taskover-mcp 1.0.1 → 1.2.0

package/migrate-json-to-sqlite.js

@@ -0,0 +1,256 @@
+#!/usr/bin/env node
+/**
+ * One-time migration: imports data/tracker.json into data/taskover.db
+ * Run: node mcp-server/migrate-json-to-sqlite.js
+ */
+
+const fs = require("fs");
+const path = require("path");
+const { initDb, getDb, closeDb, saveToDisk } = require("./db");
+
+const JSON_FILE = path.join(__dirname, "..", "data", "tracker.json");
+
+async function migrate() {
+  if (!fs.existsSync(JSON_FILE)) {
+    console.log("No tracker.json found — nothing to migrate.");
+    return;
+  }
+
+  const raw = fs.readFileSync(JSON_FILE, "utf-8");
+  const data = JSON.parse(raw);
+  await initDb();
+  const db = getDb();
+
+  const now = new Date().toISOString();
+  const today = now.split("T")[0];
+
+  let counts = {};
+
+  // Projects
+  for (const p of data.projects || []) {
+    const d = { ...p }; delete d.id;
+    db.prepare("INSERT OR REPLACE INTO projects (id, data, created_at, last_updated) VALUES (?, ?, ?, ?)")
+      .run(p.id, JSON.stringify(d), p.createdAt || now, p.lastUpdated || now);
+  }
+  counts.projects = (data.projects || []).length;
+
+  // Tasks
+  for (const t of data.tasks || []) {
+    const d = { ...t }; delete d.id; delete d.projectId; delete d.status;
+    db.prepare("INSERT OR REPLACE INTO tasks (id, project_id, status, data, created_at, last_updated) VALUES (?, ?, ?, ?, ?, ?)")
+      .run(t.id, t.projectId, t.status || "todo", JSON.stringify(d), t.createdAt || now, t.lastUpdated || now);
+  }
+  counts.tasks = (data.tasks || []).length;
+
+  // Systems
+  for (const s of data.systems || []) {
+    const d = { ...s }; delete d.id; delete d.projectId;
+    db.prepare("INSERT OR REPLACE INTO systems (id, project_id, data, created_at, last_updated) VALUES (?, ?, ?, ?, ?)")
+      .run(s.id, s.projectId, JSON.stringify(d), s.createdAt || now, s.lastUpdated || today);
+  }
+  counts.systems = (data.systems || []).length;
+
+  // Sessions
+  for (const s of data.sessions || []) {
+    const d = { ...s }; delete d.id; delete d.projectId; delete d.date;
+    db.prepare("INSERT OR REPLACE INTO sessions (id, project_id, date, data, created_at) VALUES (?, ?, ?, ?, ?)")
+      .run(s.id, s.projectId, s.date || today, JSON.stringify(d), s.timestamp || now);
+  }
+  counts.sessions = (data.sessions || []).length;
+
+  // Changelog
+  for (const c of data.changelog || []) {
+    const d = { ...c }; delete d.id; delete d.projectId; delete d.date;
+    db.prepare("INSERT OR REPLACE INTO changelog (id, project_id, date, data, created_at) VALUES (?, ?, ?, ?, ?)")
+      .run(c.id, c.projectId, c.date || today, JSON.stringify(d), c.timestamp || now);
+  }
+  counts.changelog = (data.changelog || []).length;
+
+  // Bugs
+  for (const b of data.bugs || []) {
+    const d = { ...b }; delete d.id; delete d.projectId; delete d.status;
+    db.prepare("INSERT OR REPLACE INTO bugs (id, project_id, status, data, created_at) VALUES (?, ?, ?, ?, ?)")
+      .run(b.id, b.projectId, b.status || "open", JSON.stringify(d), b.createdAt || now);
+  }
+  counts.bugs = (data.bugs || []).length;
+
+  // Decisions
+  for (const dd of data.decisions || []) {
+    const d = { ...dd }; delete d.id; delete d.projectId; delete d.date;
+    db.prepare("INSERT OR REPLACE INTO decisions (id, project_id, date, data, created_at) VALUES (?, ?, ?, ?, ?)")
