spaps-mcp 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.js ADDED
@@ -0,0 +1,26 @@
1
+ import {
2
+ SpapsHttpClient,
3
+ SpapsHttpError,
4
+ buildResourceDefinitions,
5
+ buildToolDefinitions,
6
+ createSpapsMcpServer,
7
+ docsPath,
8
+ docsPathWithCapturedLeadingSlash,
9
+ getWizardStep,
10
+ listWizardSteps,
11
+ resolveConfig,
12
+ resolveWizardDir
13
+ } from "./chunk-GPBTYWDD.js";
14
+ export {
15
+ SpapsHttpClient,
16
+ SpapsHttpError,
17
+ buildResourceDefinitions,
18
+ buildToolDefinitions,
19
+ createSpapsMcpServer,
20
+ docsPath,
21
+ docsPathWithCapturedLeadingSlash,
22
+ getWizardStep,
23
+ listWizardSteps,
24
+ resolveConfig,
25
+ resolveWizardDir
26
+ };
@@ -0,0 +1,125 @@
1
+ # SPAPS Surface Contract
2
+
3
+ This document defines the public surfaces around SPAPS, what each one owns, and how they are allowed to interact.
4
+
5
+ The goal is simple: one operator shell, clean integration packages, and no drift where agent skills quietly become a second product interface.
6
+
7
+ ## Core Rule
8
+
9
+ `spaps` is the self-serve administrator shell.
10
+
11
+ Everything else either powers that shell, consumes what it provisions, or orchestrates around it.
12
+
13
+ ## Surfaces
14
+
15
+ | Surface | Driven by | Owns | Must not own | Interface type | Canonical neighbor |
16
+ | --- | --- | --- | --- | --- | --- |
17
+ | `spaps` CLI (`packages/spaps`) | operator, agent, CI | account connect, app select/create, repo bootstrap/attach, local runtime orchestration, verification, machine-readable status | app business logic, framework SDK concerns, skillbox fleet ops, repo archaeology | product-facing shell | talks to `sweetpotato.dev`, local SPAPS runtimes, and repo-local config |
18
+ | `sweetpotato.dev` hosted service | platform | account identity, free tier, app registry, hosted provisioning APIs, billing for hosted surfaces | repo patching, local runtime orchestration, custom implementation workflow | product-facing backend | backs the `spaps` CLI |
19
+ | `spaps-sdk` (`packages/sdk`) | application code | frontend and Node integration against SPAPS auth, entitlements, issue reporting, and related APIs | account signup, app provisioning, repo bootstrap, operator workflows | product-facing library | consumes credentials and config created by `spaps` |
20
+ | Python `spaps` client (`packages/python-client`) | application code, services, scripts | Python access to SPAPS APIs | operator shell behavior, local runtime control, repo mutation | product-facing library | consumes credentials and config created by `spaps` |
21
+ | `spaps-server-quickstart` (`packages/python-server-quickstart`) | backend developers | FastAPI/Celery service scaffolding, auth middleware, endpoint contracts, local-mode behavior, backend templates | hosted account lifecycle, product onboarding shell, portfolio orchestration | product-facing backend scaffold | serves the runtime that `spaps` manages locally |
22
+ | skills (`skills/`, global skills, skillbox overlays) | agent | multi-repo reasoning, wiki/context synthesis, audits, migrations, managed ops, portfolio decisions, workflow composition | stable product contract, end-user onboarding surface, backend API truth | agent-only orchestration | call the CLI, read docs, and coordinate sibling repos |
23
+
24
+ ## Interaction Rules
25
+
26
+ ### 1. Skills decide and compose; CLIs execute and report
27
+
28
+ Skills may inspect repo state, overlays, plans, the wiki, and sibling repos. They can recommend or sequence work. They should call `spaps` when the task is a real operator action.
29
+
30
+ `spaps` should perform the action, emit stable human-readable output, and support JSON where agents need a machine contract.
31
+
32
+ ### 2. Provisioning starts in the shell, not in the SDKs
33
+
34
+ Application packages should assume credentials, app identity, and policy defaults already exist. They consume provisioned state; they do not create it.
35
+
36
+ ### 3. The backend scaffold is not the admin shell
37
+
38
+ `spaps-server-quickstart` defines runtime capability and local-mode semantics. It should not become the place where account connect, app selection, or repo bootstrap logic lives.
