systematics-mcp 1.0.1 → 1.0.2

package/README.md

@@ -6,7 +6,7 @@ Claude Code MCP server for the [Systematics](https://app.dovito.com) platform by
 
 ### 1. Add to Claude Code
 
-Add this to your `~/.claude/settings.json`:
+Add this to your project or global `.mcp.json` file:
 
 ```json
 {
@@ -21,12 +21,14 @@ Add this to your `~/.claude/settings.json`:
 
 ### 2. Authenticate
 
-Start a Claude Code session. The first time you use a Systematics tool, your browser will open to sign in. Click **Authorize Claude Code** and you're connected. Your token is saved locally at `~/.systematics/token` and reused automatically for 90 days.
+Restart Claude Code, then use `/mcp` to see Systematics listed. The first time you use a Systematics tool, your browser will open to sign in. Click **Authorize Claude Code** and you're connected. Your token is saved locally at `~/.systematics/token` and reused automatically for 90 days.
 
 That's it. No API keys, no repo access, no manual setup.
 
 ## How It Works
 
+- The MCP server starts silently -- no browser popup on launch
+- Authentication only triggers when you actually use a Systematics tool
 - You sign in with your normal Systematics account (Google or email)
 - Claude Code gets the same permissions as your account
 - Clients see only their business data
@@ -61,9 +63,32 @@ That's it. No API keys, no repo access, no manual setup.
 | `SYSTEMATICS_TOKEN` | - | Skip browser auth by providing a token directly |
 | `DOVITO_APP_URL` | `https://app.dovito.com` | Custom app URL (for self-hosted instances) |
 
+## Development
+
+The MCP server lives in `mcp-server/` inside the [app.dovito.com](https://github.com/dovito-dev/app.dovito.com) repository.
+
+```bash
+cd mcp-server
+npm install
+npm run dev    # Run locally with tsx
+npm run build  # Compile TypeScript
+```
+
+### CI/CD
+
+Publishing to npm is automated via GitHub Actions. To release a new version:
+
+1. Make changes in `mcp-server/`
+2. Bump the version in `mcp-server/package.json`
+3. Push to `main`
+4. GitHub Actions builds and publishes to npm automatically
+
+If you push without bumping the version, the workflow skips the publish step.
+
 ## Security
 
-- Tokens are hashed before storage in the database
-- Token file is stored with `0o600` permissions (owner-only)
+- Tokens are hashed (HMAC-SHA256) before storage in the database
+- Token file is stored with `0o600` permissions in a `0o700` directory
 - Auth callback uses POST (token never appears in URLs or browser history)
 - All API calls go through the same validation and rate limiting as the web UI
+- SSRF prevention: `DOVITO_APP_URL` is validated against an allowlist before any network call

package/dist/api-client.d.ts

@@ -5,7 +5,8 @@
 export declare class ApiClient {
     private baseUrl;
     private token;
-    constructor(baseUrl: string, token: string);
+    private onAuthError?;
+    constructor(baseUrl: string, token: string, onAuthError?: () => void);
     private request;
     get<T>(path: string): Promise<T>;
     post<T>(path: string, body: unknown): Promise<T>;

package/dist/api-client.js

@@ -5,9 +5,11 @@
 export class ApiClient {
     baseUrl;
     token;
-    constructor(baseUrl, token) {
+    onAuthError;
+    constructor(baseUrl, token, onAuthError) {
         this.baseUrl = baseUrl.replace(/\/$/, "");
         this.token = token;
+        this.onAuthError = onAuthError;
     }
     async request(method, path, body) {
         const url = `${this.baseUrl}${path}`;
@@ -21,6 +23,9 @@ export class ApiClient {
             body: body ? JSON.stringify(body) : undefined,
         });
         if (!res.ok) {
+            if (res.status === 401 && this.onAuthError) {
+                this.onAuthError();
+            }
             const text = await res.text();
             let msg;
             try {
@@ -29,7 +34,6 @@ export class ApiClient {
             catch {
                 msg = text;
             }