+      .run(dd.id, dd.projectId, dd.date || today, JSON.stringify(d), dd.timestamp || now);
+  }
+  counts.decisions = (data.decisions || []).length;
+
+  // Blueprints
+  for (const bp of data.blueprints || []) {
+    const d = { ...bp }; delete d.id; delete d.projectId;
+    db.prepare("INSERT OR REPLACE INTO blueprints (id, project_id, data, last_updated) VALUES (?, ?, ?, ?)")
+      .run(bp.id, bp.projectId, JSON.stringify(d), bp.lastUpdated || today);
+  }
+  counts.blueprints = (data.blueprints || []).length;
+
+  // Notes
+  for (const n of data.notes || []) {
+    const d = { ...n }; delete d.id; delete d.projectId; delete d.parentType; delete d.parentId;
+    db.prepare("INSERT OR REPLACE INTO notes (id, project_id, parent_type, parent_id, data, created_at) VALUES (?, ?, ?, ?, ?, ?)")
+      .run(n.id, n.projectId, n.parentType || "project", n.parentId || n.projectId, JSON.stringify(d), n.createdAt || now);
+  }
+  counts.notes = (data.notes || []).length;
+
+  // Backups
+  for (const b of data.backups || []) {
+    const d = { ...b }; delete d.id; delete d.projectId; delete d.date;
+    db.prepare("INSERT OR REPLACE INTO backups_log (id, project_id, date, data, created_at) VALUES (?, ?, ?, ?, ?)")
+      .run(b.id, b.projectId, b.date || today, JSON.stringify(d), b.timestamp || now);
+  }
+  counts.backups = (data.backups || []).length;
+
+  // Levels
+  for (const l of data.levels || []) {
+    const d = { ...l }; delete d.id; delete d.projectId;
+    db.prepare("INSERT OR REPLACE INTO levels (id, project_id, data, created_at, last_updated) VALUES (?, ?, ?, ?, ?)")
+      .run(l.id, l.projectId, JSON.stringify(d), l.createdAt || now, l.lastUpdated || now);
+  }
+  counts.levels = (data.levels || []).length;
+
+  // Plugins
+  for (const pl of data.plugins || []) {
+    const d = { ...pl }; delete d.id; delete d.projectId;
+    db.prepare("INSERT OR REPLACE INTO plugins (id, project_id, data, created_at, last_updated) VALUES (?, ?, ?, ?, ?)")
+      .run(pl.id, pl.projectId, JSON.stringify(d), pl.createdAt || now, pl.lastUpdated || now);
+  }
+  counts.plugins = (data.plugins || []).length;
+
+  // Build Errors
+  for (const e of data.buildErrors || []) {
+    const d = { ...e }; delete d.id; delete d.projectId; delete d.status;
+    db.prepare("INSERT OR REPLACE INTO build_errors (id, project_id, status, data, created_at) VALUES (?, ?, ?, ?, ?)")
+      .run(e.id, e.projectId, e.status || "open", JSON.stringify(d), e.createdAt || now);
+  }
+  counts.buildErrors = (data.buildErrors || []).length;
+
+  // Optimize Items
+  for (const o of data.optimizeItems || []) {
+    const d = { ...o }; delete d.id; delete d.projectId; delete d.status;
+    db.prepare("INSERT OR REPLACE INTO optimize_items (id, project_id, status, data, created_at) VALUES (?, ?, ?, ?, ?)")
+      .run(o.id, o.projectId, o.status || "open", JSON.stringify(d), o.createdAt || now);
+  }
+  counts.optimizeItems = (data.optimizeItems || []).length;
+
+  // Perf Budget
+  for (const pb of data.perfBudget || []) {
+    const d = { ...pb }; delete d.id; delete d.projectId;
+    db.prepare("INSERT OR REPLACE INTO perf_budget (id, project_id, data, created_at) VALUES (?, ?, ?, ?)")
+      .run(pb.id, pb.projectId, JSON.stringify(d), pb.createdAt || now);
+  }
+  counts.perfBudget = (data.perfBudget || []).length;
+
+  // Playtests
+  for (const pt of data.playtests || []) {
+    const d = { ...pt }; delete d.id; delete d.projectId; delete d.date;
+    db.prepare("INSERT OR REPLACE INTO playtests (id, project_id, date, data, created_at) VALUES (?, ?, ?, ?, ?)")
