taskover-mcp 1.0.0 → 1.1.0

package/auth-flow.js

@@ -0,0 +1,275 @@
+const crypto = require("crypto");
+const http = require("http");
+const credentialStore = require("./credential-store.js");
+
+const API_BASE = "https://api.taskover.gg";
+const AUTH_PAGE_BASE = "https://taskover.gg";
+
+function generatePKCE() {
+  const verifier = crypto.randomBytes(32).toString("base64url");
+  const challenge = crypto.createHash("sha256").update(verifier).digest("base64url");
+  return { verifier, challenge };
+}
+
+function generateState() {
+  return crypto.randomBytes(32).toString("hex");
+}
+
+async function openBrowser(url) {
+  try {
+    const { default: open } = await import("open");
+    await open(url);
+    return true;
+  } catch (_) {
+    const { exec } = require("child_process");
+    const cmd = process.platform === "win32" ? `start "" "${url}"`
+              : process.platform === "darwin" ? `open "${url}"`
+              : `xdg-open "${url}"`;
+    try { exec(cmd); return true; } catch (_e) { return false; }
+  }
+}
+
+function startCallbackServer(expectedState) {
+  return new Promise((resolve, reject) => {
+    const server = http.createServer();
+    let callbackUsed = false;
+
+    server.listen(0, "127.0.0.1", () => {
+      const port = server.address().port;
+      const redirectUri = `http://127.0.0.1:${port}/callback`;
+
+      const codePromise = new Promise((resolveCode, rejectCode) => {
+        server.on("request", (req, res) => {
+          const url = new URL(req.url, `http://127.0.0.1:${port}`);
+
+          if (url.pathname !== "/callback") {
+            res.writeHead(404).end();
+            return;
+          }
+
+          if (callbackUsed) {
+            res.writeHead(400, { "Content-Type": "text/html" });
+            res.end(htmlPage("Already processed", "This authorization has already been handled.", "#fbbf24"));
+            return;
+          }
+
+          const code = url.searchParams.get("code");
+          const returnedState = url.searchParams.get("state");
+          const error = url.searchParams.get("error");
+
+          if (!returnedState || returnedState !== expectedState) {
+            callbackUsed = true;
+            res.writeHead(400, { "Content-Type": "text/html" });
+            res.end(htmlPage("Security Error", "State parameter mismatch. This may be a CSRF attack. The authorization has been rejected.", "#ef4444"));
+            setTimeout(() => server.close(), 500);
+            rejectCode(new Error("State mismatch on callback — possible CSRF. Auth rejected."));
+            return;
+          }
+
+          callbackUsed = true;
+
+          if (error) {
+            const msg = error === "user_cancelled" ? "You cancelled the authorization." : `Auth error: ${error}`;
+            res.writeHead(200, { "Content-Type": "text/html" });
+            res.end(htmlPage("Cancelled", msg, "#fbbf24"));
+            setTimeout(() => server.close(), 500);
+            rejectCode(new Error(msg));
+            return;
+          }
+
+          if (!code) {
+            res.writeHead(400, { "Content-Type": "text/html" });
+            res.end(htmlPage("Error", "No authorization code received.", "#ef4444"));
+            setTimeout(() => server.close(), 500);
+            rejectCode(new Error("No auth code received in callback"));
+            return;
+          }
+
+          res.writeHead(200, { "Content-Type": "text/html" });
+          res.end(htmlPage("Connected!", "You can close this tab. Your AI assistant is authenticated.", "#4ade80"));
+          setTimeout(() => server.close(), 500);
+          resolveCode(code);
+        });
+
+        setTimeout(() => {
+          if (!callbackUsed) {
+            callbackUsed = true;
+            server.close();
+            rejectCode(new Error("Auth timed out (5 min). Restart MCP server to try again."));
+          }
+        }, 300000);
+      });
+
+      resolve({ port, redirectUri, codePromise, server });
+    });
+
+    server.on("error", (err) => {
+      if (err.code === "EADDRINUSE" || err.code === "EACCES") {
+        reject(new Error(`Cannot bind localhost port for auth callback: ${err.message}. Is another instance running?`));
+      } else {
+        reject(err);
+      }
+    });
+  });
+}
+
+function escapeHtml(s) { return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;"); }
+
+function htmlPage(title, message, color) {
+  return `<!DOCTYPE html><html><head><meta charset="utf-8"><title>${escapeHtml(title)}</title></head>`
+    + `<body style="font-family:system-ui,sans-serif;background:#161920;color:${color};`
+    + `display:flex;align-items:center;justify-content:center;min-height:100vh;text-align:center">`
+    + `<div><h2>${escapeHtml(title)}</h2><p style="color:#afafba">${escapeHtml(message)}</p></div></body></html>`;
+}
+
+async function exchangeCodeForTokens(code, codeVerifier, state, deviceLabel) {
+  const res = await fetch(`${API_BASE}/api/mcp/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      grant_type: "authorization_code",
+      code,
+      code_verifier: codeVerifier,
+      state,
+      device_label: deviceLabel,
+    }),
+    signal: AbortSignal.timeout(15000),
+  });
+
+  if (!res.ok) {
+    const data = await res.json().catch(() => ({}));
+    throw new Error(data.error || `Token exchange failed (HTTP ${res.status})`);
+  }
+
+  return res.json();
+}
+
+async function refreshAccessToken(refreshToken) {
+  const res = await fetch(`${API_BASE}/api/mcp/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+    }),
+    signal: AbortSignal.timeout(15000),
+  });
+
+  if (!res.ok) {
+    const data = await res.json().catch(() => ({}));
+    throw new Error(data.error || `Token refresh failed (HTTP ${res.status})`);
+  }
+
+  return res.json();
+}
+
+async function authenticate(hostType) {
+  const cached = await credentialStore.read();
+  if (cached && cached.access_token && cached.refresh_token) {
+    if (cached.expires_at && Date.now() < cached.expires_at - 30000) {
+      return { accessToken: cached.access_token, refreshToken: cached.refresh_token };
+    }
+
+    try {
+      const res = await fetch(`${API_BASE}/api/auth/validate`, {
+        method: "POST",
+        headers: { "Authorization": `Bearer ${cached.access_token}` },
+        signal: AbortSignal.timeout(5000),
+      });
+      if (res.ok) {
+        const data = await res.json();
+        return { accessToken: cached.access_token, refreshToken: cached.refresh_token, displayName: data.displayName || "user" };
+      }
+    } catch (_) {}
+
+    try {
+      console.error("[AUTH] Access token expired, refreshing...");
+      const tokens = await refreshAccessToken(cached.refresh_token);
+      await credentialStore.write({
+        access_token: tokens.access_token,
+        refresh_token: tokens.refresh_token,
+        expires_at: Date.now() + (tokens.expires_in * 1000),
+        host_type: hostType,
+      });
+      return { accessToken: tokens.access_token, refreshToken: tokens.refresh_token };
+    } catch (err) {
+      console.error(`[AUTH] Refresh failed: ${err.message}. Starting browser login...`);
+      await credentialStore.clear();
+    }
+  }
+
+  console.error("[AUTH] Opening browser for login...");
+
+  const pkce = generatePKCE();
+  const state = generateState();
+
+  let callbackResult;
+  try {
+    callbackResult = await startCallbackServer(state);
+  } catch (err) {
+    console.error(`[AUTH] ${err.message}`);
+    console.error("[AUTH] Fallback: set TASKOVER_API_KEY environment variable for headless auth.");
+    throw err;
+  }
+
+  const { port, redirectUri, codePromise } = callbackResult;
+
+  const authUrl = new URL(`${AUTH_PAGE_BASE}/mcp-auth`);
+  authUrl.searchParams.set("code_challenge", pkce.challenge);
+  authUrl.searchParams.set("code_challenge_method", "S256");
+  authUrl.searchParams.set("redirect_uri", redirectUri);
+  authUrl.searchParams.set("state", state);
+  authUrl.searchParams.set("host", hostType || "MCP");
+
+  console.error("[AUTH] If your browser doesn't open, visit:");
+  console.error(`[AUTH] ${authUrl.toString()}`);
+
+  const opened = await openBrowser(authUrl.toString());
+  if (!opened) {
+    console.error("[AUTH] Could not open browser automatically. Please open the URL above.");
+  }
+
+  console.error("[AUTH] Waiting for browser authorization...");
+  let code;
+  try {
+    code = await codePromise;
+  } catch (err) {
+    console.error(`[AUTH] ${err.message}`);
+    throw err;
+  }
+
+  console.error("[AUTH] Exchanging authorization code...");
+  const tokens = await exchangeCodeForTokens(code, pkce.verifier, state, hostType);
+
+  const storageType = await credentialStore.write({
+    access_token: tokens.access_token,
+    refresh_token: tokens.refresh_token,
+    expires_at: Date.now() + (tokens.expires_in * 1000),
+    host_type: hostType,
+  });
+
+  console.error(`[AUTH] Authenticated successfully! (credentials stored in ${storageType})`);
+  return { accessToken: tokens.access_token, refreshToken: tokens.refresh_token };
+}
+
+async function reauthenticate(currentRefreshToken) {
+  try {
+    const tokens = await refreshAccessToken(currentRefreshToken);
+    await credentialStore.write({
+      access_token: tokens.access_token,
+      refresh_token: tokens.refresh_token,
+      expires_at: Date.now() + (tokens.expires_in * 1000),
+    });
+    return tokens;
+  } catch (err) {
+    await credentialStore.clear();
+    throw new Error("Session expired. Restart the MCP server to re-authenticate via browser.");
+  }
+}
+
+async function logout() {
+  await credentialStore.clear();
+  console.error("[AUTH] Logged out. Credentials cleared.");
+}
+
+module.exports = { authenticate, reauthenticate, logout };