-            // Truncate error message to avoid leaking internal details
             const safeMsg = msg.length > 500 ? msg.slice(0, 500) + "..." : msg;
             throw new Error(`API ${method} ${path} returned ${res.status}: ${safeMsg}`);
         }

package/dist/auth.d.ts

@@ -2,6 +2,10 @@
  * Get the stored personal access token, or null if not found/expired.
  */
 export declare function getStoredToken(): string | null;
+/**
+ * Delete the stored token (e.g. on 401 so re-auth triggers next time).
+ */
+export declare function clearStoredToken(): void;
 /**
  * Run the browser-based authentication flow:
  * 1. Start a temporary local HTTP server

package/dist/auth.js

@@ -21,6 +21,17 @@ export function getStoredToken() {
         return null;
     }
 }
+/**
+ * Delete the stored token (e.g. on 401 so re-auth triggers next time).
+ */
+export function clearStoredToken() {
+    try {
+        if (existsSync(TOKEN_FILE)) {
+            writeFileSync(TOKEN_FILE, "", { mode: 0o600 });
+        }
+    }
+    catch { /* ignore */ }
+}
 /**
  * Save a token to the local config directory.
  */
@@ -100,7 +111,7 @@ export async function authenticateViaBrowser(appUrl) {
   <div class="card">
     <div class="check"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><path d="M20 6L9 17l-5-5"/></svg></div>
     <h1>Connected to Systematics</h1>
-    <p>You can close this tab and return to Claude Code.</p>
+    <p>You can close this tab and return to your application.</p>
   </div>
 </body>
 </html>`);
@@ -126,7 +137,8 @@ export async function authenticateViaBrowser(appUrl) {
                 return;
             }
             const callbackUrl = `http://127.0.0.1:${addr.port}/callback`;
-            const authUrl = `${appUrl}/auth/mcp?callback=${encodeURIComponent(callbackUrl)}`;
+            const clientName = process.env.MCP_CLIENT_NAME || "Claude Code";
+            const authUrl = `${appUrl}/auth/mcp?callback=${encodeURIComponent(callbackUrl)}&client=${encodeURIComponent(clientName)}`;
             // Write to stderr so Claude Code can show it (stdout is MCP protocol)
             process.stderr.write(`\nOpening browser to authenticate with Systematics...\n`);
             process.stderr.write(`If the browser doesn't open, visit: ${authUrl}\n\n`);

package/dist/index.js

@@ -3,7 +3,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
 import { ApiClient } from "./api-client.js";
-import { getStoredToken, authenticateViaBrowser } from "./auth.js";
+import { getStoredToken, authenticateViaBrowser, clearStoredToken } from "./auth.js";
 // Validate DOVITO_APP_URL against allowed hostnames to prevent SSRF
 const rawUrl = process.env.DOVITO_APP_URL || "https://app.dovito.com";
 const parsedUrl = new URL(rawUrl);
@@ -17,11 +17,16 @@ const BASE_URL = parsedUrl.origin;
 function getToken() {
     return process.env.SYSTEMATICS_TOKEN || process.env.MCP_API_KEY || getStoredToken();
 }
+// On 401, clear stored token so next call re-authenticates
+function handleAuthError() {
+    clearStoredToken();
+    api = null;
+}
 // Lazy API client -- initialized on first use or after auth
 let api = null;
 const token = getToken();
 if (token) {
-    api = new ApiClient(BASE_URL, token);
+    api = new ApiClient(BASE_URL, token, handleAuthError);
 }
 /**
  * Get the API client, triggering browser auth if not yet authenticated.
@@ -31,7 +36,7 @@ async function getApi() {
     if (api)
         return api;
     const newToken = await authenticateViaBrowser(BASE_URL);
-    api = new ApiClient(BASE_URL, newToken);
+    api = new ApiClient(BASE_URL, newToken, handleAuthError);
     return api;
 }
 const server = new McpServer({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "systematics-mcp",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "type": "module",
   "description": "Claude Code MCP server for the Systematics platform by Dovito Business Solutions",
   "bin": {