npm - noodleseed-cli - Versions diffs - 0.1.11 → 0.1.13 - Mend

noodleseed-cli 0.1.11 → 0.1.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (76) hide show

package/dist/agents.d.ts +3 -0
package/dist/agents.d.ts.map +1 -0
package/dist/agents.js +231 -0
package/dist/agents.js.map +1 -0
package/dist/bin.d.ts +3 -0
package/dist/bin.d.ts.map +1 -0
package/dist/bin.js +16 -0
package/dist/bin.js.map +1 -0
package/dist/cli.d.ts.map +1 -1
package/dist/cli.js +1102 -107
package/dist/cli.js.map +1 -1
package/dist/config.d.ts +2 -4
package/dist/config.d.ts.map +1 -1
package/dist/config.js +1 -1
package/dist/config.js.map +1 -1
package/dist/control-plane.d.ts +15 -1
package/dist/control-plane.d.ts.map +1 -1
package/dist/control-plane.js +90 -15
package/dist/control-plane.js.map +1 -1
package/dist/deploy.d.ts +3 -5
package/dist/deploy.d.ts.map +1 -1
package/dist/deploy.js +20 -7
package/dist/deploy.js.map +1 -1
package/dist/dev.d.ts +11 -5
package/dist/dev.d.ts.map +1 -1
package/dist/dev.js +7 -17
package/dist/dev.js.map +1 -1
package/dist/diagnostics.d.ts +9 -0
package/dist/diagnostics.d.ts.map +1 -0
package/dist/diagnostics.js +10 -0
package/dist/diagnostics.js.map +1 -0
package/dist/doctor.d.ts +7 -0
package/dist/doctor.d.ts.map +1 -0
package/dist/doctor.js +396 -0
package/dist/doctor.js.map +1 -0
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +2 -0
package/dist/index.js.map +1 -1
package/dist/node-version.d.ts +5 -0
package/dist/node-version.d.ts.map +1 -0
package/dist/node-version.js +17 -0
package/dist/node-version.js.map +1 -0
package/dist/openapi-import.d.ts +12 -0
package/dist/openapi-import.d.ts.map +1 -0
package/dist/openapi-import.js +95 -0
package/dist/openapi-import.js.map +1 -0
package/dist/project.d.ts +45 -0
package/dist/project.d.ts.map +1 -0
package/dist/project.js +252 -0
package/dist/project.js.map +1 -0
package/node_modules/@noodle-borg/runtime/dist/broker/secret-box.d.ts +2 -2
package/node_modules/@noodle-borg/runtime/dist/broker/secret-box.js +2 -2
package/node_modules/@noodle-borg/service/dist/service.d.ts +6 -25
package/node_modules/@noodle-borg/service/dist/service.d.ts.map +1 -1
package/node_modules/@noodle-borg/service/dist/service.js +219 -175
package/node_modules/@noodle-borg/service/dist/service.js.map +1 -1
package/node_modules/@noodle-borg/service/dist/store/postgres.d.ts +2 -1
package/node_modules/@noodle-borg/service/dist/store/postgres.d.ts.map +1 -1
package/node_modules/@noodle-borg/service/dist/store/postgres.js +19 -78
package/node_modules/@noodle-borg/service/dist/store/postgres.js.map +1 -1
package/node_modules/@noodle-borg/service/dist/store.d.ts +24 -12
package/node_modules/@noodle-borg/service/dist/store.d.ts.map +1 -1
package/node_modules/@noodle-borg/service/dist/store.js +18 -18
package/node_modules/@noodle-borg/service/dist/store.js.map +1 -1
package/node_modules/@noodle-borg/transport-http/dist/handler.d.ts +2 -21
package/node_modules/@noodle-borg/transport-http/dist/handler.d.ts.map +1 -1
package/node_modules/@noodle-borg/transport-http/dist/handler.js +14 -25
package/node_modules/@noodle-borg/transport-http/dist/handler.js.map +1 -1
package/node_modules/@noodle-borg/transport-http/dist/index.d.ts +1 -2
package/node_modules/@noodle-borg/transport-http/dist/index.d.ts.map +1 -1
package/node_modules/@noodle-borg/transport-http/dist/index.js +0 -1
package/node_modules/@noodle-borg/transport-http/dist/index.js.map +1 -1
package/node_modules/@noodle-borg/transport-http/dist/logging.d.ts +1 -1
package/node_modules/@noodle-borg/transport-http/dist/logging.js +1 -1