package/cloud-adapter.js

@@ -102,10 +102,19 @@ const MCP_ALLOWED_METHODS = new Set([...MCP_ALLOWED_READS, ...MCP_ALLOWED_WRITES
 
 let _apiKey = null;
 
+// Token-based auth state (OAuth flow — set via initWithToken)
+let _accessToken = null;
+let _refreshToken = null;
+
 function init(apiKey) {
   _apiKey = apiKey;
 }
 
+function initWithToken(accessToken, refreshToken) {
+  _accessToken = accessToken;
+  _refreshToken = refreshToken;
+}
+
 function isAllowed(method) {
   return MCP_ALLOWED_METHODS.has(method);
 }
@@ -114,8 +123,8 @@ function isWrite(method) {
   return MCP_ALLOWED_WRITES.has(method);
 }
 
-async function callRpc(method, args) {
-  if (!_apiKey) throw new Error("Cloud adapter not initialized -- no API key");
+async function _doRpcCall(method, args, token) {
+  if (!token) throw new Error("Cloud adapter not initialized — no token");
   if (!isAllowed(method)) throw new Error(`Method "${method}" is not allowed through MCP`);
 
   const body = JSON.stringify({ method, args: args || [] });
@@ -131,7 +140,7 @@ async function callRpc(method, args) {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
-        "Authorization": `Bearer ${_apiKey}`,
+        "Authorization": `Bearer ${token}`,
       },
       body,
       signal: controller.signal,
@@ -139,16 +148,22 @@ async function callRpc(method, args) {
 
     clearTimeout(timer);
 
-    if (res.status === 401) {
-      throw new Error("AUTH_FAILED");
-    }
+    if (res.status === 401) throw new Error("AUTH_FAILED");
     if (res.status === 429) {
       const retryAfter = res.headers.get("retry-after") || "60";
       throw new Error(`RATE_LIMITED:${retryAfter}`);
     }
     if (!res.ok) {
-      const errBody = await res.text().catch(() => "");
-      throw new Error(`Cloud API error ${res.status}: ${errBody.slice(0, 200)}`);
+      // Privacy: extract machine-readable code only — raw error body may echo customer content.
+      let errDetail = "";
+      try {
+        const errJson = await res.json();
+        // Data Control denials have a server-generated message safe to surface (no customer content)
+        if (errJson.code && errJson.code.startsWith("DATA_CONTROL_") && errJson.message) throw new Error(errJson.message);
+        if (errJson.code) errDetail = ` code=${errJson.code}`;
+        else if (typeof errJson.error === "string" && errJson.error.length <= 60) errDetail = ` msg=${errJson.error}`;
+      } catch (e) { if (e.message && !e.message.startsWith("Cloud API")) throw e; await res.text().catch(() => ""); /* drain body */ }
+      throw new Error(`Cloud API error ${res.status}${errDetail}`);
     }
 