39
+
40
+ ### 4. `sweetpotato.dev` is the hosted backing service, not the primary operator interface
41
+
42
+ The website and hosted APIs hold account and app state. The shell is still `spaps`.
43
+
44
+ ### 5. Managed operations stay outside the shell
45
+
46
+ `skillbox` and its overlays own managed boxes, runtime distribution, and higher-trust fleet operations. `buildooor` owns custom implementation work. The `spaps` CLI can hand users toward those layers, but it must not absorb their responsibilities.
47
+
48
+ ## OpenAPI Auth Metadata
49
+
50
+ Every operation in `docs/api-reference.yaml` must carry standard OpenAPI
51
+ `security` requirements and an `x-spaps-auth` object generated from the
52
+ FastAPI route dependencies.
53
+
54
+ Allowed `x-spaps-auth.auth_type` values:
55
+
56
+ | Value | Meaning |
57
+ | --- | --- |
58
+ | `public` | No SPAPS credential required. |
59
+ | `application` | Requires an application API key, with publishable or secret acceptance recorded in `api_key.accepted`. |
60
+ | `application_optional_user` | Requires an application API key and accepts, but does not require, a bearer user token. |
61
+ | `user` | Requires an application API key plus a bearer user token. |
62
+ | `admin` | Requires a secret application key plus a bearer token with the `admin` role. |
63
+ | `super_admin` | Requires a secret application key plus a bearer token with the `super_admin` role. |
64
+ | `stripe_webhook_signature` | Requires a Stripe provider signature instead of a SPAPS application key. |
65
+ | `mailgun_webhook_signature` | Requires a Mailgun provider signature instead of a SPAPS application key. |
66
+
67
+ The `x-spaps-auth` object is fail-closed: unknown `auth_type`, API key type,
68
+ security scheme, JWT shape, role, or provider-signature scheme values fail
69
+ `npm run docs:validate-openapi`. The canonical generator and validator live in
70
+ `spaps_server_quickstart.openapi_auth` and
71
+ `scripts/validate_openapi_auth_metadata.py`; new route dependencies must update
72
+ those files and the contract tests together.
73
+
74
+ ## Manifest Route Metadata
75
+
76
+ `docs/manifest.json` version `1.4` is the machine-readable route contract for
77
+ agents, SDK docs, and CLI tooling. Every endpoint entry must carry:
78
+
79
+ | Field | Type | Source of truth |
80
+ | --- | --- | --- |
81
+ | `auth` | object | `spaps_server_quickstart.openapi_auth.route_auth_metadata()` |
82
+ | `rate_tier` | string | `spaps_server_quickstart.middleware.rate_limiting.get_tier_for_endpoint()` |
83
+ | `publishable_scope` | string array or `null` | `spaps_server_quickstart.middleware.key_scope.publishable_scopes_for_endpoint()` filtered to routes whose auth accepts publishable keys |
84
+ | `entitlement_key` | string or `null` | fixed route-level entitlement gates only |
85
+
86
+ `auth` uses the same shape and vocabulary as OpenAPI `x-spaps-auth`.
87
+ `publishable_scope` is `null` when a route is public, secret-only, provider
88
+ signed, or otherwise not callable with a publishable SPAPS key. It is an array
89
+ because more than one built-in application blueprint scope may admit the same
90
+ route over time. `entitlement_key` is intentionally `null` for dynamic
91
+ entitlement checks, x402 resource rules, usage policies, and request-provided
92
+ capability controls.
93
+
94
+ Regenerate the manifest with `npm run docs:generate-manifest`; CI checks the
95
+ checked-in file with `npm run docs:validate-manifest` and fails when route
96
+ coverage or projected metadata drifts from FastAPI and middleware code.
97
+
98
+ `npm run docs:validate-sdk-parity` also enforces inverse client coverage. For
99
+ each domain in `docs/client-domain-parity.md`, a `yes` cell means that surface
100
+ must claim at least one implemented route in the domain. A backend route may
101
+ temporarily ship before its client helper only with a row in the policy file's
102
+ `Pending Client Coverage Waivers` table, and that row must reference an open
103
+ Bead. Waivers are route-level and expire when the Bead closes.
104
+
105
+ ## Administrator Journey
106
+
107
+ The intended administrator loop is:
108
+
109
+ 1. `spaps connect`
110
+ 2. `spaps bootstrap`
111
+ 3. `spaps verify`
112
+
113
+ Those verbs define the shell:
114
+
115
+ - `connect`: establish operator identity, free-tier signup/login, and default app context
116
+ - `bootstrap`: attach SPAPS to the current repo or scaffold a new app against the right blueprint
117
+ - `verify`: prove the golden path end to end, including auth, entitlements, and local runtime hints
118
+
119
+ Other commands should support that loop, not compete with it.