package/package.json +2 -2

package/node_modules/@noodle-borg/service/dist/service.js CHANGED Viewed

@@ -4,7 +4,7 @@ import { createJwtVerifier, protectedResourceMetadata, } from '@noodle-borg/auth
 import { compile, InMemoryCatalog } from '@noodle-borg/compiler';
 import { compileConnectors } from '@noodle-borg/connector-defs';
 import { InMemoryConnectorRegistry, MapServiceBroker, SecretBox, staticMasterKeyProvider, } from '@noodle-borg/runtime';
-import { applySecurityHeaders, createMcpRouter, effectiveProto, enforceHttps, mintCallerKey, noopLogger, verifyCallerKey, } from '@noodle-borg/transport-http';
+import { applySecurityHeaders, createMcpRouter, effectiveProto, enforceHttps, noopLogger, } from '@noodle-borg/transport-http';
 import { allowAllGate, GoogleControlPlaneGate, NoodleOAuthControlPlaneGate, } from './auth/deploy-gate.js';
 import { isAuthServerPath } from './oauth/paths.js';
 import { InMemoryConfigStore, InMemoryControlPlaneStore, JsonFileArtifactStore, resolveConfigScope, scopeChain, validateConfigName, validateConfigScope, validateOrgRole, validateSlug, validateTenantRef, } from './store.js';
@@ -44,18 +44,11 @@ export class ServerRegistry {
         this.#store = store;
         this.#configStore = configStore ?? new InMemoryConfigStore();
     }
-    async deploy(tenant, manifest, connectors, actor, accessMode = 'caller-key',
-    /**
-     * When true and a prior active deployment exists for this tenant, reuse its caller-key **hash** instead
-     * of minting a new key (the plaintext is unrecoverable, so none is returned). Used by `noodle dev`
-     * to keep the local key stable across hot-reloads; the HTTP deploy route never sets it, so production
-     * redeploys keep rotating the key.
-     */
-    reuseCallerKey = false) {
+    async deploy(tenant, manifest, connectors, actor, accessMode) {
         const safeTenant = validateTenantRef(tenant);
         // Identity-based access modes gate the data plane on verified identity, so the deploy must have an
         // authenticated actor to establish ownership/audit provenance and avoid unauthored protected servers.
-        if (isIdentityAccessMode(accessMode) && actor === undefined) {
+        if (accessMode !== undefined && actor === undefined) {
             return {
                 ok: false,
                 errors: [
@@ -71,18 +64,10 @@ export class ServerRegistry {
         if (!built.ok)
             return { ok: false, errors: built.errors };
         const deploymentId = mintDeploymentId(built.served.artifact.server.name);
-        // `caller-key`: mint a per-server caller key, store only its hash, return the key once — unless
-        // `reuseCallerKey` is set and a prior active deployment exists, in which case keep its hash (no plaintext
-        // to return). Identity modes: no shared key at all — callers authenticate with verified identity.
-        const reusedHash = accessMode === 'caller-key' && reuseCallerKey
-            ? await this.#activeCallerKeyHash(safeTenant)
-            : undefined;
-        const callerKey = accessMode === 'caller-key' && reusedHash === undefined ? mintCallerKey() : undefined;
-        const callerKeyHash = callerKey?.hash ?? reusedHash;
         const version = Date.now();
         const ownerSubject = accessMode === 'owner-only' ? actor?.subject : undefined;
         // Persist before registering so a write failure fails the deploy closed (nothing is served that would
-        // silently vanish on restart). The plaintext caller key is never persisted — only its hash (ADR 0030).
