webcake-landing-mcp 1.0.7 → 1.0.8

package/README.md

@@ -184,6 +184,48 @@ The MCP config is the same as the local one, but `command`/`args` point at `npx`
 > npx caches the package after the first run, so subsequent launches are fast. Use a pinned version
 > (`webcake-landing-mcp@1.0.0`) if you need a reproducible build.
 
+## Run as a remote connector (Streamable HTTP)
+
+The server also speaks the **remote MCP** (Streamable HTTP) transport, so it can be added through
+Claude's **"Add custom connector"** dialog via a URL — not just as a local stdio server.
+
+Start it in HTTP mode (default port `8787`, or set `PORT` / `--port`):
+
+```bash
+npx -y webcake-landing-mcp serve --port 8787
+# → MCP endpoint at http://localhost:8787/mcp   (GET / or /health returns a status JSON)
+```
+
+Expose it over **HTTPS** at a public URL (a reverse proxy, a tunnel like `ngrok http 8787`, or any
+host), then in Claude → **Add custom connector**:
+
+- **Name**: `webcake-landing`
+- **Remote MCP server URL**: `https://<your-host>/mcp`
+
+### Auth — per-request, multi-user (no shared token)
+
+In stdio mode the JWT comes from env. In HTTP mode each request carries the caller's **own** credentials
+via headers, so a hosted server is multi-user and never bakes in a shared secret:
+
+| Header | Maps to | Notes |
+|--------|---------|-------|
+| `x-webcake-jwt` (or `Authorization: Bearer <jwt>`) | `WEBCAKE_JWT` | the account token — sent per request |
+| `x-webcake-org-id` | `WEBCAKE_ORG_ID` | default org |
+| `x-webcake-api-base` | `WEBCAKE_API_BASE` | usually set once via env on the host instead |
+| `x-webcake-host` | `WEBCAKE_HOST` | Phoenix host-routing header |
+| `x-webcake-app-base` | `WEBCAKE_APP_BASE` | editor/preview URL base |
+
+Any header that is absent falls back to the corresponding env var — so you can also run it **single-user**
+by setting `WEBCAKE_API_BASE` + `WEBCAKE_JWT` in the host's env and keeping the URL private.
+
+> ⚠️ The reference + generation tools (`get_generation_guide`, `list_elements`, `validate_page`, …) need
+> no secret; only the persistence tools (`create_page`, `update_page`, …) use the JWT. If a request has no
+> JWT, those tools return `missing_env` instead of touching the network.
+>
+> Note: the basic claude.ai connector dialog may not let you set custom headers (it offers OAuth, which this
+> server does not implement yet). For the header-based flow, use a client/proxy that can inject headers, or
+> run single-user with env vars behind a private URL.
+
 ## Manual Setup (local)
 
 ```bash
@@ -197,6 +239,53 @@ npm run smoke      # offline self-test of factory + validator (prints "ALL GOOD"
 The reference/validation tools work with **zero config**. Env vars are only needed for the persistence
 tools (`create_page`, `update_page`, `list_pages`, `get_page`, `list_organizations`).
 
+## Connect once — grab your token automatically (`login`)
+
+Instead of copying a JWT by hand, run:
+
+```bash
+# Production — zero config (defaults: connect via webcake.io, API via api.webcake.io):
+npx -y webcake-landing-mcp login
+
+# Local dev — point at your local SPA (5173) + API (5800):
+node dist/index.js login \
+  --connect-url http://localhost:5173/mcp-connect \
+  --api-base http://localhost:5800
+```
+
+It opens your browser → (log into Webcake if needed) → the token is saved to
+`~/.webcake-landing-mcp/auth.json`, which the server then reads automatically.
+
+You're already logged in to Webcake in your browser, so `login` just opens a Webcake "connect"
+page that reads your `jwt` cookie server-side and hands the token back to a localhost callback —
+no copy-paste. The saved token is used by **both** the stdio server and a single-user `serve`
+deployment (env vars still take precedence). JWTs last 90–365 days, so you rarely reconnect.
+
+Two URLs, don't mix them up:
+
+- **Connect page = the SPA** (`--connect-url` / `WEBCAKE_CONNECT_URL`): `https://webcake.io/mcp-connect`
+  in prod, `http://localhost:5173/mcp-connect` locally. Otherwise derived from `WEBCAKE_APP_BASE` +
+  `/mcp-connect`, defaulting to `https://webcake.io/mcp-connect`.