120
+
121
+ ## Present Naming Risk
122
+
123
+ Today the JavaScript CLI package and the Python client both publish as `spaps`. That is already enough to confuse internal audit tooling and weakens the surface boundary described here.
124
+
125
+ This document records the contract first. Package renaming, aliasing, or audit-tool disambiguation is a separate follow-on decision.
@@ -0,0 +1,36 @@
1
+ # SPAPS Glossary
2
+
3
+ Canonical terminology for the Sweet Potato Authentication & Payment Service.
4
+ Use these terms in code, API responses, docs, and SDK surface.
5
+
6
+ ## Keys
7
+
8
+ | Term | Definition |
9
+ |------|-----------|
10
+ | **secret key** | Server-side application credential (`spaps_sec_` prefix). Authenticates backend API calls. Never expose to browsers. Formerly called "API key" — that term is deprecated. |
11
+ | **publishable key** | Client-side application credential (`spaps_pub_` prefix). Safe to embed in browser/mobile code. Scoped to a subset of endpoints configured by the application blueprint. |
12
+
13
+ ## Identity
14
+
15
+ | Term | Definition |
16
+ |------|-----------|
17
+ | **user** | An authenticated identity within an application. Has an email, optional username, and optional wallet addresses. |
18
+ | **profile** | The public-facing projection of a user: id, email, username, wallets, tier, roles, permissions, and metadata. Returned by `/auth/user`. |
19
+ | **wallet** | A blockchain address linked to a user. Each wallet has a `wallet_address` and `chain_type`. |
20
+ | **wallet_address** | The on-chain address string (e.g. a Solana or Ethereum address). Always lowercase-normalized for EVM chains. |
21
+
22
+ ## Access
23
+
24
+ | Term | Definition |
25
+ |------|-----------|
26
+ | **tier** | The subscription level of a user. Canonical values: `basic` (default), `premium`, `enterprise`. Drives policy evaluation and rate limiting. |
27
+ | **subscription** | A Stripe-managed billing relationship that determines a user's tier. |
28
+ | **application** | A registered SPAPS client. Owns a secret key, publishable key, settings, and a set of users via memberships. |
29
+ | **entitlement** | A granted capability or resource access. Projected per-user via policy evaluation. Types: `access`, `feature`, `quota`. |
30
+
31
+ ## Deprecated Terms
32
+
33
+ | Deprecated | Replacement |
34
+ |-----------|------------|
35
+ | `api_key` (in API responses) | `secret_key` |
36
+ | `API key` (in docs/copy) | "secret key" or "publishable key" (be specific) |
@@ -0,0 +1,15 @@
1
+ # Sweet Potato llms.txt
2
+ # Source file copied to docs.sweetpotato.dev by deploy/reverse-proxy/sync-docs.sh.
3
+
4
+ /index.md | Sweet Potato documentation index and source-of-truth pointer.
5
+ /docs/agents/AGENT_QUICKSTART.md | Agent quickstart for local mode, API keys, auth flows, verification, capability checks, and tool-spec generation.
6
+ /docs/manifest.json | Endpoint manifest with path, category, docs, tests, and consumer-facing tags.
7
+ /docs/api-reference.yaml | OpenAPI contract for SPAPS HTTP routes and schemas.
8
+ /docs/guides/authentication-methods.md | Canonical authentication method matrix, security caveats, rate tiers, key requirements, and TypeScript/Python examples.
9
+ /docs/guides/email-authentication.md | Password, OIDC, SMS, WebAuthn, magic-link, MFA, password reset, and email-delivery auth guide.
10
+ /docs/guides/magic-link-authentication.md | Magic-link request and verification behavior, including MFA challenge handling.
11
+ /packages/sdk/README.md | TypeScript SDK usage for auth, payments, sessions, entitlements, access, graph, and domain helpers.
12
+ /packages/python-client/README.md | Python SDK usage for sync and async auth, MFA, OIDC, WebAuthn, payments, sessions, and domain helpers.
13
+ /packages/spaps/AI_TOOLS.json | Generated OpenAI-style SPAPS tool spec for agent callers.