     // SECURITY: Enforce response size limit using byte-accurate check.
@@ -170,12 +185,29 @@ async function callRpc(method, args) {
   }
 }
 
+async function callRpc(method, args) {
+  const token = _accessToken || _apiKey;
+  try {
+    return await _doRpcCall(method, args, token);
+  } catch (err) {
+    if (err.message === "AUTH_FAILED" && _accessToken && _refreshToken) {
+      try {
+        const authFlow = require("./auth-flow.js");
+        const tokens = await authFlow.reauthenticate(_refreshToken);
+        _accessToken = tokens.access_token;
+        _refreshToken = tokens.refresh_token;
+        return await _doRpcCall(method, args, _accessToken);
+      } catch (refreshErr) {
+        throw new Error("Session expired. Restart the MCP server to re-authenticate.");
+      }
+    }
+    throw err;
+  }
+}
+
 async function validateKey() {
-  // SECURITY: Validate auth via dedicated lightweight endpoint.
-  // /api/auth/validate confirms the key is valid and returns userId + displayName.
-  // Does NOT load business data (unlike listProjects which fetches all projects).
-  // /api/health is unauthenticated and must NEVER be used for key validation.
-  if (!_apiKey) return { valid: false, error: "No API key configured" };
+  const token = _accessToken || _apiKey;
+  if (!token) return { valid: false, error: "No token or API key configured" };
 
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
@@ -183,35 +215,27 @@ async function validateKey() {
   try {
     const res = await fetch(`${API_BASE}/api/auth/validate`, {
       method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "Authorization": `Bearer ${_apiKey}`,
-      },
+      headers: { "Authorization": `Bearer ${token}` },
       signal: controller.signal,
     });
 
     clearTimeout(timer);
 
-    if (res.status === 401) {
-      return { valid: false, error: "API key is invalid or expired. Generate a new key at taskover.gg -> Settings -> Security." };
-    }
-    if (!res.ok) {
-      return { valid: false, error: `Unexpected response from api.taskover.gg (HTTP ${res.status})` };
-    }
+    if (res.status === 401) return { valid: false, error: "Token/key invalid or expired." };
+    if (!res.ok) return { valid: false, error: `Unexpected response (HTTP ${res.status})` };
 
     const data = await res.json();
     return { valid: true, displayName: data.displayName || "user" };
   } catch (err) {
     clearTimeout(timer);
-    if (err.name === "AbortError") {
-      return { valid: false, error: "Cannot reach api.taskover.gg (timeout). Check your internet connection." };
-    }
+    if (err.name === "AbortError") return { valid: false, error: "Cannot reach api.taskover.gg (timeout)" };
     return { valid: false, error: `Cannot reach api.taskover.gg: ${err.message}` };
   }
 }
 
 module.exports = {
   init,
+  initWithToken,
   isAllowed,
   isWrite,
   callRpc,

package/credential-store.js

@@ -0,0 +1,93 @@
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+
+const SERVICE_NAME = "taskover-mcp";
+const ACCOUNT_NAME = "default";
+const AUTH_DIR = path.join(os.homedir(), ".taskover");
+const TOKEN_FILE = path.join(AUTH_DIR, "auth.json");
+
+let _keytar = null;
+let _keytarAvailable = null;
+
+async function _getKeytar() {
+  if (_keytarAvailable === false) return null;
+  if (_keytar) return _keytar;
+  try {
+    _keytar = require("keytar");
+    await _keytar.getPassword(SERVICE_NAME, "__probe__");
+    _keytarAvailable = true;
+    return _keytar;
+  } catch (_) {
+    _keytarAvailable = false;
+    _keytar = null;
+    return null;
+  }
+}
+
+function _ensureAuthDir() {
+  if (!fs.existsSync(AUTH_DIR)) {
+    fs.mkdirSync(AUTH_DIR, { recursive: true, mode: 0o700 });
+  }
+}
+
+function _readFile() {
+  try {
+    return JSON.parse(fs.readFileSync(TOKEN_FILE, "utf8"));
+  } catch (_) {
+    return null;
+  }
+}
+
+function _writeFile(data) {
+  _ensureAuthDir();
+  fs.writeFileSync(TOKEN_FILE, JSON.stringify(data, null, 2), { mode: 0o600 });
+}
+
+function _deleteFile() {
+  try { fs.unlinkSync(TOKEN_FILE); } catch (_) {}
+}
+
+async function read() {
+  const kt = await _getKeytar();
+  if (kt) {
+    try {
+      const raw = await kt.getPassword(SERVICE_NAME, ACCOUNT_NAME);
+      if (raw) return JSON.parse(raw);
+    } catch (_) {}
+  }
+  return _readFile();
+}
+
+async function write(tokens) {
+  const kt = await _getKeytar();
+  if (kt) {
+    try {
+      await kt.setPassword(SERVICE_NAME, ACCOUNT_NAME, JSON.stringify(tokens));
+      // Metadata-only stub — NO tokens or secrets in the file when keychain is available
+      _writeFile({ host_type: tokens.host_type, storage: "keychain", expires_at: tokens.expires_at, issued_at: Date.now() });
+      return "keychain";
+    } catch (_) {}
+  }
+  _writeFile(tokens);
+  if (process.platform === "win32") {
+    console.error("[AUTH] Tokens stored in " + TOKEN_FILE);
+    console.error("[AUTH] Ensure this directory is not shared or synced to cloud storage.");
+  }
+  return "file";
+}
+
+async function clear() {
+  const kt = await _getKeytar();
+  if (kt) {
+    try { await kt.deletePassword(SERVICE_NAME, ACCOUNT_NAME); } catch (_) {}
+  }
+  _deleteFile();
+}
+
+async function getStorageType() {
+  const kt = await _getKeytar();
+  return kt ? "keychain" : "file";
+}
+
+module.exports = { read, write, clear, getStorageType };

package/index.js

@@ -7,21 +7,9 @@ const {
   CallToolRequestSchema,
 } = require("@modelcontextprotocol/sdk/types.js");
 
