),
                 });
     }
+    if (gate === undefined &&
+        resolvedVerifyOwnerToken !== undefined &&
+        resolvedAuthServerIssuer !== undefined) {
+        const allowedEmailDomain = options.controlPlaneAllowedEmailDomain ?? options.oauth?.allowedEmailDomain;
+        gate = new NoodleOAuthControlPlaneGate({
+            verifier: resolvedVerifyOwnerToken,
+            audience: normalizeOAuthResource(options.publicBaseUrl ?? resolvedAuthServerIssuer),
+            admins: options.controlPlaneAdmins ?? [],
+            ...(allowedEmailDomain !== undefined ? { allowedEmailDomain } : {}),
+        });
+    }
+    gate =
+        gate ??
+            (options.googleClientId !== undefined
+                ? new GoogleControlPlaneGate({
+                    audience: options.googleClientId,
+                    admins: options.controlPlaneAdmins ?? [],
+                    ...(options.controlPlaneAllowedEmailDomain !== undefined
+                        ? { allowedEmailDomain: options.controlPlaneAllowedEmailDomain }
+                        : {}),
+                    ...(options.googleVerifier ? { verifier: options.googleVerifier } : {}),
+                })
+                : undefined);
+    // Fail closed: never expose an unauthenticated deploy endpoint on a non-loopback bind.
+    if (gate === undefined && !isLoopbackHost(host)) {
+        throw new Error(`refusing to bind a non-loopback host (${host}) without deploy authentication; ` +
+            'set NOODLE_OAUTH_ISSUER/Google OAuth creds, NOODLE_GOOGLE_CLIENT_ID, or pass a deployGate');
+    }
     const registry = new ServerRegistry(store, secretBox, configStore);
     // Recovery is lazy by default (ADR 0036): each server recompiles on its first request, which is correct
     // on a multi-instance platform (any instance serves any deploy) and a cheaper cold start. `warmAll` opts
@@ -1227,6 +1289,19 @@ function sendForbidden(res, message) {
     res.writeHead(403, { 'content-type': 'application/json; charset=utf-8' });
     res.end(JSON.stringify({ error: message }));
 }
+function normalizeServiceBase(value) {
+    return value.replace(/\/+$/, '');
+}
+function normalizeOAuthResource(value) {
+    const normalized = normalizeServiceBase(value);
+    try {
+        const url = new URL(normalized);
+        return url.pathname === '/' && url.search === '' && url.hash === '' ? url.href : normalized;
+    }
+    catch {
+        return normalized;
+    }
+}
 /** Loopback hosts may run the control plane without auth; any other bind must configure auth. */
 function isLoopbackHost(host) {
     return host === '127.0.0.1' || host === '::1' || host === 'localhost';