+- **API base = the backend** (`--api-base` / `WEBCAKE_API_BASE`): `https://api.webcake.io` in prod,
+  `http://localhost:5800` locally. Defaults to `https://api.webcake.io`.
+
+Other flags: `--org-id`, `--port`, `--no-open`. Saved-file dir: `WEBCAKE_CONFIG_DIR` (default
+`~/.webcake-landing-mcp`).
+
+**Backend endpoint to add** (in your Webcake backend — it owns the session cookie):
+
+```
+GET /mcp-connect?redirect_uri=<loopback>&state=<s>
+   → read the `jwt` cookie (the logged-in user's token)
+   → 302 to  <redirect_uri>?token=<jwt>&state=<s>
+   (if there's no cookie: 302 to the login page first, then back here)
+```
+
+For safety, only honor `redirect_uri` values on `http://127.0.0.1:*` / `http://localhost:*`.
+
+> Multi-user remote (the claude.ai connector dialog) can't do this browser loopback — there each
+> user sends their own token via the `x-webcake-jwt` header (see the remote-connector section above).
+
 ## Environment Variables
 
 | Variable | Required | Description |
@@ -206,6 +295,8 @@ tools (`create_page`, `update_page`, `list_pages`, `get_page`, `list_organizatio
 | `WEBCAKE_ORG_ID` | No | Default organization id for `create_page` (overridden by its `organization_id` arg). Omit → personal page. |
 | `WEBCAKE_HOST` | No | Optional `Host` header (Phoenix routes by host, e.g. `builder.localhost`). |
 | `WEBCAKE_APP_BASE` | No | Optional base used to build editor/preview URLs in the result. |
+| `WEBCAKE_CONNECT_URL` | No | The SPA "connect" page for `login` (default `https://webcake.io/mcp-connect`; else `WEBCAKE_APP_BASE` + `/mcp-connect`). |
+| `WEBCAKE_CONFIG_DIR` | No | Dir for the saved `auth.json` written by `login` (default `~/.webcake-landing-mcp`). |
 
 > \* `WEBCAKE_API_BASE` and `WEBCAKE_JWT` are only needed for the persistence tools. The reference and
 > validation tools (`get_generation_guide`, `list_elements`, `get_element`, `validate_page`, …) work without them.

package/dist/auth/login.js

@@ -0,0 +1,115 @@
+/**
+ * `webcake-landing-mcp login` — grab the user's Webcake JWT automatically via the
+ * browser, no copy-paste.
+ *
+ * Flow (works for local stdio AND a single-user remote deploy):
+ *   1. open a loopback server on 127.0.0.1:<port>,
+ *   2. open the browser to the Webcake "connect" URL with redirect_uri=<loopback>,
+ *   3. the user is already logged in to Webcake, so Webcake reads their `jwt`
+ *      cookie server-side and 302s back to the loopback with ?token=<jwt>,
+ *   4. we save it to the credentials file (persistence/config.ts#saveSavedConfig),
+ *      which the stdio/http server then reads automatically.
+ *
+ * Backend contract (added to landing_page_backend — owned by the user):
+ *   GET {WEBCAKE_CONNECT_URL}?redirect_uri=<loopback>&state=<s>
+ *     → read cookie `jwt` → 302 to <redirect_uri>?token=<jwt>&state=<s>
+ *       (or 302 to the login page first, then back). Restrict redirect_uri to
+ *       http://127.0.0.1:* / http://localhost:* for safety.
+ */
+import { createServer } from "node:http";
+import { randomBytes } from "node:crypto";
+import { spawn } from "node:child_process";
+import { saveSavedConfig } from "../persistence/config.js";
+// Production defaults — the connect page lives on the SPA (webcake.io), the API
+// lives on api.webcake.io. For local dev override with --connect-url / --api-base
+// (e.g. http://localhost:5173/mcp-connect and http://localhost:5800) or the
+// WEBCAKE_APP_BASE / WEBCAKE_API_BASE env vars.