+        // silently vanish on restart).
         if (this.#store) {
             const record = {
                 schemaVersion: 1,
@@ -95,8 +80,7 @@ export class ServerRegistry {
                 serverName: built.served.artifact.server.name,
                 createdAt: new Date().toISOString(),
                 ...(actor ? { createdBySubject: actor.subject, createdByEmail: actor.email } : {}),
-                accessMode,
-                ...(callerKeyHash ? { callerKeyHash } : {}),
+                ...(accessMode !== undefined ? { accessMode } : {}),
                 manifest,
                 ...(connectors !== undefined ? { connectors } : {}),
                 secrets: emptySecretEnvelope(),
@@ -124,8 +108,7 @@ export class ServerRegistry {
                 serverName: built.served.artifact.server.name,
                 createdAt: new Date().toISOString(),
                 ...(actor ? { createdBySubject: actor.subject, createdByEmail: actor.email } : {}),
-                accessMode,
-                ...(callerKeyHash ? { callerKeyHash } : {}),
+                ...(accessMode !== undefined ? { accessMode } : {}),
                 manifest,
                 ...(connectors !== undefined ? { connectors } : {}),
                 secrets: emptySecretEnvelope(),
@@ -133,41 +116,20 @@ export class ServerRegistry {
         }
         this.#servers.set(deploymentId, {
             served: built.served,
-            accessMode,
+            ...(accessMode !== undefined ? { accessMode } : {}),
             org: safeTenant.org,
-            ...(callerKeyHash ? { callerKeyHash } : {}),
             ...(ownerSubject !== undefined ? { ownerSubject } : {}),
         });
         this.#activeTenants.set(tenantKey(safeTenant), deploymentId);
         return {
             ok: true,
             deploymentId,
-            accessMode,
-            ...(callerKey ? { callerKey: callerKey.key } : {}),
-            ...(reusedHash !== undefined ? { callerKeyReused: true } : {}),
+            ...(accessMode !== undefined ? { accessMode } : {}),
         };
     }
-    /**
-     * The caller-key **hash** of the tenant's current active deployment, or `undefined` if none. Checks the
-     * in-memory registry first (the `dev` hot-reload path), then the durable store. Used only by the
-     * `reuseCallerKey` deploy path to keep a key stable across redeploys without ever handling its plaintext.
-     */
-    async #activeCallerKeyHash(tenant) {
-        const cachedId = this.#activeTenants.get(tenantKey(tenant));
-        if (cachedId !== undefined) {
-            const hash = this.#servers.get(cachedId)?.callerKeyHash;
-            if (hash !== undefined)
-                return hash;
-        }
-        if (this.#store) {
-            const record = await this.#store.getActiveByTenant(tenant);
-            return record?.callerKeyHash;
-        }
-        return undefined;
-    }
     /**
      * Rebuild every persisted server into memory on startup. Each record is replayed through the same
-     * compile path as a fresh deploy, reusing its stored id and caller-key hash. A record that no longer
+     * compile path as a fresh deploy, reusing its stored id and access metadata. A record that no longer
      * compiles (e.g. source/catalog drift) is skipped and reported — the remaining servers still recover.
      */
     async recover() {
@@ -177,6 +139,19 @@ export class ServerRegistry {
         const failed = [];
         let recovered = 0;
         for (const record of records) {
+            if (record.accessMode === undefined) {
+                failed.push({
+                    deploymentId: record.deploymentId,
+                    errors: [
+                        {
+                            code: 'unsupported_legacy_access_mode',
+                            path: 'accessMode',
+                            message: 'caller-key deployments are no longer supported; redeploy with owner-only or org-members access',
+                        },
+                    ],
+                });
+                continue;
+            }
             const built = await this.#compileTarget(recordTenant(record), record.manifest, record.connectors);
             if (!built.ok) {
                 failed.push({ deploymentId: record.deploymentId, errors: built.errors });
@@ -285,43 +260,66 @@ export class ServerRegistry {
             .sort((a, b) => b.deploymentVersion - a.deploymentVersion)
             .map(recordSummary);
     }
-    async rotateCallerKey(tenant) {
-        const safe = validateTenantRef(tenant);
-        const active = this.#store
-            ? await this.#store.getActiveByTenant(safe)
-            : [...this.#records.values()]