-// SECURITY: Mode selection -- cloud is the customer path, local is dev-only.
+// SECURITY: Mode selection — API key (headless) or browser auth (default).
 const CLOUD_MODE = !!process.env.TASKOVER_API_KEY;
-const LOCAL_MODE = !CLOUD_MODE && process.env.TASKOVER_LOCAL === "1";
-
-if (!CLOUD_MODE && !LOCAL_MODE) {
-  console.error("[ERROR] No API key found.");
-  console.error("Set TASKOVER_API_KEY environment variable.");
-  console.error("Get your key at taskover.gg -> Settings -> Security.");
-  process.exit(1);
-}
-
-if (LOCAL_MODE) {
-  console.error("[DEV MODE] Using local SQLite database. This mode is not for production use.");
-  console.error("[DEV MODE] Set TASKOVER_API_KEY for cloud mode.");
-}
+const BROWSER_AUTH_MODE = !CLOUD_MODE;
 
 // SECURITY: Refuse API key passed as CLI argument
 if (process.argv.some(arg => arg.startsWith("tok_"))) {
@@ -30,18 +18,14 @@ if (process.argv.some(arg => arg.startsWith("tok_"))) {
   process.exit(1);
 }
 
-let store, initDb, reloadFromDisk;
-let cloudAdapter, toolMap, validateSchema;
+const cloudAdapter = require("./cloud-adapter.js");
+const { TOOL_MAP: toolMap, validateSchema } = require("./tool-map.js");
+let authFlow;
 
 if (CLOUD_MODE) {
-  cloudAdapter = require("./cloud-adapter.js");
-  const tm = require("./tool-map.js");
-  toolMap = tm.TOOL_MAP;
-  validateSchema = tm.validateSchema;
   cloudAdapter.init(process.env.TASKOVER_API_KEY);
 } else {
-  store = require("./data-store.js");
-  ({ initDb, reloadFromDisk } = require("./db"));
+  authFlow = require("./auth-flow.js");
 }
 
 const server = new Server(
@@ -94,10 +78,10 @@ const TOOLS = [
   },
   {
     name: "taskovergg_add_project",
-    description: `DO NOT call this tool directly. Projects must be created by the user in the TaskOver desktop app.
+    description: `DO NOT call this tool directly. Projects must be created by the user on the TaskOver website.
 
 Instead of calling this tool, instruct the user with these steps:
-1. Open the TaskOver desktop app
+1. Go to taskover.gg and log in
 2. Click the project dropdown in the top-left of the sidebar
 3. Click "+ New Project" at the bottom of the dropdown
 4. Follow the 5-step project creation wizard:
@@ -1368,701 +1352,82 @@ server.setRequestHandler(ListToolsRequestSchema, async () => {
 });
 
 // ===== PROJECT SCOPE GUARD =====
-const EXEMPT_TOOLS = new Set(["taskovergg_list_projects", "taskovergg_add_project"]);
-
-function getActiveProject() {
-  return store.getSetting("active_project");
-}
-
 // ===== HANDLE TOOL CALLS =====
 
 server.setRequestHandler(CallToolRequestSchema, async (request) => {
   const { name, arguments: args } = request.params;
 
-  // ── Cloud mode: validate schema, then route through cloud adapter ──
-  if (CLOUD_MODE) {
-    const mapping = toolMap[name];
-    if (!mapping) {
-      return { content: [{ type: "text", text: `Unknown tool: ${name}` }] };
-    }
-    if (!cloudAdapter.isAllowed(mapping.rpc)) {
-      return { content: [{ type: "text", text: `Method "${mapping.rpc}" is not available in cloud mode` }] };
-    }
-
-    // SECURITY: Schema validation -- strips unknown fields, checks required + types
-    const raw = args || {};
-    const { errors, cleaned } = validateSchema(raw, mapping.schema);
-    if (errors.length > 0) {
-      return { content: [{ type: "text", text: `Validation error: ${errors.join("; ")}` }] };
-    }
-
-    try {
-      const rpcArgs = mapping.args(cleaned, raw);
-      const result = await cloudAdapter.callRpc(mapping.rpc, rpcArgs);
-      return { content: [{ type: "text", text: typeof result === "string" ? result : JSON.stringify(result, null, 2) }] };
-    } catch (err) {
-      if (err.message === "AUTH_FAILED") {
-        console.error("[ERROR] API key rejected. Shutting down.");
-        process.exit(1);
-      }
-      if (err.message.startsWith("RATE_LIMITED:")) {
-        const secs = err.message.split(":")[1];
-        return { content: [{ type: "text", text: `Rate limited. Try again in ${secs} seconds.` }] };
-      }
-      return { content: [{ type: "text", text: `Error: ${err.message}` }] };
-    }
+  const mapping = toolMap[name];
+  if (!mapping) {
+    return { content: [{ type: "text", text: `Unknown tool: ${name}` }] };
+  }
+  if (!cloudAdapter.isAllowed(mapping.rpc)) {
+    return { content: [{ type: "text", text: `Method "${mapping.rpc}" is not available` }] };
   }
 
-  // ── Local mode: existing switch/case block (unchanged) ──
-
-  // Reload database from disk so we pick up changes made by the Electron app
-  reloadFromDisk();
-
-  // Auto-resolve project_id: if a tool needs a project_id, use the active project from TaskOver
-  if (!EXEMPT_TOOLS.has(name)) {
-    const activeProject = getActiveProject();
-    if (activeProject) {
-      // Always use the active project — no guessing needed from the AI
-      args.project_id = activeProject;
-    }
+  // SECURITY: Schema validation -- strips unknown fields, checks required + types
+  const raw = args || {};
+  const { errors, cleaned } = validateSchema(raw, mapping.schema);
+  if (errors.length > 0) {
+    return { content: [{ type: "text", text: `Validation error: ${errors.join("; ")}` }] };
   }
 
