taskover-mcp 1.0.1 → 1.2.0

package/auth-flow.js

@@ -0,0 +1,228 @@
+const crypto = require("crypto");
+const http = require("http");
+const credentialStore = require("./credential-store.js");
+
+const API_BASE = "https://api.taskover.gg";
+const AUTH_PAGE_BASE = "https://taskover.com";
+
+function generatePKCE() {
+  const verifier = crypto.randomBytes(32).toString("base64url");
+  const challenge = crypto.createHash("sha256").update(verifier).digest("base64url");
+  return { verifier, challenge };
+}
+
+function generateState() {
+  return crypto.randomBytes(32).toString("hex");
+}
+
+async function openBrowser(url) {
+  try {
+    const { default: open } = await import("open");
+    await open(url);
+    return true;
+  } catch (_) {
+    const { exec } = require("child_process");
+    const cmd = process.platform === "win32" ? `start "" "${url}"`
+              : process.platform === "darwin" ? `open "${url}"`
+              : `xdg-open "${url}"`;
+    try { exec(cmd); return true; } catch (_e) { return false; }
+  }
+}
+
+function startCallbackServer(expectedState) {
+  return new Promise((resolve, reject) => {
+    const server = http.createServer();
+    let callbackUsed = false;
+
+    server.listen(0, "127.0.0.1", () => {
+      const port = server.address().port;
+      const redirectUri = `http://127.0.0.1:${port}/callback`;
+
+      const codePromise = new Promise((resolveCode, rejectCode) => {
+        server.on("request", (req, res) => {
+          const url = new URL(req.url, `http://127.0.0.1:${port}`);
+
+          if (url.pathname !== "/callback") {
+            res.writeHead(404).end();
+            return;
+          }
+
+          if (callbackUsed) {
+            res.writeHead(400, { "Content-Type": "text/html" });
+            res.end(htmlPage("Already processed", "This authorization has already been handled.", "#fbbf24"));
+            return;
+          }
+
+          const code = url.searchParams.get("code");
+          const returnedState = url.searchParams.get("state");
+          const error = url.searchParams.get("error");
+
+          if (!returnedState || returnedState !== expectedState) {
+            callbackUsed = true;
+            res.writeHead(400, { "Content-Type": "text/html" });
+            res.end(htmlPage("Security Error", "State parameter mismatch. This may be a CSRF attack. The authorization has been rejected.", "#ef4444"));
+            setTimeout(() => server.close(), 500);
+            rejectCode(new Error("State mismatch on callback — possible CSRF. Auth rejected."));
+            return;
+          }
+
+          callbackUsed = true;
+
+          if (error) {
+            const msg = error === "user_cancelled" ? "You cancelled the authorization." : `Auth error: ${error}`;
+            res.writeHead(200, { "Content-Type": "text/html" });
+            res.end(htmlPage("Cancelled", msg, "#fbbf24"));
+            setTimeout(() => server.close(), 500);
+            rejectCode(new Error(msg));
+            return;
+          }
+
+          if (!code) {
+            res.writeHead(400, { "Content-Type": "text/html" });
+            res.end(htmlPage("Error", "No authorization code received.", "#ef4444"));
+            setTimeout(() => server.close(), 500);
+            rejectCode(new Error("No auth code received in callback"));
+            return;
+          }
+
+          res.writeHead(200, { "Content-Type": "text/html" });
+          res.end(htmlPage("Connected!", "You can close this tab. Your AI assistant is authenticated.", "#4ade80"));
+          setTimeout(() => server.close(), 500);
+          resolveCode(code);
+        });
+
+        setTimeout(() => {
+          if (!callbackUsed) {
+            callbackUsed = true;
+            server.close();
+            rejectCode(new Error("Auth timed out (5 min). Try your request again to re-launch authorization."));
+          }
+        }, 300000);
+      });
+
+      resolve({ port, redirectUri, codePromise, server });
+    });
+
+    server.on("error", (err) => {