-                .filter((record) => record.active &&
-                record.orgSlug === safe.org &&
-                record.appSlug === safe.app &&
-                record.environment === safe.env)
-                .sort((a, b) => b.deploymentVersion - a.deploymentVersion)[0];
-        if (!active || (active.accessMode ?? 'caller-key') !== 'caller-key')
+    async getStatus(ref, baseUrl) {
+        const safe = validateTenantRef(ref);
+        const record = await this.#activeRecord(safe);
+        if (record === undefined)
             return undefined;
-        const minted = mintCallerKey();
-        const updated = this.#store
-            ? await this.#store.updateActiveCallerKey(safe, minted.hash)
-            : { ...active, callerKeyHash: minted.hash };
-        if (!updated)
+        const built = await this.#compileTarget(recordTenant(record), record.manifest, record.connectors);
+        const missingSecrets = built.ok ? [] : missingSecretNames(built.errors);
+        const unhealthy = !built.ok && missingSecrets.length === 0;
+        return {
+            target: safe,
+            deployment: {
+                deploymentId: record.deploymentId,
+                endpointUrl: tenantMcpUrl(baseUrl, safe),
+                active: record.active,
+                serverName: record.serverName,
+                createdAt: record.createdAt,
+                ...(record.createdByEmail !== undefined ? { createdByEmail: record.createdByEmail } : {}),
+                accessMode: record.accessMode ?? 'owner-only',
+            },
+            health: {
+                state: built.ok ? 'ready' : unhealthy ? 'unhealthy' : 'missing-config',
+            },
+            config: {
+                ok: missingSecrets.length === 0,
+                missingSecrets,
+            },
+        };
+    }
+    async updateAccess(ref, accessMode) {
+        const safe = validateTenantRef(ref);
+        const record = await this.#activeRecord(safe);
+        if (record === undefined)
             return undefined;
+        const updated = { ...record, accessMode };
+        if (this.#store)
+            await this.#store.updateActiveAccess(safe, accessMode);
         this.#records.set(updated.deploymentId, updated);
-        const cached = this.#servers.get(updated.deploymentId);
-        if (cached) {
-            this.#servers.set(updated.deploymentId, { ...cached, callerKeyHash: minted.hash });
+        const existing = this.#servers.get(updated.deploymentId);
+        if (existing)
+            this.#servers.set(updated.deploymentId, servedTargetFor(updated, existing.served));
+        this.#activeTenants.set(tenantKey(safe), updated.deploymentId);
+        return updated;
+    }
+    async #activeRecord(ref) {
+        const cachedId = this.#activeTenants.get(tenantKey(ref));
+        if (cachedId !== undefined) {
+            const cached = this.#records.get(cachedId);
+            if (cached !== undefined)
+                return cached;
+            if (this.#store)
+                return this.#store.get(cachedId);
         }
-        return { key: minted.key, deployment: recordSummary(updated) };
-    }
-    async verifyActiveCallerKey(tenant, token) {
-        const safe = validateTenantRef(tenant);
-        const active = this.#store
-            ? await this.#store.getActiveByTenant(safe)
-            : [...this.#records.values()]
-                .filter((record) => record.active &&
-                record.orgSlug === safe.org &&
-                record.appSlug === safe.app &&
-                record.environment === safe.env)
-                .sort((a, b) => b.deploymentVersion - a.deploymentVersion)[0];
-        const hash = active?.callerKeyHash;
-        return hash !== undefined && verifyCallerKey(token, hash);
+        if (this.#store)
+            return this.#store.getActiveByTenant(ref);
+        return [...this.#records.values()]
+            .filter((record) => record.active &&
+            record.orgSlug === ref.org &&
+            record.appSlug === ref.app &&
+            record.environment === ref.env)
+            .sort((a, b) => b.deploymentVersion - a.deploymentVersion)[0];
     }
     get configStore() {
         return this.#configStore;
@@ -352,16 +350,17 @@ export class ServerRegistry {
 }
 /**
  * Build the front-door {@link ServedTarget} for a persisted record: its access mode plus the credential the
- * front-door checks — a caller-key hash (`caller-key`), the owner subject (`owner-only`), or the tenant org
- * (`org-members`). A legacy record with no `accessMode` reads as `caller-key`.
+ * front-door checks. Legacy alpha records without an identity access mode are not served.