+const DEFAULT_CONNECT_URL = "https://webcake.io/mcp-connect";
+const DEFAULT_API_BASE = "https://api.webcake.io";
+function parseArgs(argv) {
+    const get = (name) => {
+        const i = argv.indexOf(name);
+        return i !== -1 ? argv[i + 1] : undefined;
+    };
+    return {
+        connectUrl: get("--connect-url"),
+        apiBase: get("--api-base"),
+        orgId: get("--org-id"),
+        port: get("--port") ? Number(get("--port")) : undefined,
+        open: !argv.includes("--no-open"),
+    };
+}
+function openBrowser(url) {
+    const platform = process.platform;
+    const cmd = platform === "darwin" ? "open" : platform === "win32" ? "cmd" : "xdg-open";
+    const args = platform === "win32" ? ["/c", "start", "", url] : [url];
+    try {
+        spawn(cmd, args, { stdio: "ignore", detached: true }).unref();
+    }
+    catch {
+        /* ignore — the URL is also printed */
+    }
+}
+const SUCCESS_HTML = `<!doctype html><meta charset="utf-8"><title>Connected</title>
+<body style="font-family:system-ui;text-align:center;padding:48px">
+<h2>✓ Connected to Webcake</h2><p>You can close this tab and return to your terminal.</p></body>`;
+function resolveConnectUrl(opts) {
+    if (opts.connectUrl)
+        return opts.connectUrl;
+    if (process.env.WEBCAKE_CONNECT_URL)
+        return process.env.WEBCAKE_CONNECT_URL;
+    // The connect page is on the SPA (WEBCAKE_APP_BASE), NOT the API base.
+    const appBase = process.env.WEBCAKE_APP_BASE;
+    if (appBase)
+        return `${appBase.replace(/\/+$/, "")}/mcp-connect`;
+    return DEFAULT_CONNECT_URL;
+}
+export async function runLogin(argv) {
+    const opts = parseArgs(argv);
+    const connectUrl = resolveConnectUrl(opts);
+    const apiBase = opts.apiBase || process.env.WEBCAKE_API_BASE || DEFAULT_API_BASE;
+    const state = randomBytes(16).toString("hex");
+    await new Promise((resolve, reject) => {
+        const server = createServer((req, res) => {
+            const url = new URL(req.url || "/", "http://127.0.0.1");
+            if (url.pathname !== "/callback") {
+                res.writeHead(404).end("Not found");
+                return;
+            }
+            const token = url.searchParams.get("token");
+            if (!token || url.searchParams.get("state") !== state) {
+                res.writeHead(400, { "content-type": "text/html" }).end("<p>Invalid or expired login — re-run the command.</p>");
+                return;
+            }
+            const path = saveSavedConfig({
+                jwt: token,
+                ...(apiBase ? { base: apiBase.replace(/\/+$/, "") } : {}),
+                ...(opts.orgId ? { orgId: opts.orgId } : {}),
+                savedAt: new Date().toISOString(),
+            });
+            res.writeHead(200, { "content-type": "text/html" }).end(SUCCESS_HTML);
+            console.error(`\n✓ Connected. Token saved to ${path}`);
+            if (!apiBase) {
+                console.error("  tip: also set WEBCAKE_API_BASE (or pass --api-base) so the server knows the backend URL.");
+            }
+            server.close();
+            resolve();
+        });
+        server.on("error", reject);
+        server.listen(opts.port ?? 0, "127.0.0.1", () => {
+            const addr = server.address();
+            const port = typeof addr === "object" && addr ? addr.port : opts.port;
+            const redirectUri = `http://127.0.0.1:${port}/callback`;
+            const sep = connectUrl.includes("?") ? "&" : "?";
+            const full = `${connectUrl}${sep}redirect_uri=${encodeURIComponent(redirectUri)}&state=${state}`;
+            console.error("Opening your browser to connect to Webcake (log in there if prompted):");
+            console.error("  " + full + "\n");
+            if (opts.open)
+                openBrowser(full);
+        });
+        setTimeout(() => {
+            server.close();
+            reject(new Error("login timed out after 180s."));
+        }, 180_000).unref();
+    });
+}

package/dist/http.js

@@ -0,0 +1,86 @@
+/**
+ * Remote transport: a Streamable-HTTP server so the MCP can be added as a Claude
+ * "custom connector" via a public URL — alongside the stdio mode in index.ts.
+ *
+ * Stateful sessions: an `initialize` POST (no session id) spins up a fresh
+ * McpServer + transport and returns an `mcp-session-id`; later requests reuse it
+ * via that header. Every request's headers carry the caller's OWN Webcake JWT
+ * (see persistence/config.ts#configFromHeaders), so a hosted server is multi-user
+ * and never bakes a shared token into env.