   try {
-    let result;
-
-    switch (name) {
-      // Dashboard & Context
-      case "taskovergg_dashboard":
-        result = store.dashboard(args.project_id);
-        break;
-      case "taskovergg_context_export":
-        result = store.contextExport(args.project_id);
-        break;
-      case "taskovergg_search":
-        result = store.search(args.project_id, args.query);
-        break;
-
-      // Projects
-      case "taskovergg_list_projects":
-        result = store.listProjects();
-        break;
-      case "taskovergg_add_project":
-        result = {
-          error: "Projects must be created in the TaskOver desktop app — not via MCP.",
-          instructions: [
-            "1. Open the TaskOver desktop app",
-            "2. Click the project dropdown in the top-left of the sidebar",
-            "3. Click '+ New Project' at the bottom of the dropdown",
-            "4. Follow the 5-step project creation wizard (name, color/icon, systems, settings, review)",
-            "5. Once the project appears in the list, come back and tell me the project name",
-            "6. I'll then use taskovergg_list_projects to get the project_id and start adding tasks, systems, etc."
-          ],
-          hint: "After the user creates the project, use taskovergg_list_projects to find the project_id."
-        };
-        break;
-
-      // Tasks
-      case "taskovergg_get_tasks":
-        result = store.getTasks(args.project_id, args.status, args.phase);
-        break;
-      case "taskovergg_add_task": {
-        const DEFAULT_STATUSES = new Set(["todo", "doing", "done", "scrapped"]);
-        const taskStatus = (args.status || "todo").toLowerCase();
-
-        // If the status matches a custom column, add as a card to that column instead
-        if (!DEFAULT_STATUSES.has(taskStatus) && args.project_id) {
-          const proj = store.getProject(args.project_id);
-          const customCols = proj?.customBoardCols || [];
-          const matchCol = customCols.find(cc =>
-            cc.name.toLowerCase() === taskStatus ||
-            cc.tag === taskStatus ||
-            String(cc.id) === taskStatus
-          );
-          if (matchCol) {
-            const newCard = {
-              id: Date.now(),
-              title: args.title,
-              description: args.description || "",
-              priority: args.priority || "medium",
-              tags: args.tags || [],
-              createdBy: "Assistant",
-              createdAt: new Date().toISOString(),
-            };
-            const updCols = customCols.map(cc =>
-              String(cc.id) === String(matchCol.id) ? { ...cc, cards: [...(cc.cards || []), newCard] } : cc
-            );
-            store.updateProjectField(args.project_id, "customBoardCols", updCols);
-            result = { ...newCard, column: matchCol.name };
-            break;
-          }
-        }
-
-        result = store.addTask({
-          projectId: args.project_id, title: args.title, description: args.description,
-          status: args.status, phase: args.phase, priority: args.priority,
-          tags: args.tags, checklist: args.checklist, createdBy: "Assistant",
-        });
-        break;
-      }
-      case "taskovergg_update_task":
-        if (!args.task_id) { result = { error: "task_id is required" }; break; }
-        result = store.updateTask(args.task_id, {
-          title: args.title, description: args.description, status: args.status,
-          phase: args.phase, priority: args.priority, tags: args.tags, checklist: args.checklist,
-        });
-        if (!result) { result = { error: `Task not found: ${args.task_id}` }; }
-        break;
-      case "taskovergg_move_task":
-        result = store.moveTask(args.task_id, args.status);
-        break;
-      case "taskovergg_add_task_comment":
-        result = store.addTaskComment(args.task_id, args.text);
-        break;
-
-      // Systems
-      case "taskovergg_get_systems":
-        result = store.getSystems(args.project_id);
-        break;
-      case "taskovergg_add_system":
-        result = store.addSystem({
-          projectId: args.project_id, name: args.name, description: args.description,
-          status: args.status, keyFiles: args.key_files, notes: args.notes,
-          criticalRules: args.critical_rules,
-        });
-        break;
-      case "taskovergg_update_system":
-        result = store.updateSystem(args.system_id, {
-          name: args.name, description: args.description, status: args.status,
-          keyFiles: args.key_files, notes: args.notes, criticalRules: args.critical_rules,
-        });
-        break;
-
-      // Sessions
-      case "taskovergg_get_sessions":
-        result = store.getSessions(args.project_id, args.limit);
-        break;
-      case "taskovergg_log_session":
-        result = store.logSession({
-          projectId: args.project_id, title: args.title, summary: args.summary,
-          whatWeDid: args.what_we_did, whereWeLeftOff: args.where_we_left_off,
-          nextSteps: args.next_steps, systemsWorkedOn: args.systems_worked_on,
-        });
-        break;
-
-      // Changelog
-      case "taskovergg_get_changelog":
-        result = store.getChangelog(args.project_id, args.limit);
-        break;
-      case "taskovergg_add_changelog":
-        result = store.addChangelog({
-          projectId: args.project_id, title: args.title,
-          changes: args.changes, systemsAffected: args.systems_affected,
-        });
-        break;
-
-      // Bugs
-      case "taskovergg_get_bugs":
-        result = store.getBugs(args.project_id, args.status);
-        break;
-      case "taskovergg_add_bug":
-        result = store.addBug({
-          projectId: args.project_id, systemId: args.system_id, title: args.title,
-          description: args.description, priority: args.priority,
-          stepsToReproduce: args.steps_to_reproduce,
-        });
-        break;
-      case "taskovergg_fix_bug":
-        result = store.fixBug(args.bug_id, args.fix_description);
-        break;
-
-      // Decisions
-      case "taskovergg_get_decisions":
-        result = store.getDecisions(args.project_id);
-        break;
-      case "taskovergg_log_decision":
-        result = store.logDecision({
-          projectId: args.project_id, decision: args.decision, context: args.context,
-          systemId: args.system_id, alternatives: args.alternatives,
-        });
-        break;
-
-      // Blueprints
-      case "taskovergg_get_blueprints":
-        result = store.getBlueprints(args.project_id);
-        break;
-      case "taskovergg_add_blueprint":
-        result = store.addBlueprint({
-          projectId: args.project_id, name: args.name, path: args.path,
-          parentClass: args.parent_class, systemId: args.system_id,
-          description: args.description, variables: args.variables,
-          keyFunctions: args.key_functions,
-        });
-        break;
-      case "taskovergg_update_blueprint":
-        result = store.updateBlueprint(args.blueprint_id, {
-          name: args.name, path: args.path, parentClass: args.parent_class,
-          description: args.description, variables: args.variables,
-          keyFunctions: args.key_functions,
-        });
-        break;
-
-      // Blueprint Graphs
-      case "taskovergg_get_blueprint_graphs":
-        result = store.getBlueprintGraphs(args.blueprint_id);
-        break;
-      case "taskovergg_set_blueprint_graph":
-        result = store.setBlueprintGraph(args.blueprint_id, {
-          name: args.graph_name, type: args.graph_type || "event",
-          nodes: args.nodes, connections: args.connections,
-        });
-        break;
-      case "taskovergg_add_graph_nodes":
-        result = store.addGraphNodes(args.blueprint_id, args.graph_name, {
-          nodes: args.nodes || [], connections: args.connections || [],
-        });
-        break;
-
-      // Notes
-      case "taskovergg_get_notes":
-        result = store.getNotes(args.project_id, args.parent_type, args.parent_id);
-        break;
-      case "taskovergg_add_note":
-        result = store.addNote({
-          projectId: args.project_id, parentType: args.parent_type,
-          parentId: args.parent_id, title: args.title, content: args.content,
-        });
-        break;
-
-      // Backups
-      case "taskovergg_log_backup":
-        result = store.logBackup({
-          projectId: args.project_id, title: args.title, description: args.description,
-        });
-        break;
-
-      // Levels
-      case "taskovergg_get_levels":
-        result = store.getLevels(args.project_id);
-        break;
-      case "taskovergg_add_level":
-        result = store.addLevel({
-          projectId: args.project_id, name: args.name, map: args.map,
-          actorCount: args.actor_count, status: args.status,
-        });
-        break;
-      case "taskovergg_update_level":
-        result = store.updateLevel(args.level_id, {
-          name: args.name, map: args.map, actorCount: args.actor_count, status: args.status,
-        });
-        break;
-      case "taskovergg_add_actor":
-        result = store.addActor(args.level_id, {
-          name: args.name, x: args.x, y: args.y, z: args.z, notes: args.notes,
-        });
-        break;
-      case "taskovergg_remove_actor":
-        result = store.removeActor(args.level_id, args.actor_index);
-        break;
-
-      // Plugins
-      case "taskovergg_get_plugins":
-        result = store.getPlugins(args.project_id);
-        break;
-      case "taskovergg_add_plugin":
-        result = store.addPlugin({
-          projectId: args.project_id, name: args.name, version: args.version,
-          source: args.source, dependents: args.dependents,
-        });
-        break;
-      case "taskovergg_update_plugin":
-        result = store.updatePlugin(args.plugin_id, {
-          name: args.name, version: args.version, source: args.source, dependents: args.dependents,
-        });
-        break;
-      case "taskovergg_delete_plugin":
-        result = store.deletePlugin(args.plugin_id);
-        break;
-
-      // Build Errors
-      case "taskovergg_get_build_errors":
-        result = store.getBuildErrors(args.project_id, args.status);
-        break;
-      case "taskovergg_add_build_error":
-        result = store.addBuildError({
-          projectId: args.project_id, error: args.error, bp: args.bp,
-        });
-        break;
-      case "taskovergg_fix_build_error":
-        result = store.fixBuildError(args.error_id, args.fix);
-        break;
-
-      // Optimize Items
-      case "taskovergg_get_optimize_items":
-        result = store.getOptimizeItems(args.project_id);
-        break;
-      case "taskovergg_add_optimize_item":
-        result = store.addOptimizeItem({
-          projectId: args.project_id, title: args.title, category: args.category,
-          status: args.status, savings: args.savings,
-        });
-        break;
-      case "taskovergg_update_optimize_item":
-        result = store.updateOptimizeItem(args.item_id, {
-          title: args.title, category: args.category, status: args.status, savings: args.savings,