14
+ /docs/manifest.json tags | admin-stripe, affiliate-referrals, agent, agent-approvals, app-links, apply-log, attribution, audit, auth, authorization, authz, billing-accounts, capability-graph, cfo, controlled-reveal, crypto-payments, dayrate, dev, device-flow, discovery, docs, elevenlabs, email, entitlements, experiments, features, fixtures, governance, handoff, health, history, hosted-assets, idempotency, insights, invitations, issue-reporting, ledger, local, marketing-events, memberships, notifications, operator-control-plane, other, outbox, paid-resources, paid-review, payments, policies, privacy, project-grants, publishable-key, realtime, receipts, reporter-thread, results, reviews, rollups, screenshots, secret-key, secure-messages, security, self-service, service-admin, sessions, short-links, skill-evals, status, stripe, stripe-webhooks, support-triage, triage, usage, user-messaging, users, voice, webhooks, whitelist, x402.
15
+ /sweet-potato-logo.jpg | Sweet Potato brand image.
@@ -0,0 +1,149 @@
1
+ # SPAPS Integration Step 1/12: Project Setup & Dependencies
2
+
3
+ ## Your Current Task
4
+
5
+ You are setting up a new Next.js application with SPAPS integration. This is the foundation - getting this right is critical.
6
+
7
+ ## Required TodoWrite List
8
+
9
+ Create a TodoWrite with EXACTLY these items (copy this list):
10
+
11
+ ```javascript
12
+ TodoWrite({
13
+ todos: [
14
+ { content: "Create Next.js app with TypeScript and App Router", status: "pending", activeForm: "Creating Next.js app with TypeScript and App Router" },
15
+ { content: "Initialize shadcn/ui with Default style and Slate base color", status: "pending", activeForm: "Initializing shadcn/ui with Default style and Slate base color" },
16
+ { content: "Install spaps-sdk from npm (version 1.0.1)", status: "pending", activeForm: "Installing spaps-sdk from npm" },
17
+ { content: "Install spaps CLI in devDependencies", status: "pending", activeForm: "Installing spaps CLI in devDependencies" },
18
+ { content: "Install concurrently in devDependencies", status: "pending", activeForm: "Installing concurrently in devDependencies" },
19
+ { content: "Update package.json dev script to run spaps local", status: "pending", activeForm: "Updating package.json dev script" },
20
+ { content: "Verify all dependencies are correctly installed", status: "pending", activeForm: "Verifying dependencies" },
21
+ { content: "Request step 2 of SPAPS integration wizard", status: "pending", activeForm: "Requesting next step" }
22
+ ]
23
+ })
24
+ ```
25
+
26
+ ## Step-by-Step Instructions
27
+
28
+ ### 1. Create Next.js Application
29
+ ```bash
30
+ npx create-next-app@latest spaps-demo --typescript --tailwind --app --no-src-dir --import-alias "@/*"
31
+ cd spaps-demo
32
+ ```
33
+
34
+ ### 2. Setup shadcn/ui
35
+ ```bash
36
+ npx shadcn@latest init
37
+ ```
38
+ When prompted, choose:
39
+ - ✅ Style: **Default** (NOT New York)
40
+ - ✅ Base color: **Slate**
41
+ - ✅ CSS variables: **Yes**
42
+
43
+ ### 3. Install SPAPS SDK
44
+ ```bash
45
+ npm install spaps-sdk
46
+ ```
47
+ ⚠️ **CRITICAL**: The package is `spaps-sdk` NOT:
48
+ - ❌ @sweet-potato/sdk
49
+ - ❌ @sweetpotato/sdk
50
+ - ❌ sweet-potato-sdk
51
+
52
+ ### 4. Install Development Dependencies
53
+ ```bash
54
+ npm install -D spaps concurrently
55
+ ```
56
+
57
+ ### 5. Update package.json Scripts
58
+ Edit package.json and update the dev script:
59
+ ```json
60
+ {
61
+ "scripts": {
62
+ "dev": "concurrently \"npx spaps local\" \"next dev\"",
63
+ "build": "next build",
64
+ "start": "next start",
65
+ "lint": "next lint"
66
+ }
67
+ }
68
+ ```
69
+
70
+ ## Validation Checklist
71
+
72
+ Before marking this step complete, verify:
73
+
74
+ ✅ **package.json** contains:
75
+ ```json
76
+ {
77
+ "dependencies": {
78