+ *
+ * All logging stays on stderr (console.error), same as stdio mode.
+ */
+import { randomUUID } from "node:crypto";
+import { createServer as createHttpServer } from "node:http";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
+import { createServer } from "./server.js";
+const MCP_PATH = "/mcp";
+function sendJson(res, status, body) {
+    res.writeHead(status, { "content-type": "application/json" });
+    res.end(JSON.stringify(body));
+}
+function rpcError(res, status, message) {
+    sendJson(res, status, { jsonrpc: "2.0", error: { code: -32000, message }, id: null });
+}
+async function readBody(req) {
+    const chunks = [];
+    for await (const c of req)
+        chunks.push(c);
+    const raw = Buffer.concat(chunks).toString("utf8").trim();
+    return raw ? JSON.parse(raw) : undefined;
+}
+export async function startHttpServer(port) {
+    // mcp-session-id -> live transport (each bound to its own McpServer instance).
+    const transports = new Map();
+    const httpServer = createHttpServer(async (req, res) => {
+        const path = (req.url ?? "").split("?")[0];
+        // Lightweight health check for hosting platforms.
+        if (req.method === "GET" && (path === "/" || path === "/health")) {
+            return sendJson(res, 200, { ok: true, server: "webcake-landing", transport: "streamable-http", endpoint: MCP_PATH });
+        }
+        if (path !== MCP_PATH)
+            return rpcError(res, 404, `Not found. Send MCP requests to ${MCP_PATH}.`);
+        const sidHeader = req.headers["mcp-session-id"];
+        const sessionId = Array.isArray(sidHeader) ? sidHeader[0] : sidHeader;
+        try {
+            // Existing session: delegate any method (POST/GET/DELETE) to its transport.
+            if (sessionId && transports.has(sessionId)) {
+                const transport = transports.get(sessionId);
+                const body = req.method === "POST" ? await readBody(req) : undefined;
+                await transport.handleRequest(req, res, body);
+                return;
+            }
+            // New session: only a POST `initialize` may open one.
+            if (req.method === "POST") {
+                const body = await readBody(req);
+                if (!sessionId && isInitializeRequest(body)) {
+                    const transport = new StreamableHTTPServerTransport({
+                        sessionIdGenerator: () => randomUUID(),
+                        onsessioninitialized: (id) => {
+                            transports.set(id, transport);
+                        },
+                    });
+                    transport.onclose = () => {
+                        if (transport.sessionId)
+                            transports.delete(transport.sessionId);
+                    };
+                    const server = createServer();
+                    await server.connect(transport);
+                    await transport.handleRequest(req, res, body);
+                    return;
+                }
+                return rpcError(res, 400, "Bad Request: no valid mcp-session-id (send an initialize request first).");
+            }
+            return rpcError(res, 400, "Bad Request: missing or unknown mcp-session-id.");
+        }
+        catch (err) {
+            console.error("[webcake-http] request error:", err);
+            if (!res.headersSent)
+                rpcError(res, 500, "Internal server error.");
+        }
+    });
+    await new Promise((resolve) => httpServer.listen(port, resolve));
+    // stderr only.
+    console.error(`[webcake-elements] MCP Streamable-HTTP server ready on http://localhost:${port}${MCP_PATH}`);
+}

package/dist/index.js

@@ -2,11 +2,16 @@
 /**
  * Webcake landing MCP server (stdio) — entry point.
  *
- * Thin dispatcher: `webcake-landing-mcp install|uninstall|--help` runs the
- * bundled IDE installer; otherwise it starts the stdio MCP server. The server
- * itself (McpServer + tool registration) is built in ./server.ts; the knowledge,
- * factory, validator, and HTTP client live under ./core, ./domains, ./tools, and
- * ./persistence.
+ * Thin dispatcher:
+ *   - `webcake-landing-mcp install|uninstall|--help` → bundled IDE installer
+ *   - `webcake-landing-mcp login` → grab the Webcake JWT via the browser and save it
+ *     (~/.webcake-landing-mcp/auth.json); see ./auth/login.ts
+ *   - `webcake-landing-mcp serve [--port N]` (or PORT env) → remote Streamable-HTTP
+ *     server (for Claude "custom connector" via a public URL); see ./http.ts
+ *   - no subcommand → stdio MCP server (the default; for desktop/CLI configs)
+ * The server itself (McpServer + tool registration) is built in ./server.ts; the
+ * knowledge, factory, validator, and HTTP client live under ./core, ./domains,
+ * ./tools, and ./persistence.