+      if (err.code === "EADDRINUSE" || err.code === "EACCES") {
+        reject(new Error(`Cannot bind localhost port for auth callback: ${err.message}. Is another instance running?`));
+      } else {
+        reject(err);
+      }
+    });
+  });
+}
+
+function escapeHtml(s) { return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;"); }
+
+function htmlPage(title, message, color) {
+  return `<!DOCTYPE html><html><head><meta charset="utf-8"><title>${escapeHtml(title)}</title></head>`
+    + `<body style="font-family:system-ui,sans-serif;background:#161920;color:${color};`
+    + `display:flex;align-items:center;justify-content:center;min-height:100vh;text-align:center">`
+    + `<div><h2>${escapeHtml(title)}</h2><p style="color:#afafba">${escapeHtml(message)}</p></div></body></html>`;
+}
+
+async function exchangeCodeForTokens(code, codeVerifier, state, deviceLabel) {
+  const res = await fetch(`${API_BASE}/api/mcp/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      grant_type: "authorization_code",
+      code,
+      code_verifier: codeVerifier,
+      state,
+      device_label: deviceLabel,
+    }),
+    signal: AbortSignal.timeout(15000),
+  });
+
+  if (!res.ok) {
+    const data = await res.json().catch(() => ({}));
+    throw new Error(data.error || `Token exchange failed (HTTP ${res.status})`);
+  }
+
+  return res.json();
+}
+
+async function refreshAccessToken(refreshToken) {
+  const res = await fetch(`${API_BASE}/api/mcp/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+    }),
+    signal: AbortSignal.timeout(15000),
+  });
+
+  if (!res.ok) {
+    const data = await res.json().catch(() => ({}));
+    throw new Error(data.error || `Token refresh failed (HTTP ${res.status})`);
+  }
+
+  return res.json();
+}
+
+// Full browser PKCE auth flow. Does NOT check cached credentials.
+// Called by auth-gate when no valid tokens exist.
+async function authenticateFull(hostType) {
+  console.error("[AUTH] Opening browser for login...");
+
+  const pkce = generatePKCE();
+  const state = generateState();
+
+  let callbackResult;
+  try {
+    callbackResult = await startCallbackServer(state);
+  } catch (err) {
+    console.error(`[AUTH] ${err.message}`);
+    console.error("[AUTH] Fallback: set TASKOVER_API_KEY environment variable for headless auth.");
+    throw err;
+  }
+
+  const { port, redirectUri, codePromise } = callbackResult;
+
+  const authUrl = new URL(`${AUTH_PAGE_BASE}/mcp-auth`);
+  authUrl.searchParams.set("code_challenge", pkce.challenge);
+  authUrl.searchParams.set("code_challenge_method", "S256");
+  authUrl.searchParams.set("redirect_uri", redirectUri);
+  authUrl.searchParams.set("state", state);
+  authUrl.searchParams.set("host", hostType || "MCP");
+
+  console.error("[AUTH] If your browser doesn't open, visit:");
+  console.error(`[AUTH] ${authUrl.toString()}`);
+
+  const opened = await openBrowser(authUrl.toString());
+  if (!opened) {
+    console.error("[AUTH] Could not open browser automatically. Please open the URL above.");
+  }
+
+  console.error("[AUTH] Waiting for browser authorization...");
+  let code;
+  try {
+    code = await codePromise;
+  } catch (err) {
+    console.error(`[AUTH] ${err.message}`);
+    throw err;
+  }
+
+  console.error("[AUTH] Exchanging authorization code...");
+  const tokens = await exchangeCodeForTokens(code, pkce.verifier, state, hostType);
+
+  const storageType = await credentialStore.write({
+    access_token: tokens.access_token,
+    refresh_token: tokens.refresh_token,
+    expires_at: Date.now() + (tokens.expires_in * 1000),
+    host_type: hostType,
+  });
+
+  console.error(`[AUTH] Authenticated successfully! (credentials stored in ${storageType})`);
+  return { accessToken: tokens.access_token, refreshToken: tokens.refresh_token };
+}
+
+async function logout() {
+  await credentialStore.clear();
+  console.error("[AUTH] Logged out. Credentials cleared.");
+}
+
+module.exports = { authenticateFull, refreshAccessToken, logout };