+ "spaps-sdk": "^1.0.1",
79
+ "next": "^15.0.0",
80
+ // ... other deps
81
+ },
82
+ "devDependencies": {
83
+ "spaps": "^0.3.2",
84
+ "concurrently": "^8.0.0",
85
+ // ... other dev deps
86
+ }
87
+ }
88
+ ```
89
+
90
+ ✅ **Dev script** includes both commands:
91
+ ```json
92
+ "dev": "concurrently \"npx spaps local\" \"next dev\""
93
+ ```
94
+
95
+ ✅ **shadcn/ui** is configured with:
96
+ - components.json exists
97
+ - Uses Default style (not New York)
98
+ - Uses Slate as base color
99
+
100
+ ✅ **Project structure** has:
101
+ - app/ directory (App Router)
102
+ - TypeScript configured
103
+ - Tailwind CSS working
104
+
105
+ ## Common Mistakes to Avoid
106
+
107
+ ❌ **Wrong package name**: Using @sweet-potato/sdk instead of spaps-sdk
108
+ ❌ **Missing concurrently**: Not installing or using concurrently
109
+ ❌ **Wrong dev script**: Not including spaps local command
110
+ ❌ **Wrong shadcn style**: Choosing New York instead of Default
111
+ ❌ **Missing TypeScript**: Creating JavaScript project instead
112
+
113
+ ## Testing Your Setup
114
+
115
+ Run this command to test:
116
+ ```bash
117
+ npm run dev
118
+ ```
119
+
120
+ You should see:
121
+ - SPAPS starting on port **3301** (NOT 3000, 3300, or 3456)
122
+ - Next.js starting on port 3000
123
+ - No dependency errors
124
+
125
+ ## Next Step
126
+
127
+ When ALL todos are ✅ complete and validation passes:
128
+
129
+ ```javascript
130
+ mcp__product-manager__get_agent_instructions({
131
+ category: "spaps-integration",
132
+ project: "spaps-demo",
133
+ step: 2
134
+ })
135
+ ```
136
+
137
+ ## Need Help?
138
+
139
+ If you're stuck, create a detailed task describing the issue:
140
+ ```javascript
141
+ mcp__product-manager__create_task({
142
+ project: "spaps-integration",
143
+ description: "Step 1 Blocker: [specific issue description]",
144
+ category: "bug",
145
+ priority: "high"
146
+ })
147
+ ```
148
+
149
+ Remember: **Get this foundation right!** All subsequent steps depend on correct setup.
@@ -0,0 +1,291 @@
1
+ # SPAPS Integration Step 2/12: Environment Configuration
2
+
3
+ ## Prerequisites Check
4
+
5
+ Before starting, confirm you have completed:
6
+ - ✅ Step 1: Project setup with all dependencies installed
7
+ - ✅ Next.js app created with TypeScript
8
+ - ✅ shadcn/ui initialized
9
+ - ✅ spaps-sdk and spaps CLI installed
10
+
11
+ ## Required TodoWrite List
12
+
13
+ Create a TodoWrite with EXACTLY these items:
14
+
15
+ ```javascript
16
+ TodoWrite({
17
+ todos: [
18
+ { content: "Create .env.local file in project root", status: "pending", activeForm: "Creating .env.local file" },
19
+ { content: "Set NEXT_PUBLIC_SPAPS_API_URL to http://localhost:3301", status: "pending", activeForm: "Setting API URL to port 3301" },
20
+ { content: "Add SPAPS_API_KEY configuration", status: "pending", activeForm: "Adding API key configuration" },
21
+ { content: "Add admin credentials for later use", status: "pending", activeForm: "Adding admin credentials" },
22
+ { content: "Create .env.local.example for documentation", status: "pending", activeForm: "Creating example env file" },
23
+ { content: "Add .env.local to .gitignore", status: "pending", activeForm: "Adding to gitignore" },
24
+ { content: "Verify environment variables are loaded", status: "pending", activeForm: "Verifying environment setup" },
25
+ { content: "Request step 3 of SPAPS integration wizard", status: "pending", activeForm: "Requesting next step" }
26
+ ]
27
+ })
28
+ ```
29
+
30
+ ## Environment Configuration
31
+
32
+ ### 1. Create .env.local File
33
+
34
+ In your project root (same level as package.json), create `.env.local`:
35
+
36
+ ```bash
37
+ touch .env.local
38
+ ```
39
+
40
+ ### 2. Add Environment Variables
41
+
42
+ ⚠️ **CRITICAL**: The port MUST be 3301, not 3000, 3300, or 3456!