  *
  * stdout is the MCP channel — all logging goes to stderr (console.error) only.
  */
@@ -27,6 +32,19 @@ async function main() {
         await runInstaller(rest);
         return;
     }
+    if (sub === "login") {
+        const { runLogin } = await import("./auth/login.js");
+        await runLogin(process.argv.slice(3));
+        return;
+    }
+    if (sub === "serve" || sub === "http" || sub === "serve-http") {
+        const { startHttpServer } = await import("./http.js");
+        const flagIdx = process.argv.indexOf("--port");
+        const raw = (flagIdx !== -1 ? process.argv[flagIdx + 1] : undefined) ?? process.env.PORT;
+        const port = Number(raw);
+        await startHttpServer(Number.isFinite(port) && port > 0 ? port : 8787);
+        return;
+    }
     const transport = new StdioServerTransport();
     const server = createServer();
     await server.connect(transport);

package/dist/persistence/config.js

@@ -1,6 +1,31 @@
-export function readConfig() {
-    const base = process.env.WEBCAKE_API_BASE;
-    const jwt = process.env.WEBCAKE_JWT;
+/**
+ * Resolve the persistence config. Three sources, in priority order:
+ *  1. per-request `overrides` (remote/Streamable-HTTP mode: each client sends its
+ *     OWN Webcake JWT via HTTP headers — see `configFromHeaders` — so a hosted
+ *     server is multi-user and never bakes a shared secret into env), then
+ *  2. environment variables (stdio / single-user mode), then
+ *  3. the saved credentials file written by `webcake-landing-mcp login`
+ *     (~/.webcake-landing-mcp/auth.json) — so a user can connect once via the
+ *     browser instead of pasting a token.
+ *
+ * The JWT is never hard-coded (the repo is public). `readConfig` returns
+ * { config: null, missing } when required values are absent so the persistence
+ * tools can report exactly what to provide.
+ *
+ *   WEBCAKE_API_BASE  e.g. http://localhost:5800   (required to call the backend)
+ *   WEBCAKE_JWT       the account JWT               (required to call the backend)
+ *   WEBCAKE_ORG_ID    optional default organization id for create_page
+ *   WEBCAKE_HOST      optional Host header override (Phoenix routes by host)
+ *   WEBCAKE_APP_BASE  optional base for editor/preview URLs in the result
+ *   WEBCAKE_CONFIG_DIR  optional dir for the saved auth.json (default ~/.webcake-landing-mcp)
+ */
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { readFileSync, writeFileSync, mkdirSync } from "node:fs";
+export function readConfig(overrides = {}) {
+    const saved = readSavedConfig();
+    const base = overrides.base ?? process.env.WEBCAKE_API_BASE ?? saved.base;
+    const jwt = overrides.jwt ?? process.env.WEBCAKE_JWT ?? saved.jwt;
     const missing = [];
     if (!base)
         missing.push("WEBCAKE_API_BASE");
@@ -12,10 +37,60 @@ export function readConfig() {
         config: {
             base: base.replace(/\/+$/, ""),
             jwt: jwt,
-            orgId: process.env.WEBCAKE_ORG_ID,
-            host: process.env.WEBCAKE_HOST,
-            appBase: process.env.WEBCAKE_APP_BASE?.replace(/\/+$/, ""),
+            orgId: overrides.orgId ?? process.env.WEBCAKE_ORG_ID ?? saved.orgId,
+            host: overrides.host ?? process.env.WEBCAKE_HOST ?? saved.host,
+            appBase: (overrides.appBase ?? process.env.WEBCAKE_APP_BASE ?? saved.appBase)?.replace(/\/+$/, ""),
         },
         missing: [],
     };
 }
+function header(headers, name) {
+    const v = headers?.[name];
+    return Array.isArray(v) ? v[0] : v ?? undefined;
+}
+/**
+ * Build request-scoped config overrides from HTTP headers. Lets a remote client
+ * send its own credentials per request instead of a server-wide env token:
+ *   x-webcake-jwt        the account JWT (or `Authorization: Bearer <jwt>`)
+ *   x-webcake-org-id     organization id
+ *   x-webcake-api-base   backend base URL (usually set once via env instead)
+ *   x-webcake-host       Host header override
+ *   x-webcake-app-base   editor/preview URL base
+ * Any header that is absent falls back to the corresponding env var in readConfig.