+      .run(pt.id, pt.projectId, pt.date || today, JSON.stringify(d), pt.createdAt || now);
+  }
+  counts.playtests = (data.playtests || []).length;
+
+  // Milestones
+  for (const m of data.milestones || []) {
+    const d = { ...m }; delete d.id; delete d.projectId; delete d.status;
+    db.prepare("INSERT OR REPLACE INTO milestones (id, project_id, status, data, created_at) VALUES (?, ?, ?, ?, ?)")
+      .run(m.id, m.projectId, m.status || "upcoming", JSON.stringify(d), m.createdAt || now);
+  }
+  counts.milestones = (data.milestones || []).length;
+
+  // Iterations
+  for (const it of data.iterations || []) {
+    const d = { ...it }; delete d.id; delete d.projectId;
+    db.prepare("INSERT OR REPLACE INTO iterations (id, project_id, data, created_at) VALUES (?, ?, ?, ?)")
+      .run(it.id, it.projectId, JSON.stringify(d), it.createdAt || now);
+  }
+  counts.iterations = (data.iterations || []).length;
+
+  // Dialogues
+  for (const dl of data.dialogues || []) {
+    const d = { ...dl }; delete d.id; delete d.projectId;
+    db.prepare("INSERT OR REPLACE INTO dialogues (id, project_id, data, created_at) VALUES (?, ?, ?, ?)")
+      .run(dl.id, dl.projectId, JSON.stringify(d), dl.createdAt || now);
+  }
+  counts.dialogues = (data.dialogues || []).length;
+
+  // Sounds
+  for (const s of data.sounds || []) {
+    const d = { ...s }; delete d.id; delete d.projectId;
+    db.prepare("INSERT OR REPLACE INTO sounds (id, project_id, data, created_at) VALUES (?, ?, ?, ?)")
+      .run(s.id, s.projectId, JSON.stringify(d), s.createdAt || now);
+  }
+  counts.sounds = (data.sounds || []).length;
+
+  // Controls
+  for (const c of data.controls || []) {
+    const d = { ...c }; delete d.id; delete d.projectId;
+    db.prepare("INSERT OR REPLACE INTO controls (id, project_id, data, created_at) VALUES (?, ?, ?, ?)")
+      .run(c.id, c.projectId, JSON.stringify(d), c.createdAt || now);
+  }
+  counts.controls = (data.controls || []).length;
+
+  // Assets
+  for (const a of data.assets || []) {
+    const d = { ...a }; delete d.id; delete d.projectId; delete d.status;
+    db.prepare("INSERT OR REPLACE INTO assets (id, project_id, status, data, created_at, last_updated) VALUES (?, ?, ?, ?, ?, ?)")
+      .run(a.id, a.projectId, a.status || "concept", JSON.stringify(d), a.createdAt || now, a.lastUpdated || now);
+  }
+  counts.assets = (data.assets || []).length;
+
+  // Refs
+  for (const r of data.refs || []) {
+    const d = { ...r }; delete d.id; delete d.projectId;
+    db.prepare("INSERT OR REPLACE INTO refs (id, project_id, data, created_at) VALUES (?, ?, ?, ?)")
+      .run(r.id, r.projectId, JSON.stringify(d), r.createdAt || now);
+  }
+  counts.refs = (data.refs || []).length;
+
+  // Marketing Items
+  for (const m of data.marketingItems || []) {
+    const d = { ...m }; delete d.id; delete d.projectId; delete d.status;
+    db.prepare("INSERT OR REPLACE INTO marketing_items (id, project_id, status, data, created_at) VALUES (?, ?, ?, ?, ?)")
+      .run(m.id, m.projectId, m.status || "todo", JSON.stringify(d), m.createdAt || now);
+  }
+  counts.marketingItems = (data.marketingItems || []).length;
+
+  // Wiki Pages
+  for (const w of data.wikiPages || []) {
+    const d = { ...w }; delete d.id; delete d.projectId;
+    db.prepare("INSERT OR REPLACE INTO wiki_pages (id, project_id, data, created_at, last_updated) VALUES (?, ?, ?, ?, ?)")
+      .run(w.id, w.projectId, JSON.stringify(d), w.createdAt || now, w.lastUpdated || now);
+  }
+  counts.wikiPages = (data.wikiPages || []).length;
+
+  // Ship Checked
+  for (const s of data.shipChecked || []) {
+    db.prepare("INSERT OR REPLACE INTO ship_checked (project_id, step_id) VALUES (?, ?)")