43
+
44
+ ```env
45
+ # .env.local
46
+
47
+ # SPAPS Configuration - Port 3301 is REQUIRED
48
+ NEXT_PUBLIC_SPAPS_API_URL=http://localhost:3301
49
+ SPAPS_API_KEY=test_key_local_dev_only
50
+
51
+ # Admin Credentials (for whitelist/admin operations)
52
+ NEXT_PUBLIC_ADMIN_EMAIL=admin@example.com
53
+ NEXT_PUBLIC_ADMIN_PASSWORD=Admin123!
54
+
55
+ # App Configuration
56
+ NEXT_PUBLIC_APP_URL=http://localhost:3000
57
+
58
+ # Optional: For production (not available yet)
59
+ # NEXT_PUBLIC_SPAPS_API_URL=https://api.sweetpotato.dev
60
+ # SPAPS_API_KEY=your_production_api_key_here
61
+ ```
62
+
63
+ ### 3. Create .env.local.example
64
+
65
+ Create a template for other developers:
66
+
67
+ ```env
68
+ # .env.local.example
69
+
70
+ # SPAPS Configuration (Port 3301 is standardized)
71
+ NEXT_PUBLIC_SPAPS_API_URL=http://localhost:3301
72
+ SPAPS_API_KEY=test_key_local_dev_only
73
+
74
+ # Admin credentials for whitelist/admin operations
75
+ NEXT_PUBLIC_ADMIN_EMAIL=admin@example.com
76
+ NEXT_PUBLIC_ADMIN_PASSWORD=your_admin_password_here
77
+
78
+ # Next.js Configuration
79
+ NEXT_PUBLIC_APP_URL=http://localhost:3000
80
+
81
+ # Note: SPAPS runs on port 3301 in this repository
82
+ # Production API not yet available
83
+ ```
84
+
85
+ ### 4. Update .gitignore
86
+
87
+ Make sure `.env.local` is NOT committed:
88
+
89
+ ```gitignore
90
+ # Environment variables
91
+ .env*.local
92
+ .env.local
93
+
94
+ # Keep the example file
95
+ !.env.local.example
96
+ ```
97
+
98
+ ### 5. Verify Configuration
99
+
100
+ Create a test file to verify environment variables:
101
+
102
+ ```typescript
103
+ // app/api/test-env/route.ts
104
+ import { NextResponse } from 'next/server'
105
+
106
+ export async function GET() {
107
+ return NextResponse.json({
108
+ apiUrl: process.env.NEXT_PUBLIC_SPAPS_API_URL,
109
+ hasApiKey: !!process.env.SPAPS_API_KEY,
110
+ hasAdminEmail: !!process.env.NEXT_PUBLIC_ADMIN_EMAIL,
111
+ nodeEnv: process.env.NODE_ENV
112
+ })
113
+ }
114
+ ```
115
+
116
+ Test it:
117
+ ```bash
118
+ curl http://localhost:3000/api/test-env
119
+ ```
120
+
121
+ Should return:
122
+ ```json
123
+ {
124
+ "apiUrl": "http://localhost:3301",
125
+ "hasApiKey": true,
126
+ "hasAdminEmail": true,
127
+ "nodeEnv": "development"
128
+ }
129
+ ```
130
+
131
+ ## Important Port Information
132
+
133
+ ### Why Port 3301?
134
+
135
+ This repository's SPAPS server defaults to port 3301.