-        });
-        break;
-
-      // Perf Budget
-      case "taskovergg_get_perf_budget":
-        result = store.getPerfBudget(args.project_id);
-        break;
-      case "taskovergg_add_perf_budget":
-        result = store.addPerfBudget({
-          projectId: args.project_id, scene: args.scene, fps: args.fps,
-          gpu: args.gpu, memory: args.memory, notes: args.notes,
-        });
-        break;
-
-      // Playtests
-      case "taskovergg_get_playtests":
-        result = store.getPlaytests(args.project_id);
-        break;
-      case "taskovergg_add_playtest":
-        result = store.addPlaytest({
-          projectId: args.project_id, duration: args.duration, issues: args.issues,
-          rating: args.rating, notes: args.notes, tester: args.tester,
-          buildVersion: args.build_version,
-        });
-        break;
-
-      // Milestones
-      case "taskovergg_get_milestones":
-        result = store.getMilestones(args.project_id);
-        break;
-      case "taskovergg_add_milestone":
-        result = store.addMilestone({
-          projectId: args.project_id, title: args.title, date: args.date,
-          status: args.status, notes: args.notes,
-        });
-        break;
-      case "taskovergg_update_milestone":
-        result = store.updateMilestone(args.milestone_id, {
-          title: args.title, date: args.date, status: args.status, notes: args.notes,
-        });
-        break;
-
-      // Iterations
-      case "taskovergg_get_iterations":
-        result = store.getIterations(args.project_id);
-        break;
-      case "taskovergg_add_iteration":
-        result = store.addIteration({
-          projectId: args.project_id, feature: args.feature, version: args.version,
-          change: args.change, reason: args.reason,
-        });
-        break;
-
-      // Dialogues
-      case "taskovergg_get_dialogues":
-        result = store.getDialogues(args.project_id);
-        break;
-      case "taskovergg_add_dialogue":
-        result = store.addDialogue({
-          projectId: args.project_id, npc: args.npc, line: args.line,
-          choices: args.choices, nextNode: args.next_node, notes: args.notes,
-        });
-        break;
-      case "taskovergg_update_dialogue":
-        result = store.updateDialogue(args.dialogue_id, {
-          npc: args.npc, line: args.line, choices: args.choices,
-          nextNode: args.next_node, notes: args.notes,
-        });
-        break;
-
-      // Sounds
-      case "taskovergg_get_sounds":
-        result = store.getSounds(args.project_id);
-        break;
-      case "taskovergg_add_sound":
-        result = store.addSound({
-          projectId: args.project_id, name: args.name, actor: args.actor,
-          trigger: args.trigger, spatial: args.spatial, attenuation: args.attenuation,
-          notes: args.notes,
-        });
-        break;
-      case "taskovergg_update_sound":
-        result = store.updateSound(args.sound_id, {
-          name: args.name, actor: args.actor, trigger: args.trigger,
-          spatial: args.spatial, attenuation: args.attenuation, notes: args.notes,
-        });
-        break;
-
-      // Controls
-      case "taskovergg_get_controls":
-        result = store.getControls(args.project_id);
-        break;
-      case "taskovergg_add_control":
-        result = store.addControl({
-          projectId: args.project_id, key: args.key, action: args.action,
-          context: args.context, condition: args.condition,
-        });
-        break;
-      case "taskovergg_update_control":
-        result = store.updateControl(args.control_id, {
-          key: args.key, action: args.action, context: args.context, condition: args.condition,
-        });
-        break;
-
-      // Assets
-      case "taskovergg_get_assets":
-        result = store.getAssets(args.project_id);
-        break;
-      case "taskovergg_add_asset":
-        result = store.addAsset({
-          projectId: args.project_id, name: args.name, type: args.type,
-          path: args.path, size: args.size, status: args.status, usedBy: args.used_by,
-        });
-        break;
-      case "taskovergg_update_asset":
-        result = store.updateAsset(args.asset_id, {
-          name: args.name, type: args.type, path: args.path,
-          size: args.size, status: args.status, usedBy: args.used_by,
-        });
-        break;
-
-      // References
-      case "taskovergg_get_refs":
-        result = store.getRefs(args.project_id);
-        break;
-      case "taskovergg_add_ref":
-        result = store.addRef({
-          projectId: args.project_id, title: args.title, type: args.type,
-          url: args.url, notes: args.notes,
-        });
-        break;
-
-      // Marketing
-      case "taskovergg_get_marketing_items":
-        result = store.getMarketingItems(args.project_id);
-        break;
-      case "taskovergg_add_marketing_item":
-        result = store.addMarketingItem({
-          projectId: args.project_id, item: args.item, category: args.category,
-          status: args.status, notes: args.notes,
-        });
-        break;
-      case "taskovergg_update_marketing_item":
-        result = store.updateMarketingItem(args.marketing_id, {
-          item: args.item, category: args.category, status: args.status, notes: args.notes,
-        });
-        break;
-
-      // Wiki
-      case "taskovergg_get_wiki_pages":
-        result = store.getWikiPages(args.project_id);
-        break;
-      case "taskovergg_add_wiki_page":
-        result = store.addWikiPage({
-          projectId: args.project_id, title: args.title, category: args.category,
-          content: args.content,
-        });
-        break;
-      case "taskovergg_update_wiki_page":
-        result = store.updateWikiPage(args.wiki_id, {
-          title: args.title, category: args.category, content: args.content,
-        });
-        break;
-
-      // Ship Readiness
-      case "taskovergg_get_ship_checked":
-        result = store.getShipChecked(args.project_id);
-        break;
-      case "taskovergg_toggle_ship_check":
-        result = store.toggleShipCheck(args.project_id, args.step_id);
-        break;
-
-      // Open Questions
-      case "taskovergg_get_open_questions":
-        result = store.getOpenQuestions(args.project_id);
-        break;
-      case "taskovergg_add_open_question":
-        result = store.addOpenQuestion({
-          projectId: args.project_id, text: args.text,
-        });
-        break;
-      case "taskovergg_toggle_question":
-        result = store.toggleQuestion(args.question_id);
-        break;
-
-      // Board Columns (Blocks)
-      case "taskovergg_add_board_column": {
-        const pid = args.project_id;
-        if (!pid) { result = { error: "No active project" }; break; }
-        const proj = store.getProject(pid);
-        if (!proj) { result = { error: `Project not found: ${pid}` }; break; }
-        const newCol = {
-          id: Date.now(),
-          name: args.name,
-          color: args.color || "#9B95A0",
-          tag: args.name.toLowerCase().replace(/[^a-z0-9]+/g, "-"),
-          cards: [],
-        };
-        const existingCols = proj.customBoardCols || [];
-        store.updateProjectField(pid, "customBoardCols", [...existingCols, newCol]);
-        result = newCol;
-        break;
-      }
-
-      // Stories (Narrative Bible)
-      case "taskovergg_get_stories":
-        result = store.getStories(args.project_id);
-        break;
-      case "taskovergg_add_story":
-        result = store.addStory({
-          projectId: args.project_id, sectionId: args.section_id,
-          section: args.section, content: args.content,
-        });
-        break;
-      case "taskovergg_update_story":
-        result = store.updateStory(args.story_id, {
-          section: args.section, content: args.content,
-        });
-        break;
-
-      // Scenes
-      case "taskovergg_get_scenes":
-        result = store.getScenes(args.project_id);
-        break;
-      case "taskovergg_add_scene":
-        result = store.addScene({
-          projectId: args.project_id, number: args.number, title: args.title,
-          location: args.location, characters: args.characters,
-          mood: args.mood, round: args.round, content: args.content,
-        });
-        break;
-      case "taskovergg_update_scene":
-        result = store.updateScene(args.scene_id, {
-          number: args.number, title: args.title, location: args.location,
-          characters: args.characters, mood: args.mood, round: args.round, content: args.content,
-        });
-        break;
-      case "taskovergg_delete_scene":
-        result = store.deleteScene(args.scene_id);
-        break;
-
-      // Story Bible (Story NEW tab)
-      case "taskovergg_get_story_bible":
-        result = store.getStoryBible(args.project_id);
-        break;
-      case "taskovergg_update_story_bible":
-        result = store.updateStoryBible(args.project_id, {
-          title: args.title, logline: args.logline, genre: args.genre,
-          tone: args.tone, script: args.script,
-        });
-        break;
-      case "taskovergg_add_story_character":
-        result = store.addStoryCharacter(args.project_id, {
-          name: args.name, role: args.role, description: args.description,
-        });
-        break;
-      case "taskovergg_update_story_character":
-        result = store.updateStoryCharacter(args.project_id, args.character_id, {
-          name: args.name, role: args.role, description: args.description,
-        });
-        break;
-      case "taskovergg_get_scene_content":
-        result = store.getSceneContent(args.scene_id);
-        break;
-      case "taskovergg_update_scene_content":
-        result = store.updateSceneContent(args.project_id, args.scene_id, {
-          title: args.title, location: args.location, mood: args.mood,
-          content: args.content, round: args.round,
-          characters: args.characters, objectives: args.objectives,
-        });
-        break;
-
-      default:
-        return { content: [{ type: "text", text: `Unknown tool: ${name}` }], isError: true };
-    }
-
-    return {
-      content: [{
-        type: "text",
-        text: typeof result === "string" ? result : JSON.stringify(result, null, 2),
-      }],
-    };
-
+    const rpcArgs = mapping.args(cleaned, raw);
+    const result = await cloudAdapter.callRpc(mapping.rpc, rpcArgs);
+    return { content: [{ type: "text", text: typeof result === "string" ? result : JSON.stringify(result, null, 2) }] };
   } catch (err) {
-    return {
-      content: [{ type: "text", text: `Error: ${err && err.message ? err.message : String(err)}` }],
-      isError: true,
-    };
+    if (err.message === "AUTH_FAILED") {
+      console.error("[ERROR] Authentication failed. Shutting down.");
+      process.exit(1);
+    }
+    if (err.message.startsWith("RATE_LIMITED:")) {
+      const secs = err.message.split(":")[1];
+      return { content: [{ type: "text", text: `Rate limited. Try again in ${secs} seconds.` }] };
+    }
+    return { content: [{ type: "text", text: `Error: ${err.message}` }] };
   }
 });
 