  */
 function servedTargetFor(record, served) {
-    const accessMode = record.accessMode ?? 'caller-key';
+    const accessMode = record.accessMode;
+    if (accessMode === undefined) {
+        throw new Error(`deployment ${record.deploymentId} has unsupported legacy access mode`);
+    }
     return {
         served,
         accessMode,
         org: record.orgSlug,
-        ...(record.callerKeyHash !== undefined ? { callerKeyHash: record.callerKeyHash } : {}),
         ...(accessMode === 'owner-only' && record.createdBySubject !== undefined
             ? { ownerSubject: record.createdBySubject }
             : {}),
@@ -377,8 +376,7 @@ function recordSummary(record) {
         serverName: record.serverName,
         createdAt: record.createdAt,
         ...(record.createdByEmail !== undefined ? { createdByEmail: record.createdByEmail } : {}),
-        accessMode: record.accessMode ?? 'caller-key',
-        hasCallerKey: record.callerKeyHash !== undefined,
+        accessMode: record.accessMode ?? 'owner-only',
     };
 }
 function recordTenant(record) {
@@ -455,7 +453,6 @@ export function createServiceHandler(registry, options = {}) {
                 return Promise.resolve(false);
             return controlPlane.isOrgMember({ org: input.org, subject: input.subject });
         },
-        verifyCallerKeyForTenant: (input) => registry.verifyActiveCallerKey(input.tenant, input.token),
         admissionGate: createAdmissionGate(logger),
         tenantLookup: (ref) => registry.getActiveByTenant(ref),
     });
@@ -532,8 +529,8 @@ export function createServiceHandler(registry, options = {}) {
             applySecurityHeaders(res, tls);
             if (enforceHttps(req, res, tls))
                 return;
-            // Admin boundary: authenticate the deployer before reading the body. The gate guards only
-            // management deploys — tenant MCP routes are governed separately (caller key, Slice 24).
+            // Admin boundary: authenticate the deployer before reading the body. The gate guards management
+            // deploys; tenant MCP routes are governed separately by identity-based data-plane auth.
             handleDeploy(req, res, registry, options, maxBody, deployRef, gate, controlPlane).catch((error) => {
                 // A thrown deploy failure (compile/seal/persist) must be observable, not a silent 500. The message
                 // is operational detail (a DB/KMS/connector fault), not a secret — values/keys are never included.
@@ -590,23 +587,34 @@ export function createServiceHandler(registry, options = {}) {
             });
             return;
         }
-        const deploymentsRef = parseDeploymentsPath(url.pathname);
-        if (deploymentsRef !== undefined && req.method === 'GET') {
+        const statusRef = parseTenantStatusPath(url.pathname);
+        if (statusRef !== undefined && req.method === 'GET') {
             applySecurityHeaders(res, tls);
             if (enforceHttps(req, res, tls))
                 return;
-            handleDeployments(req, res, registry, gate, controlPlane, deploymentsRef, url).catch(() => {
+            handleDeploymentStatus(req, res, registry, gate, controlPlane, statusRef, options).catch(() => {
+                if (!res.headersSent)
+                    sendJson(res, 500, { error: 'internal error' });
+            });
+            return;
+        }
+        const accessRef = parseTenantAccessPath(url.pathname);
+        if (accessRef !== undefined && req.method === 'PATCH') {
+            applySecurityHeaders(res, tls);
+            if (enforceHttps(req, res, tls))
+                return;
+            handleAccessUpdate(req, res, registry, gate, controlPlane, maxBody, accessRef).catch(() => {
                 if (!res.headersSent)
                     sendJson(res, 500, { error: 'internal error' });
             });
             return;
         }
-        const keysRef = parseKeysPath(url.pathname);
-        if (keysRef !== undefined && (req.method === 'GET' || req.method === 'POST')) {
+        const deploymentsRef = parseDeploymentsPath(url.pathname);
+        if (deploymentsRef !== undefined && req.method === 'GET') {
             applySecurityHeaders(res, tls);
             if (enforceHttps(req, res, tls))
                 return;
-            handleKeys(req, res, registry, gate, controlPlane, keysRef).catch(() => {
+            handleDeployments(req, res, registry, gate, controlPlane, deploymentsRef, url).catch(() => {
                 if (!res.headersSent)
                     sendJson(res, 500, { error: 'internal error' });
             });
@@ -629,7 +637,7 @@ async function handleDeploy(req, res, registry, options, maxBody, tenant, gate,
         return sendJson(res, 413, { error: 'request body too large' });
     let manifest;
     let connectors;
-    let accessMode = 'caller-key';
+    let accessMode = 'owner-only';
     try {
         const parsed = JSON.parse(body.text);
         if (typeof parsed.manifest !== 'string')
@@ -645,7 +653,10 @@ async function handleDeploy(req, res, registry, options, maxBody, tenant, gate,
         }
         if (parsed.accessMode !== undefined) {
             if (!isAccessMode(parsed.accessMode)) {
-                throw new Error('"accessMode" must be "caller-key", "owner-only", or "org-members"');
+                if (parsed.accessMode === 'caller-key') {
+                    throw new Error('caller-key access has been removed; use owner-only or org-members');
+                }
+                throw new Error('"accessMode" must be "owner-only" or "org-members"');
             }
             accessMode = parsed.accessMode;
         }
@@ -671,7 +682,7 @@ async function handleDeploy(req, res, registry, options, maxBody, tenant, gate,
         });
         return sendJson(res, 400, { ok: false, errors: result.errors });
     }
-    // Counts only — never secret names or values, never the minted caller key or its hash.