package/auth-gate.js

@@ -0,0 +1,253 @@
+// mcp-server/auth-gate.js
+// Singleton just-in-time auth coordinator.
+// All tool calls that need auth go through ensureAuth().
+// Guarantees: single browser popup, request hold+resume, bounded timeout.
+//
+// WRITE SAFETY GUARANTEE:
+// The JIT auth flow guarantees at-most-once execution for mutating requests:
+// 1. ensureAuth() blocks until auth succeeds — the write has not been attempted yet.
+// 2. After auth, callRpc() executes the write exactly once.
+// 3. On 401 during an RPC call, the server rejected the request (nothing was written).
+//    handleAuthFailure() re-authenticates, then callRpc() retries — this is the first real execution.
+// 4. No write is ever sent to the server more than once for a single tool invocation.
+// 5. Network-level failures (timeout, connection reset) are NOT retried — they surface
+//    as errors to the user. This ensures at-most-once even for partial server processing.
+
+const credentialStore = require("./credential-store.js");
+
+const COOLDOWN_MS = 10000; // 10s min gap between auth attempts after failure
+const MAX_REAUTH_ATTEMPTS = 2; // max consecutive re-auth attempts before giving up
+const BOOT_GRACE_MS = 8000; // 8s after boot — suppress browser auth from auto-discovery calls
+
+// Structured lifecycle logging — concise, non-sensitive, never prints tokens or user data.
+function _log(event, detail) {
+  console.error(`[AUTH] ${event}${detail ? " — " + detail : ""}`);
+}
+
+// States
+const IDLE = "IDLE";
+const AUTHENTICATED = "AUTHENTICATED";
+const AUTH_IN_PROGRESS = "AUTH_IN_PROGRESS";
+const FAILED = "FAILED";
+
+let _state = IDLE;
+let _accessToken = null;
+let _refreshToken = null;
+let _pendingAuthPromise = null; // dedup guard for concurrent ensureAuth() calls
+let _pendingRefreshPromise = null; // dedup guard for concurrent 401 handling
+let _lastFailureTime = 0;
+let _reAuthAttempts = 0;
+let _bootTime = Date.now(); // tracks server start for boot grace period
+let _authFlow = null; // lazy-loaded to avoid circular deps
+let _cloudAdapter = null;
+
+function _getAuthFlow() {
+  if (!_authFlow) _authFlow = require("./auth-flow.js");
+  return _authFlow;
+}
+
+function _getCloudAdapter() {
+  if (!_cloudAdapter) _cloudAdapter = require("./cloud-adapter.js");
+  return _cloudAdapter;
+}
+
+// Called at boot to try loading cached credentials without browser.
+// Does NOT launch browser auth if missing — just loads what's there.
+// NOTE: Does NOT validate token against the server (unlike old authenticate()).
+// If the token was revoked server-side, the first tool call will get 401
+// and handleAuthFailure() will handle it gracefully.
+async function tryLoadCachedTokens() {
+  try {
+    const cached = await credentialStore.read();
+    if (cached && cached.access_token && cached.refresh_token) {
+      // Check if access token is still valid (with 30s margin)
+      if (cached.expires_at && Date.now() < cached.expires_at - 30000) {
+        _accessToken = cached.access_token;
+        _refreshToken = cached.refresh_token;
+        _state = AUTHENTICATED;
+        _getCloudAdapter().setTokens(_accessToken, _refreshToken);
+        _log("cached_auth_loaded");
+        return true;
+      }
+      // Try refresh silently
+      try {
+        const authFlow = _getAuthFlow();
+        const tokens = await authFlow.refreshAccessToken(cached.refresh_token);
+        await credentialStore.write({
+          access_token: tokens.access_token,
+          refresh_token: tokens.refresh_token,
+          expires_at: Date.now() + (tokens.expires_in * 1000),
+          host_type: cached.host_type,
+        });
+        _accessToken = tokens.access_token;
+        _refreshToken = tokens.refresh_token;
+        _state = AUTHENTICATED;
+        _getCloudAdapter().setTokens(_accessToken, _refreshToken);
+        _log("token_refresh_success", "silent startup refresh");
+        return true;
+      } catch (_) {
+        // Refresh failed — credentials are stale, clear them.
+        // Do NOT launch browser. Just go to IDLE.
+        await credentialStore.clear();
+        _log("token_refresh_failed", "cached credentials expired, will authenticate on first tool use");
+        return false;
+      }
+    }
+    return false;
+  } catch (err) {
+    // If credential store or cloud adapter fails to load, boot unauthenticated
+    _log("cached_auth_error", err.message);
+    return false;
+  }
+}
+
+// The main gate. Every protected tool call awaits this.
+// Returns { accessToken, refreshToken } or throws.
+// When auth is in progress, all concurrent callers share the same pending promise
+// so only ONE browser popup ever opens and all held requests resume together.
+//
+// callerMethod: optional RPC method name for logging which tool triggered auth.
+async function ensureAuth(callerMethod) {
+  // Fast path: already authenticated
+  if (_state === AUTHENTICATED && _accessToken) {