-// ===== START =====
-
-const MCP_TRANSPORT = (process.env.MCP_TRANSPORT || "stdio").toLowerCase();
-const MCP_PORT = parseInt(process.env.MCP_PORT || "8484", 10);
 
-async function startStdio() {
-  const transport = new StdioServerTransport();
-  await server.connect(transport);
-  console.error("TaskOver MCP server running (stdio)");
-}
-
-async function startHttp() {
-  const http = require("http");
-  const { randomUUID } = require("crypto");
-  const { StreamableHTTPServerTransport } = require("@modelcontextprotocol/sdk/server/streamableHttp.js");
-
-  const transport = new StreamableHTTPServerTransport({
-    sessionIdGenerator: () => randomUUID(),
-  });
-  await server.connect(transport);
-
-  const httpServer = http.createServer(async (req, res) => {
-    // Only bind to /mcp endpoint
-    const url = req.url.split("?")[0];
-    if (url === "/mcp") {
-      await transport.handleRequest(req, res);
-    } else if (url === "/health") {
-      res.writeHead(200, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ status: "ok", transport: "http", tools: TOOLS.length }));
-    } else {
-      res.writeHead(404);
-      res.end("Not found");
-    }
-  });
-
-  httpServer.listen(MCP_PORT, "127.0.0.1", () => {
-    console.error(`TaskOver MCP server running (http) on http://127.0.0.1:${MCP_PORT}/mcp`);
-  });
-}
+// ===== START =====
 