+    // Counts only — never secret names or values.
     logger.info('deploy.ok', {
         deploymentId: result.deploymentId,
         org: tenant.org,
@@ -690,13 +701,10 @@ async function handleDeploy(req, res, registry, options, maxBody, tenant, gate,
         url: tenant.env === 'prod'
             ? `${base}/o/${tenant.org}/${tenant.app}/mcp`
             : `${base}/o/${tenant.org}/${tenant.app}/${tenant.env}/mcp`,
-        // Caller-key deploys only: shown once, callers send `Authorization: Bearer <callerKey>` (only the hash
-        // is stored). Identity-based deploys mint no key — callers authenticate with their own identity.
-        ...(result.callerKey !== undefined ? { callerKey: result.callerKey } : {}),
     });
 }
 function isAccessMode(value) {
-    return value === 'caller-key' || value === 'owner-only' || value === 'org-members';
+    return value === 'owner-only' || value === 'org-members';
 }
 function isIdentityAccessMode(accessMode) {
     return accessMode === 'owner-only' || accessMode === 'org-members';
@@ -796,7 +804,7 @@ async function handleMembers(req, res, gate, controlPlane, maxBody, ref) {
     return sendJson(res, 404, { error: 'not found' });
 }
 async function handleConfigValues(req, res, gate, controlPlane, configStore, maxBody, ref) {
-    const identity = await authorizeControlPlane(req, res, gate, { requireIdentity: false });
+    const identity = await authorizeControlPlane(req, res, gate, { requireIdentity: true });
     if (identity === false)
         return;
     if (ref.invalid !== undefined)
@@ -843,30 +851,66 @@ async function handleConfigValues(req, res, gate, controlPlane, configStore, max
     }
     return sendJson(res, 404, { error: 'not found' });
 }
-async function handleDeployments(req, res, registry, gate, controlPlane, ref, url) {
+async function authorizeTenantControl(req, res, gate, controlPlane, org) {
     const identity = await authorizeControlPlane(req, res, gate, { requireIdentity: true });
     if (identity === false)
-        return;
+        return false;
     if (!identity.superAdmin) {
-        const member = await controlPlane.isOrgMember({ org: ref.org, subject: identity.subject });
-        if (!member)
-            return sendForbidden(res, 'forbidden');
+        const member = await controlPlane.isOrgMember({ org, subject: identity.subject });
+        if (!member) {
+            sendForbidden(res, 'forbidden');
+            return false;
+        }
     }
-    const app = url.searchParams.get('app') ?? undefined;
-    const env = url.searchParams.get('env') ?? undefined;
+    return identity;
+}
+async function handleDeploymentStatus(req, res, registry, gate, controlPlane, tenant, options) {
+    const identity = await authorizeTenantControl(req, res, gate, controlPlane, tenant.org);
+    if (identity === false)
+        return;
     try {
-        const deployments = await registry.listDeployments({
-            org: ref.org,
-            ...(app !== undefined ? { app } : {}),
-            ...(env !== undefined ? { env } : {}),
+        const base = options.publicBaseUrl ?? baseFromRequest(req, options.tls ?? {});
+        const status = await registry.getStatus(tenant, base);
+        if (status === undefined)
+            return sendJson(res, 404, { error: 'no active deployment' });
+        return sendJson(res, 200, { ok: true, ...status });
+    }
+    catch (error) {
+        return sendJson(res, 400, { error: error.message });
+    }
+}
+async function handleAccessUpdate(req, res, registry, gate, controlPlane, maxBody, tenant) {
+    const identity = await authorizeTenantControl(req, res, gate, controlPlane, tenant.org);
+    if (identity === false)
+        return;
+    const body = await readJsonBody(req, maxBody);
+    if (!body.ok)
+        return sendJson(res, body.status, { error: body.error });
+    const parsed = body.value;
+    if (!isAccessMode(parsed.accessMode)) {
+        const message = parsed.accessMode === 'caller-key'
+            ? 'caller-key access has been removed; use owner-only or org-members'
+            : '"accessMode" must be "owner-only" or "org-members"';
+        return sendJson(res, 400, { error: message });
+    }
+    try {