136
+ - ✅ 3301 - Correct SPAPS port here
137
+ - ❌ 3000 - This is your Next.js app
138
+ - ❌ 3300 - Old port (legacy)
139
+ - ❌ 3456 - Old port used in previous docs
140
+ - ❌ 8080 - Wrong, not SPAPS
141
+
142
+ ### Running Both Servers
143
+
144
+ Your `package.json` dev script (from Step 1) runs both:
145
+ ```json
146
+ "dev": "concurrently \"npx spaps local\" \"next dev\""
147
+ ```
148
+
149
+ This starts:
150
+ - SPAPS on `http://localhost:3301`
151
+ - Next.js on `http://localhost:3000`
152
+
153
+ ## Environment Variable Naming
154
+
155
+ ### Public vs Private Variables
156
+
157
+ - `NEXT_PUBLIC_*` - Available in browser and server
158
+ - Without prefix - Server-side only
159
+
160
+ ```typescript
161
+ // Browser accessible
162
+ process.env.NEXT_PUBLIC_SPAPS_API_URL ✅
163
+
164
+ // Server-only
165
+ process.env.SPAPS_API_KEY ✅ (backend only)
166
+ ```
167
+
168
+ ## Validation Checklist
169
+
170
+ ✅ **File Structure**:
171
+ - `.env.local` exists in project root
172
+ - `.env.local.example` created for documentation
173
+ - `.gitignore` updated to exclude `.env.local`
174
+
175
+ ✅ **Configuration Values**:
176
+ - `NEXT_PUBLIC_SPAPS_API_URL` = `http://localhost:3301`
177
+ - Port is 3301 (NOT 3000, 3300, or 3456)
178
+ - API key is set to `test_key_local_dev_only`
179
+ - Admin credentials are configured
180
+
181
+ ✅ **Testing**:
182
+ - Environment variables load correctly
183
+ - Test endpoint returns expected values
184
+ - No errors in console
185
+
186
+ ## Common Mistakes to Avoid
187
+
188
+ ❌ **Wrong port**:
189
+ ```env
190
+ # WRONG
191
+ NEXT_PUBLIC_SPAPS_API_URL=http://localhost:3000 # This is Next.js
192
+ NEXT_PUBLIC_SPAPS_API_URL=http://localhost:3300 # Old port
193
+ ```
194
+
195
+ ❌ **Missing NEXT_PUBLIC prefix**:
196
+ ```env
197
+ # WRONG - Won't be available in browser
198
+ SPAPS_API_URL=http://localhost:3301
199
+ ```
200
+
201
+ ❌ **Committing secrets**:
202
+ ```gitignore
203
+ # WRONG - Forgot to add to .gitignore
204
+ # .env.local will be committed!
205
+ ```
206
+
207
+ ❌ **Using production URL**:
208
+ ```env
209
+ # WRONG - Production not available yet
210
+ NEXT_PUBLIC_SPAPS_API_URL=https://api.sweetpotato.dev
211
+ ```
212
+
213
+ ## Testing Your Setup
214
+
215
+ Run this command to verify SPAPS is accessible:
216
+
217
+ ```bash
218
+ # Start your dev server first
219
+ npm run dev
220
+
221
+ # In another terminal, test SPAPS
222
+ curl http://localhost:3301/health
223
+ ```
224
+
225
+ Should return:
226
+ ```json
227
+ {
228
+ "status": "ok",
229
+ "mode": "local",
230
+ "version": "0.3.2"
231
+ }
232
+ ```
233
+
234
+ ## Troubleshooting
235
+
236
+ ### Port Already in Use
237
+
238
+ If port 3301 is already in use:
239
+ ```bash
240
+ # Find what's using port 3301
241
+ lsof -i :3301
242
+
243
+ # Kill the process
244
+ kill -9 <PID>
245
+ ```
246
+
247
+ ### Environment Variables Not Loading
248
+
249
+ 1. Restart your dev server
250
+ 2. Check file is named exactly `.env.local`
251
+ 3. Verify you're in the project root
252
+ 4. Try clearing Next.js cache:
253
+ ```bash
254
+ rm -rf .next
255
+ npm run dev
256
+ ```
257
+
258
+ ### SPAPS Not Starting
259
+
260
+ Check your package.json dev script:
261
+ ```json
262
+ "dev": "concurrently \"npx spaps local\" \"next dev\""
263
+ ```
264
+
265
+ ## Security Notes
266
+
267
+ ⚠️ **Never commit real credentials**:
268
+ - Use `.env.local` for local development
269
+ - Use environment variables in production
270
+ - Never hardcode API keys in code
271
+ - Admin passwords should be strong
272
+
273
+ ## Next Step
274
+
275
+ When ALL todos are ✅ complete and environment is configured:
276
+
277
+ ```javascript
278
+ mcp__product-manager__get_agent_instructions({
279
+ category: "spaps-integration",
280
+ project: "spaps-demo",
281
+ step: 3
282
+ })
283
+ ```
284
+
285
+ ## Summary
286
+
287
+ Environment configuration is critical for SPAPS integration:
288
+ - **Port 3301** is the standard in this repository
289
+ - **NEXT_PUBLIC_** prefix for browser-accessible variables
290
+ - **Never commit** `.env.local` file
291
+ - **Always test** your configuration before proceeding