 async function main() {
   if (CLOUD_MODE) {
-    // Validate key before accepting connections
     const check = await cloudAdapter.validateKey();
     if (!check.valid) {
       console.error(`[ERROR] ${check.error}`);
       process.exit(1);
     }
-    console.error(`[CLOUD] Connected to api.taskover.gg as ${check.displayName}`);
+    console.error("[CLOUD] Connected to api.taskover.gg (API key mode)");
   } else {
-    await initDb();
+    try {
+      const hostType = process.env.TASKOVER_HOST_TYPE || "MCP";
+      const auth = await authFlow.authenticate(hostType);
+      cloudAdapter.initWithToken(auth.accessToken, auth.refreshToken);
+      if (auth.displayName) {
+        console.error(`[AUTH] Connected as ${auth.displayName}`);
+      } else {
+        console.error("[AUTH] Connected to api.taskover.gg");
+      }
+    } catch (err) {
+      console.error(`[ERROR] ${err.message}`);
+      console.error("[HINT] Set TASKOVER_API_KEY for headless/CI environments.");
+      process.exit(1);
+    }
   }
 
-  if (MCP_TRANSPORT === "http" || MCP_TRANSPORT === "sse") {
-    await startHttp();
-  } else {
-    await startStdio();
-  }
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+  console.error("TaskOver MCP server running (stdio)");
 }
 
 main().catch((err) => {
-  // SECURITY: Never log the API key in crash output
+  // SECURITY: Never log secrets in crash output
   const msg = err.message || String(err);
-  console.error(`[FATAL] ${msg.replace(/tok_[a-zA-Z0-9]+/g, "tok_[REDACTED]")}`);
+  const redacted = msg
+    .replace(/tok_[a-zA-Z0-9]+/g, "tok_[REDACTED]")
+    .replace(/ht_[a-zA-Z0-9]+/g, "ht_[REDACTED]");
+  console.error(`[FATAL] ${redacted}`);
   process.exit(1);
 });

package/package.json

@@ -1,16 +1,21 @@
 {
   "name": "taskover-mcp",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "MCP server for TaskOver.gg - connect your AI assistant to your game dev projects",
   "main": "index.js",
   "bin": "index.js",
-  "keywords": ["mcp", "taskover", "gamedev", "project-management", "claude"],
+  "files": ["index.js", "cloud-adapter.js", "tool-map.js", "auth-flow.js", "credential-store.js", "README.md"],
+  "keywords": ["mcp", "taskover", "gamedev", "project-management", "claude", "cursor", "windsurf"],
   "author": "TaskOver, LLC <hello@taskover.gg>",
   "license": "MIT",
   "homepage": "https://taskover.gg",
   "repository": { "type": "git", "url": "https://github.com/taskover/mcp" },
   "engines": { "node": ">=20.0.0" },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.0.0"
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "open": "^11.0.0"
+  },
+  "optionalDependencies": {
+    "keytar": "^7.9.0"
   }
 }