+    return { accessToken: _accessToken, refreshToken: _refreshToken };
+  }
+
+  // Dedup: if auth is already in progress, all callers share the same promise
+  if (_state === AUTH_IN_PROGRESS && _pendingAuthPromise) {
+    _log("ensureAuth_dedup", `method=${callerMethod || "unknown"}, sharing pending auth`);
+    return _pendingAuthPromise;
+  }
+
+  // Boot grace period: suppress browser popups from MCP host auto-discovery calls
+  // (e.g. Claude calling taskovergg_dashboard immediately on connect).
+  // During the grace window, return a passive error instead of opening the browser.
+  // After the grace period, real user-initiated calls trigger auth normally.
+  if (_state === IDLE) {
+    const sinceBoot = Date.now() - _bootTime;
+    if (sinceBoot < BOOT_GRACE_MS) {
+      _log("boot_grace_suppressed", `method=${callerMethod || "unknown"}, ${Math.ceil((BOOT_GRACE_MS - sinceBoot) / 1000)}s remaining`);
+      throw new Error("AUTH_NOT_READY:TaskOver is not connected yet. Use any TaskOver tool to start authorization.");
+    }
+  }
+
+  // Cooldown after failure to prevent popup loops
+  if (_state === FAILED) {
+    const elapsed = Date.now() - _lastFailureTime;
+    if (elapsed < COOLDOWN_MS) {
+      _log("reauth_cooldown_active", `${Math.ceil((COOLDOWN_MS - elapsed) / 1000)}s remaining`);
+      throw new Error("AUTH_FAILED_RETRY:Authorization was recently declined or timed out. Please try again in a moment.");
+    }
+  }
+
+  // Launch browser auth — transitions to AUTH_IN_PROGRESS
+  _log("ensureAuth_trigger", `method=${callerMethod || "unknown"}`);
+  _state = AUTH_IN_PROGRESS;
+  _pendingAuthPromise = _doJitAuth();
+
+  try {
+    const result = await _pendingAuthPromise;
+    return result;
+  } finally {
+    _pendingAuthPromise = null;
+  }
+}
+
+async function _doJitAuth() {
+  const hostType = process.env.TASKOVER_HOST_TYPE || "MCP";
+
+  try {
+    _log("jit_auth_start", `host=${hostType}`);
+    const authFlow = _getAuthFlow();
+    const auth = await authFlow.authenticateFull(hostType);
+
+    _accessToken = auth.accessToken;
+    _refreshToken = auth.refreshToken;
+    _state = AUTHENTICATED;
+    _lastFailureTime = 0;
+    _reAuthAttempts = 0;
+    _getCloudAdapter().setTokens(_accessToken, _refreshToken);
+
+    _log("jit_auth_success");
+    return { accessToken: _accessToken, refreshToken: _refreshToken };
+  } catch (err) {
+    _state = FAILED;
+    _lastFailureTime = Date.now();
+    _log("jit_auth_failed", err.message);
+    throw new Error(`AUTH_FAILED_RETRY:${err.message}`);
+  }
+}
+
+// Called by cloud-adapter when a 401 is received during an RPC call.
+// Tries refresh first, falls back to full browser re-auth.
+// DEDUP: If another caller already refreshed successfully (state is AUTHENTICATED),
+// return current tokens. If a refresh is already in progress, share the pending promise.
+async function handleAuthFailure() {
+  // Dedup: if another concurrent 401 handler already refreshed, use those tokens
+  if (_state === AUTHENTICATED && _accessToken) {
+    return { accessToken: _accessToken, refreshToken: _refreshToken };
+  }
+
+  // Dedup: if refresh is already in progress, share the pending promise
+  if (_pendingRefreshPromise) {
+    return _pendingRefreshPromise;
+  }
+
+  // Max-retry guard to prevent infinite re-auth loops
+  _reAuthAttempts++;
+  if (_reAuthAttempts > MAX_REAUTH_ATTEMPTS) {
+    _log("reauth_max_attempts", `limit=${MAX_REAUTH_ATTEMPTS}`);
+    _reAuthAttempts = 0;
+    throw new Error("AUTH_FAILED_RETRY:Too many re-authentication attempts. Please try again later.");
+  }
+
+  _pendingRefreshPromise = _doHandleAuthFailure();
+  try {
+    return await _pendingRefreshPromise;
+  } finally {
+    _pendingRefreshPromise = null;
+  }
+}
+
+async function _doHandleAuthFailure() {
+  // Try refresh first
+  if (_refreshToken) {
+    try {
+      _log("token_refresh_start");
+      const authFlow = _getAuthFlow();
+      const tokens = await authFlow.refreshAccessToken(_refreshToken);
+      await credentialStore.write({
+        access_token: tokens.access_token,
+        refresh_token: tokens.refresh_token,
+        expires_at: Date.now() + (tokens.expires_in * 1000),
+      });
+      _accessToken = tokens.access_token;
+      _refreshToken = tokens.refresh_token;
+      _state = AUTHENTICATED;
+      _reAuthAttempts = 0;
+      _getCloudAdapter().setTokens(_accessToken, _refreshToken);
+      _log("token_refresh_success");
+      return { accessToken: _accessToken, refreshToken: _refreshToken };
+    } catch (_) {
+      _log("token_refresh_failed", "clearing credentials, will re-authenticate");
+      await credentialStore.clear();
+    }
+  }
+
+  // Refresh failed — need full re-auth
+  _state = IDLE;
+  _accessToken = null;
+  _refreshToken = null;
+  return ensureAuth();
+}
+
+function isAuthenticated() {
+  return _state === AUTHENTICATED && !!_accessToken;
+}
+
+module.exports = {
+  tryLoadCachedTokens,
+  ensureAuth,
+  handleAuthFailure,
+  isAuthenticated,
+};