+        const record = await registry.updateAccess(tenant, parsed.accessMode);
+        if (record === undefined)
+            return sendJson(res, 404, { error: 'no active deployment' });
+        return sendJson(res, 200, {
+            ok: true,
+            target: tenant,
+            deployment: {
+                deploymentId: record.deploymentId,
+                accessMode: record.accessMode ?? 'owner-only',
+            },
         });
-        return sendJson(res, 200, { ok: true, deployments });
     }
     catch (error) {
         return sendJson(res, 400, { error: error.message });
     }
 }
-async function handleKeys(req, res, registry, gate, controlPlane, ref) {
+async function handleDeployments(req, res, registry, gate, controlPlane, ref, url) {
     const identity = await authorizeControlPlane(req, res, gate, { requireIdentity: true });
     if (identity === false)
         return;
@@ -875,47 +919,19 @@ async function handleKeys(req, res, registry, gate, controlPlane, ref) {
         if (!member)
             return sendForbidden(res, 'forbidden');
     }
-    if (req.method === 'GET' && ref.action === undefined) {
+    const app = url.searchParams.get('app') ?? undefined;
+    const env = url.searchParams.get('env') ?? undefined;
+    try {
         const deployments = await registry.listDeployments({
             org: ref.org,
-            app: ref.app,
-            env: ref.env,
-        });
-        return sendJson(res, 200, {
-            ok: true,
-            keys: deployments
-                .filter((deployment) => deployment.active && deployment.hasCallerKey)
-                .map((deployment) => ({
-                org: deployment.orgSlug,
-                app: deployment.appSlug,
-                env: deployment.environment,
-                deploymentId: deployment.deploymentId,
-                active: deployment.active,
-                createdAt: deployment.createdAt,
-            })),
+            ...(app !== undefined ? { app } : {}),
+            ...(env !== undefined ? { env } : {}),
         });
+        return sendJson(res, 200, { ok: true, deployments });
     }
-    if (req.method === 'POST' && ref.action === 'rotate') {
-        const rotated = await registry.rotateCallerKey(ref);
-        if (!rotated) {
-            return sendJson(res, 404, {
-                error: 'no active caller-key deployment found for this app environment',
-            });
-        }
-        return sendJson(res, 201, {
-            ok: true,
-            key: {
-                org: rotated.deployment.orgSlug,
-                app: rotated.deployment.appSlug,
-                env: rotated.deployment.environment,
-                deploymentId: rotated.deployment.deploymentId,
-                active: rotated.deployment.active,
-                createdAt: new Date().toISOString(),
-            },
-            callerKey: rotated.key,
-        });
+    catch (error) {
+        return sendJson(res, 400, { error: error.message });
     }
-    return sendJson(res, 404, { error: 'not found' });
 }
 async function authorizeControlPlane(req, res, gate, options) {
     const auth = await gate.authorize(req);
@@ -1020,17 +1036,22 @@ function parseDeploymentsPath(pathname) {
         return undefined;
     }
 }
-function parseKeysPath(pathname) {
-    const match = /^\/v1\/orgs\/([^/]+)\/apps\/([^/]+)\/envs\/([^/]+)\/keys(?:\/(rotate))?$/.exec(pathname);
+function parseTenantStatusPath(pathname) {
+    return parseTenantActionPath(pathname, 'status');
+}
+function parseTenantAccessPath(pathname) {
+    return parseTenantActionPath(pathname, 'access');
+}
+function parseTenantActionPath(pathname, action) {
+    const match = new RegExp(`^/v1/orgs/([^/]+)/apps/([^/]+)/envs/([^/]+)/${action}$`).exec(pathname);
     if (!match)
         return undefined;
     try {
-        const ref = validateTenantRef({
+        return validateTenantRef({
             org: decodeURIComponent(match[1]),
             app: decodeURIComponent(match[2]),
             env: decodeURIComponent(match[3]),
         });
-        return { ...ref, ...(match[4] === 'rotate' ? { action: 'rotate' } : {}) };
     }
     catch {
         return undefined;
@@ -1039,6 +1060,20 @@ function parseKeysPath(pathname) {