+      .run(s.projectId, s.stepId);
+  }
+  counts.shipChecked = (data.shipChecked || []).length;
+
+  // Open Questions
+  for (const q of data.openQuestions || []) {
+    const d = { ...q }; delete d.id; delete d.projectId; delete d.resolved;
+    db.prepare("INSERT OR REPLACE INTO open_questions (id, project_id, resolved, data, created_at) VALUES (?, ?, ?, ?, ?)")
+      .run(q.id, q.projectId, q.resolved ? 1 : 0, JSON.stringify(d), q.createdAt || now);
+  }
+  counts.openQuestions = (data.openQuestions || []).length;
+
+  saveToDisk();
+  closeDb();
+
+  console.log("\nMigration complete!");
+  console.log("Records imported:");
+  for (const [k, v] of Object.entries(counts)) {
+    if (v > 0) console.log(`  ${k}: ${v}`);
+  }
+  console.log(`\nDatabase: data/taskover.db`);
+  console.log(`Original JSON preserved at: data/tracker.json`);
+}
+
+migrate().catch(e => { console.error("Migration failed:", e); process.exit(1); });

package/package.json

@@ -1,16 +1,29 @@
-{
-  "name": "taskover-mcp",
-  "version": "1.0.1",
-  "description": "MCP server for TaskOver.gg - connect your AI assistant to your game dev projects",
-  "main": "index.js",
-  "bin": "index.js",
-  "keywords": ["mcp", "taskover", "gamedev", "project-management", "claude"],
-  "author": "TaskOver, LLC <hello@taskover.gg>",
-  "license": "MIT",
-  "homepage": "https://taskover.gg",
-  "repository": { "type": "git", "url": "https://github.com/taskover/mcp" },
-  "engines": { "node": ">=20.0.0" },
-  "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.0.0"
-  }
-}
+{
+  "name": "taskover-mcp",
+  "version": "1.2.0",
+  "description": "MCP server for TaskOver game dev project management",
+  "main": "index.js",
+  "bin": {
+    "taskover": "./index.js"
+  },
+  "dependencies": {
+    "@aws-sdk/client-s3": "^3.700.0",
+    "@aws-sdk/s3-request-presigner": "^3.700.0",
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "@sentry/node": "^8.40.0",
+    "file-type": "^16.5.4",
+    "keytar": "^7.9.0",
+    "open": "^11.0.0",
+    "otpauth": "^9.5.0",
+    "pdfkit": "^0.15.2",
+    "qrcode": "^1.5.4",
+    "sharp": "^0.34.5",
+    "sql.js": "^1.14.0",
+    "stripe": "^17.4.0",
+    "ws": "^8.19.0"
+  },
+  "optionalDependencies": {
+    "@node-rs/argon2": "^2.0.2",
+    "better-sqlite3": "^11.10.0"
+  }
+}

package/publish/auth-flow.js

@@ -0,0 +1,275 @@
+const crypto = require("crypto");
+const http = require("http");
+const credentialStore = require("./credential-store.js");
+
+const API_BASE = "https://api.taskover.gg";
+const AUTH_PAGE_BASE = "https://taskover.gg";
+
+function generatePKCE() {
+  const verifier = crypto.randomBytes(32).toString("base64url");
+  const challenge = crypto.createHash("sha256").update(verifier).digest("base64url");
+  return { verifier, challenge };
+}
+
+function generateState() {
+  return crypto.randomBytes(32).toString("hex");
+}
+
+async function openBrowser(url) {
+  try {
+    const { default: open } = await import("open");
+    await open(url);
+    return true;
+  } catch (_) {
+    const { exec } = require("child_process");
+    const cmd = process.platform === "win32" ? `start "" "${url}"`
+              : process.platform === "darwin" ? `open "${url}"`
+              : `xdg-open "${url}"`;
+    try { exec(cmd); return true; } catch (_e) { return false; }
+  }
+}
+
+function startCallbackServer(expectedState) {
+  return new Promise((resolve, reject) => {
+    const server = http.createServer();
+    let callbackUsed = false;
+
+    server.listen(0, "127.0.0.1", () => {
+      const port = server.address().port;
+      const redirectUri = `http://127.0.0.1:${port}/callback`;
+
+      const codePromise = new Promise((resolveCode, rejectCode) => {
+        server.on("request", (req, res) => {
+          const url = new URL(req.url, `http://127.0.0.1:${port}`);
+
+          if (url.pathname !== "/callback") {
+            res.writeHead(404).end();
+            return;
+          }
+
+          if (callbackUsed) {