package/cloud-adapter.js

@@ -44,6 +44,14 @@ const MCP_ALLOWED_READS = new Set([
   "getStories", "getScenes", "getSceneContent", "getStoryBible",
   "search",
   "dashboard", "contextExport",
+  // Blueprint Intelligence reads
+  "getDiscoveredBpDetail", "getSyncDebugInfo",
+  "computeBlueprintComplexity", "computeBlueprintHealth",
+  "getBlueprintTimeline", "generateBlueprintSummary",
+  "computeBlueprintReview", "computeProjectBlueprintReview",
+  "getBlueprintStandards", "getBlueprintViolations",
+  "buildBlueprintDependencyGraph", "computeImpactAnalysis",
+  "getBlueprintUsageMap", "getBlueprintIntelligenceDashboard",
 ]);
 
 // REVISED per M0 matrix (52 write methods). Removed: updateBug (no MCP tool),
@@ -80,6 +88,9 @@ const MCP_ALLOWED_WRITES = new Set([
   "addScene", "updateScene",
   "updateStoryBible",
   "addStoryCharacter",
+  // Blueprint Intelligence writes
+  "syncDiscoveredBps", "createBlueprintSnapshot",
+  "toggleBlueprintStandard", "evaluateBlueprintStandards", "resolveBlueprintViolation",
 ]);
 
 // SECURITY: Methods that are NEVER allowed through MCP, regardless of future changes.
@@ -102,10 +113,24 @@ const MCP_ALLOWED_METHODS = new Set([...MCP_ALLOWED_READS, ...MCP_ALLOWED_WRITES
 
 let _apiKey = null;
 
+// Token-based auth state (browser auth — set via setTokens, managed by auth-gate)
+let _accessToken = null;
+let _refreshToken = null;
+
 function init(apiKey) {
   _apiKey = apiKey;
 }
 
+// Called by auth-gate after successful auth or refresh. Can be called multiple times.
+function setTokens(accessToken, refreshToken) {
+  _accessToken = accessToken;
+  _refreshToken = refreshToken;
+}
+
+function isInitialized() {
+  return !!(_apiKey || _accessToken);
+}
+
 function isAllowed(method) {
   return MCP_ALLOWED_METHODS.has(method);
 }
@@ -114,8 +139,8 @@ function isWrite(method) {
   return MCP_ALLOWED_WRITES.has(method);
 }
 
-async function callRpc(method, args) {
-  if (!_apiKey) throw new Error("Cloud adapter not initialized -- no API key");
+async function _doRpcCall(method, args, token) {
+  if (!token) throw new Error("Cloud adapter not initialized — no token");
   if (!isAllowed(method)) throw new Error(`Method "${method}" is not allowed through MCP`);
 
   const body = JSON.stringify({ method, args: args || [] });
@@ -131,7 +156,7 @@ async function callRpc(method, args) {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
-        "Authorization": `Bearer ${_apiKey}`,
+        "Authorization": `Bearer ${token}`,
       },
       body,
       signal: controller.signal,
@@ -139,16 +164,22 @@ async function callRpc(method, args) {
 
     clearTimeout(timer);
 