 function createAdmissionGate(_logger) {
     return async () => ({ allow: true });
 }
+function tenantMcpUrl(base, tenant) {
+    return tenant.env === 'prod'
+        ? `${base}/o/${tenant.org}/${tenant.app}/mcp`
+        : `${base}/o/${tenant.org}/${tenant.app}/${tenant.env}/mcp`;
+}
+function missingSecretNames(errors) {
+    const names = new Set();
+    for (const error of errors) {
+        if (error.code === 'missing_secret' && error.path.startsWith('secrets.')) {
+            names.add(error.path.slice('secrets.'.length));
+        }
+    }
+    return [...names].sort();
+}
 function baseFromRequest(req, tls) {
     const host = req.headers.host ?? 'localhost';
     return `${effectiveProto(req, tls.trustProxy ?? false)}://${host}`;
@@ -1138,30 +1173,29 @@ export async function serveService(options = {}) {
                     keyResolver: await options.oauth.signer.verifierKey(),
                 });
     }
+    if (gate === undefined &&
+        resolvedVerifyOwnerToken !== undefined &&
+        resolvedAuthServerIssuer !== undefined) {
+        const allowedEmailDomain = options.controlPlaneAllowedEmailDomain ?? options.oauth?.allowedEmailDomain;
+        gate = new NoodleOAuthControlPlaneGate({
+            verifier: resolvedVerifyOwnerToken,
+            audience: normalizeOAuthResource(options.publicBaseUrl ?? resolvedAuthServerIssuer),
+            admins: options.controlPlaneAdmins ?? [],
+            ...(allowedEmailDomain !== undefined ? { allowedEmailDomain } : {}),
+        });
+    }
     gate =
         gate ??
-            (options.oauth !== undefined && resolvedVerifyOwnerToken !== undefined
-                ? new NoodleOAuthControlPlaneGate({
-                    verifier: resolvedVerifyOwnerToken,
-                    audience: normalizeServiceBase(options.publicBaseUrl ?? options.oauth.issuer),
+            (options.googleClientId !== undefined
+                ? new GoogleControlPlaneGate({
+                    audience: options.googleClientId,
                     admins: options.controlPlaneAdmins ?? [],
-                    ...(options.controlPlaneAllowedEmailDomain !== undefined ||
-                        options.oauth.allowedEmailDomain !== undefined
-                        ? {
-                            allowedEmailDomain: options.controlPlaneAllowedEmailDomain ?? options.oauth.allowedEmailDomain,
-                        }
+                    ...(options.controlPlaneAllowedEmailDomain !== undefined
+                        ? { allowedEmailDomain: options.controlPlaneAllowedEmailDomain }
                         : {}),
+                    ...(options.googleVerifier ? { verifier: options.googleVerifier } : {}),
                 })
-                : options.googleClientId !== undefined
-                    ? new GoogleControlPlaneGate({
-                        audience: options.googleClientId,
-                        admins: options.controlPlaneAdmins ?? [],
-                        ...(options.controlPlaneAllowedEmailDomain !== undefined
-                            ? { allowedEmailDomain: options.controlPlaneAllowedEmailDomain }
-                            : {}),
-                        ...(options.googleVerifier ? { verifier: options.googleVerifier } : {}),
-                    })
-                    : undefined);
+                : undefined);
     // Fail closed: never expose an unauthenticated deploy endpoint on a non-loopback bind.
     if (gate === undefined && !isLoopbackHost(host)) {
         throw new Error(`refusing to bind a non-loopback host (${host}) without deploy authentication; ` +
@@ -1258,6 +1292,16 @@ function sendForbidden(res, message) {
 function normalizeServiceBase(value) {
     return value.replace(/\/+$/, '');
 }
+function normalizeOAuthResource(value) {
+    const normalized = normalizeServiceBase(value);
+    try {
+        const url = new URL(normalized);
+        return url.pathname === '/' && url.search === '' && url.hash === '' ? url.href : normalized;
+    }
+    catch {
+        return normalized;
+    }
+}
 /** Loopback hosts may run the control plane without auth; any other bind must configure auth. */
 function isLoopbackHost(host) {
     return host === '127.0.0.1' || host === '::1' || host === 'localhost';