+ */
+export function configFromHeaders(headers) {
+    const auth = header(headers, "authorization");
+    const bearer = auth && /^Bearer\s+/i.test(auth) ? auth.replace(/^Bearer\s+/i, "").trim() : undefined;
+    return {
+        base: header(headers, "x-webcake-api-base"),
+        jwt: header(headers, "x-webcake-jwt") ?? bearer,
+        orgId: header(headers, "x-webcake-org-id"),
+        host: header(headers, "x-webcake-host"),
+        appBase: header(headers, "x-webcake-app-base"),
+    };
+}
+/** Directory for the saved auth file (override with WEBCAKE_CONFIG_DIR). */
+export function configDir() {
+    return process.env.WEBCAKE_CONFIG_DIR || join(homedir(), ".webcake-landing-mcp");
+}
+export function savedConfigPath() {
+    return join(configDir(), "auth.json");
+}
+/** Read the saved credentials; {} when the file is absent or unreadable. */
+export function readSavedConfig() {
+    try {
+        const parsed = JSON.parse(readFileSync(savedConfigPath(), "utf8"));
+        return parsed && typeof parsed === "object" ? parsed : {};
+    }
+    catch {
+        return {};
+    }
+}
+/** Merge + persist credentials to the saved file (0600). Returns the path written. */
+export function saveSavedConfig(partial) {
+    const dir = configDir();
+    mkdirSync(dir, { recursive: true });
+    const path = savedConfigPath();
+    writeFileSync(path, JSON.stringify({ ...readSavedConfig(), ...partial }, null, 2), { mode: 0o600 });
+    return path;
+}

package/dist/tools/persistence.js

@@ -4,21 +4,27 @@
  * default to dry_run=true and return a JWT-redacted request preview; they only
  * hit the network when dry_run===false. Validation uses the injected Domain;
  * the HTTP calls go through the Webcake client.
+ *
+ * Credentials resolve per request: in remote/Streamable-HTTP mode each call's
+ * headers (extra.requestInfo.headers) carry the client's own Webcake JWT, so a
+ * hosted server is multi-user; in stdio/single-user mode they come from env.
  */
 import { z } from "zod";
 import { text } from "../mcp/response.js";
-import { readConfig } from "../persistence/config.js";
+import { readConfig, configFromHeaders } from "../persistence/config.js";
 import { buildRequestRedacted, buildUpdateRequestRedacted, createPage, listOrganizations, listPages, getPageSource, updatePageSource, } from "../persistence/webcake-client.js";
 export function registerPersistenceTools(server, domain) {
+    // Resolve config from THIS request's headers (remote per-user JWT) first, then env.
+    const cfgFor = (extra) => readConfig(configFromHeaders(extra?.requestInfo?.headers));
     // 8) List organizations -----------------------------------------------------
-    server.tool("list_organizations", "List the account's Webcake organizations (id, name, is_default). The default org (type===1, usually the personal workspace) is where pages normally go. Call this BEFORE create_page, show the options to the user and ask which org to use — defaulting to the is_default one. Needs WEBCAKE_API_BASE + WEBCAKE_JWT.", {}, async () => {
-        const { config, missing } = readConfig();
+    server.tool("list_organizations", "List the account's Webcake organizations (id, name, is_default). The default org (type===1, usually the personal workspace) is where pages normally go. Call this BEFORE create_page, show the options to the user and ask which org to use — defaulting to the is_default one. Needs WEBCAKE_API_BASE + WEBCAKE_JWT.", {}, async (_args, extra) => {
+        const { config, missing } = cfgFor(extra);
         if (!config) {
             return text({
                 ok: false,
                 reason: "missing_env",
                 missing_env: missing,
-                hint: "Configure WEBCAKE_API_BASE and WEBCAKE_JWT in the MCP server env.",
+                hint: "Configure WEBCAKE_API_BASE and WEBCAKE_JWT in the MCP server env (stdio), or send the JWT via the x-webcake-jwt header (remote).",
             });
         }
         return text(await listOrganizations(config));
@@ -37,7 +43,7 @@ export function registerPersistenceTools(server, domain) {
             .boolean()
             .optional()
             .describe("Default TRUE — preview the request without sending. Set false to actually create."),
-    }, async ({ source, name, organization_id, dry_run }) => {
+    }, async ({ source, name, organization_id, dry_run }, extra) => {