-    if (res.status === 401) {
-      throw new Error("AUTH_FAILED");
-    }
+    if (res.status === 401) throw new Error("AUTH_FAILED");
     if (res.status === 429) {
       const retryAfter = res.headers.get("retry-after") || "60";
       throw new Error(`RATE_LIMITED:${retryAfter}`);
     }
     if (!res.ok) {
-      const errBody = await res.text().catch(() => "");
-      throw new Error(`Cloud API error ${res.status}: ${errBody.slice(0, 200)}`);
+      // Privacy: extract machine-readable code only — raw error body may echo customer content.
+      let errDetail = "";
+      try {
+        const errJson = await res.json();
+        // Data Control denials have a server-generated message safe to surface (no customer content)
+        if (errJson.code && errJson.code.startsWith("DATA_CONTROL_") && errJson.message) throw new Error(errJson.message);
+        if (errJson.code) errDetail = ` code=${errJson.code}`;
+        else if (typeof errJson.error === "string" && errJson.error.length <= 60) errDetail = ` msg=${errJson.error}`;
+      } catch (e) { if (e.message && !e.message.startsWith("Cloud API")) throw e; await res.text().catch(() => ""); /* drain body */ }
+      throw new Error(`Cloud API error ${res.status}${errDetail}`);
     }
 
     // SECURITY: Enforce response size limit using byte-accurate check.
@@ -170,12 +201,35 @@ async function callRpc(method, args) {
   }
 }
 
+async function callRpc(method, args) {
+  // In API-key mode, just use the key directly — no auth gate involvement
+  if (_apiKey) {
+    return _doRpcCall(method, args, _apiKey);
+  }
+
+  // Browser-auth mode: ensure we have tokens via auth gate.
+  // Use the returned token directly (not the module-level _accessToken)
+  // to avoid stale-read issues if setTokens hasn't been called yet.
+  const authGate = require("./auth-gate.js");
+  const { accessToken } = await authGate.ensureAuth(method);
+  if (!accessToken) throw new Error("AUTH_FAILED_RETRY:No access token available");
+
+  try {
+    return await _doRpcCall(method, args, accessToken);
+  } catch (err) {
+    if (err.message === "AUTH_FAILED") {
+      // Token expired/revoked mid-session — let auth gate handle refresh or re-auth
+      const refreshed = await authGate.handleAuthFailure();
+      if (!refreshed.accessToken) throw new Error("AUTH_FAILED_RETRY:Re-authentication failed");
+      return await _doRpcCall(method, args, refreshed.accessToken);
+    }
+    throw err;
+  }
+}
+
 async function validateKey() {
-  // SECURITY: Validate auth via dedicated lightweight endpoint.
-  // /api/auth/validate confirms the key is valid and returns userId + displayName.
-  // Does NOT load business data (unlike listProjects which fetches all projects).
-  // /api/health is unauthenticated and must NEVER be used for key validation.
-  if (!_apiKey) return { valid: false, error: "No API key configured" };
+  const token = _accessToken || _apiKey;
+  if (!token) return { valid: false, error: "No token or API key configured" };
 
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
@@ -183,39 +237,32 @@ async function validateKey() {
   try {
     const res = await fetch(`${API_BASE}/api/auth/validate`, {
       method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "Authorization": `Bearer ${_apiKey}`,
-      },
+      headers: { "Authorization": `Bearer ${token}` },
       signal: controller.signal,
     });
 
     clearTimeout(timer);
 
-    if (res.status === 401) {
-      return { valid: false, error: "API key is invalid or expired. Generate a new key at taskover.gg -> Settings -> Security." };
-    }
-    if (!res.ok) {
-      return { valid: false, error: `Unexpected response from api.taskover.gg (HTTP ${res.status})` };
-    }
+    if (res.status === 401) return { valid: false, error: "Token/key invalid or expired." };
+    if (!res.ok) return { valid: false, error: `Unexpected response (HTTP ${res.status})` };
 
     const data = await res.json();
     return { valid: true, displayName: data.displayName || "user" };
   } catch (err) {
     clearTimeout(timer);
-    if (err.name === "AbortError") {
-      return { valid: false, error: "Cannot reach api.taskover.gg (timeout). Check your internet connection." };
-    }
+    if (err.name === "AbortError") return { valid: false, error: "Cannot reach api.taskover.gg (timeout)" };
     return { valid: false, error: `Cannot reach api.taskover.gg: ${err.message}` };
   }
 }
 
 module.exports = {
   init,
+  setTokens,
   isAllowed,
   isWrite,
   callRpc,
   validateKey,
+  isInitialized,
   MCP_ALLOWED_METHODS,
   MCP_ALLOWED_READS,
   MCP_ALLOWED_WRITES,