+            res.writeHead(400, { "Content-Type": "text/html" });
+            res.end(htmlPage("Already processed", "This authorization has already been handled.", "#fbbf24"));
+            return;
+          }
+
+          const code = url.searchParams.get("code");
+          const returnedState = url.searchParams.get("state");
+          const error = url.searchParams.get("error");
+
+          if (!returnedState || returnedState !== expectedState) {
+            callbackUsed = true;
+            res.writeHead(400, { "Content-Type": "text/html" });
+            res.end(htmlPage("Security Error", "State parameter mismatch. This may be a CSRF attack. The authorization has been rejected.", "#ef4444"));
+            setTimeout(() => server.close(), 500);
+            rejectCode(new Error("State mismatch on callback — possible CSRF. Auth rejected."));
+            return;
+          }
+
+          callbackUsed = true;
+
+          if (error) {
+            const msg = error === "user_cancelled" ? "You cancelled the authorization." : `Auth error: ${error}`;
+            res.writeHead(200, { "Content-Type": "text/html" });
+            res.end(htmlPage("Cancelled", msg, "#fbbf24"));
+            setTimeout(() => server.close(), 500);
+            rejectCode(new Error(msg));
+            return;
+          }
+
+          if (!code) {
+            res.writeHead(400, { "Content-Type": "text/html" });
+            res.end(htmlPage("Error", "No authorization code received.", "#ef4444"));
+            setTimeout(() => server.close(), 500);
+            rejectCode(new Error("No auth code received in callback"));
+            return;
+          }
+
+          res.writeHead(200, { "Content-Type": "text/html" });
+          res.end(htmlPage("Connected!", "You can close this tab. Your AI assistant is authenticated.", "#4ade80"));
+          setTimeout(() => server.close(), 500);
+          resolveCode(code);
+        });
+
+        setTimeout(() => {
+          if (!callbackUsed) {
+            callbackUsed = true;
+            server.close();
+            rejectCode(new Error("Auth timed out (5 min). Restart MCP server to try again."));
+          }
+        }, 300000);
+      });
+
+      resolve({ port, redirectUri, codePromise, server });
+    });
+
+    server.on("error", (err) => {
+      if (err.code === "EADDRINUSE" || err.code === "EACCES") {
+        reject(new Error(`Cannot bind localhost port for auth callback: ${err.message}. Is another instance running?`));
+      } else {
+        reject(err);
+      }
+    });
+  });
+}
+
+function escapeHtml(s) { return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;"); }
+
+function htmlPage(title, message, color) {
+  return `<!DOCTYPE html><html><head><meta charset="utf-8"><title>${escapeHtml(title)}</title></head>`
+    + `<body style="font-family:system-ui,sans-serif;background:#161920;color:${color};`
+    + `display:flex;align-items:center;justify-content:center;min-height:100vh;text-align:center">`
+    + `<div><h2>${escapeHtml(title)}</h2><p style="color:#afafba">${escapeHtml(message)}</p></div></body></html>`;
+}
+
+async function exchangeCodeForTokens(code, codeVerifier, state, deviceLabel) {
+  const res = await fetch(`${API_BASE}/api/mcp/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      grant_type: "authorization_code",
+      code,
+      code_verifier: codeVerifier,
+      state,
+      device_label: deviceLabel,
+    }),
+    signal: AbortSignal.timeout(15000),
+  });
+
+  if (!res.ok) {
+    const data = await res.json().catch(() => ({}));
+    throw new Error(data.error || `Token exchange failed (HTTP ${res.status})`);
+  }
+
+  return res.json();
+}
+
+async function refreshAccessToken(refreshToken) {
+  const res = await fetch(`${API_BASE}/api/mcp/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+    }),
+    signal: AbortSignal.timeout(15000),
+  });
+
+  if (!res.ok) {
+    const data = await res.json().catch(() => ({}));
+    throw new Error(data.error || `Token refresh failed (HTTP ${res.status})`);
+  }
+
+  return res.json();
+}
+
+async function authenticate(hostType) {
+  const cached = await credentialStore.read();
+  if (cached && cached.access_token && cached.refresh_token) {
+    if (cached.expires_at && Date.now() < cached.expires_at - 30000) {
+      return { accessToken: cached.access_token, refreshToken: cached.refresh_token };
+    }
+
+    try {
+      const res = await fetch(`${API_BASE}/api/auth/validate`, {
+        method: "POST",
+        headers: { "Authorization": `Bearer ${cached.access_token}` },
+        signal: AbortSignal.timeout(5000),
+      });
+      if (res.ok) {
+        const data = await res.json();
+        return { accessToken: cached.access_token, refreshToken: cached.refresh_token, displayName: data.displayName || "user" };
+      }
+    } catch (_) {}
+
+    try {
+      console.error("[AUTH] Access token expired, refreshing...");
+      const tokens = await refreshAccessToken(cached.refresh_token);
+      await credentialStore.write({
+        access_token: tokens.access_token,
+        refresh_token: tokens.refresh_token,
+        expires_at: Date.now() + (tokens.expires_in * 1000),
+        host_type: hostType,
+      });
+      return { accessToken: tokens.access_token, refreshToken: tokens.refresh_token };
+    } catch (err) {
+      console.error(`[AUTH] Refresh failed: ${err.message}. Starting browser login...`);
+      await credentialStore.clear();
+    }
+  }
+
+  console.error("[AUTH] Opening browser for login...");
+
+  const pkce = generatePKCE();
+  const state = generateState();
+
+  let callbackResult;
+  try {
+    callbackResult = await startCallbackServer(state);
+  } catch (err) {
+    console.error(`[AUTH] ${err.message}`);
+    console.error("[AUTH] Fallback: set TASKOVER_API_KEY environment variable for headless auth.");
+    throw err;
+  }
+
+  const { port, redirectUri, codePromise } = callbackResult;
+
+  const authUrl = new URL(`${AUTH_PAGE_BASE}/mcp-auth`);
+  authUrl.searchParams.set("code_challenge", pkce.challenge);
+  authUrl.searchParams.set("code_challenge_method", "S256");
+  authUrl.searchParams.set("redirect_uri", redirectUri);
+  authUrl.searchParams.set("state", state);
+  authUrl.searchParams.set("host", hostType || "MCP");
+
+  console.error("[AUTH] If your browser doesn't open, visit:");
+  console.error(`[AUTH] ${authUrl.toString()}`);
+
+  const opened = await openBrowser(authUrl.toString());
+  if (!opened) {
+    console.error("[AUTH] Could not open browser automatically. Please open the URL above.");
+  }
+
+  console.error("[AUTH] Waiting for browser authorization...");
+  let code;
+  try {
+    code = await codePromise;
+  } catch (err) {
+    console.error(`[AUTH] ${err.message}`);
+    throw err;
+  }
+
+  console.error("[AUTH] Exchanging authorization code...");
+  const tokens = await exchangeCodeForTokens(code, pkce.verifier, state, hostType);
+
+  const storageType = await credentialStore.write({
+    access_token: tokens.access_token,
+    refresh_token: tokens.refresh_token,
+    expires_at: Date.now() + (tokens.expires_in * 1000),
+    host_type: hostType,
+  });
+
+  console.error(`[AUTH] Authenticated successfully! (credentials stored in ${storageType})`);
+  return { accessToken: tokens.access_token, refreshToken: tokens.refresh_token };
+}
+
+async function reauthenticate(currentRefreshToken) {
+  try {
+    const tokens = await refreshAccessToken(currentRefreshToken);
+    await credentialStore.write({
+      access_token: tokens.access_token,
+      refresh_token: tokens.refresh_token,
+      expires_at: Date.now() + (tokens.expires_in * 1000),
+    });
+    return tokens;
+  } catch (err) {
+    await credentialStore.clear();
+    throw new Error("Session expired. Restart the MCP server to re-authenticate via browser.");
+  }
+}
+
+async function logout() {
+  await credentialStore.clear();
+  console.error("[AUTH] Logged out. Credentials cleared.");
+}
+
+module.exports = { authenticate, reauthenticate, logout };