         const pageName = name ?? "AI Page";
         const isDry = dry_run !== false; // default true (safe)
         const orgId = organization_id != null ? `${organization_id}` : undefined;
@@ -52,7 +58,7 @@ export function registerPersistenceTools(server, domain) {
             });
         }
         const parsed = domain.coerce(source);
-        const { config, missing } = readConfig();
+        const { config, missing } = cfgFor(extra);
         if (isDry) {
             return text({
                 dry_run: true,
@@ -63,7 +69,7 @@ export function registerPersistenceTools(server, domain) {
                 request: config
                     ? buildRequestRedacted(config, pageName, parsed, orgId)
                     : {
-                        note: "Set WEBCAKE_API_BASE + WEBCAKE_JWT to enable real creation. Would POST to {WEBCAKE_API_BASE}/api/v1/ai/create_page_from_source.",
+                        note: "Set WEBCAKE_API_BASE + WEBCAKE_JWT (env) or send the x-webcake-jwt header to enable real creation. Would POST to {WEBCAKE_API_BASE}/api/v1/ai/create_page_from_source.",
                     },
                 hint: "Re-run with dry_run=false to actually create the page.",
             });
@@ -73,22 +79,22 @@ export function registerPersistenceTools(server, domain) {
                 created: false,
                 reason: "missing_env",
                 missing_env: missing,
-                hint: "Configure WEBCAKE_API_BASE and WEBCAKE_JWT in the MCP server env, then retry.",
+                hint: "Configure WEBCAKE_API_BASE and WEBCAKE_JWT (env), or send the x-webcake-jwt header (remote), then retry.",
             });
         }
         const outcome = await createPage(config, pageName, parsed, orgId);
         return text({ created: outcome.ok, ...outcome, warnings: result.warnings });
     });
     // 10) List pages ------------------------------------------------------------
-    server.tool("list_pages", "List the pages owned by the account (id, name, organization_id, updated_at), most-recent first. Use it to let the user pick a page to edit (then get_page → modify → update_page). Needs WEBCAKE_API_BASE + WEBCAKE_JWT.", {}, async () => {
-        const { config, missing } = readConfig();
+    server.tool("list_pages", "List the pages owned by the account (id, name, organization_id, updated_at), most-recent first. Use it to let the user pick a page to edit (then get_page → modify → update_page). Needs WEBCAKE_API_BASE + WEBCAKE_JWT.", {}, async (_args, extra) => {
+        const { config, missing } = cfgFor(extra);
         if (!config)
             return text({ ok: false, reason: "missing_env", missing_env: missing });
         return text(await listPages(config));
     });
     // 11) Get page (read source) ------------------------------------------------
-    server.tool("get_page", "Fetch an existing page's decoded source tree { page, popup, settings, options, cartConfigs } so you can EDIT it. Returns name + organization_id too. Edit the returned `source`, then validate_page and update_page. Needs WEBCAKE_API_BASE + WEBCAKE_JWT.", { page_id: z.string().describe("The page id (from list_pages or a URL).") }, async ({ page_id }) => {
-        const { config, missing } = readConfig();
+    server.tool("get_page", "Fetch an existing page's decoded source tree { page, popup, settings, options, cartConfigs } so you can EDIT it. Returns name + organization_id too. Edit the returned `source`, then validate_page and update_page. Needs WEBCAKE_API_BASE + WEBCAKE_JWT.", { page_id: z.string().describe("The page id (from list_pages or a URL).") }, async ({ page_id }, extra) => {
+        const { config, missing } = cfgFor(extra);
         if (!config)
             return text({ ok: false, reason: "missing_env", missing_env: missing });
         return text(await getPageSource(config, page_id));
@@ -100,7 +106,7 @@ export function registerPersistenceTools(server, domain) {
             .any()
             .describe("The full edited page source { page, popup, settings, options, cartConfigs } (object or JSON string)."),
         dry_run: z.boolean().optional().describe("Default TRUE — preview without sending. Set false to actually save."),
-    }, async ({ page_id, source, dry_run }) => {
+    }, async ({ page_id, source, dry_run }, extra) => {
         const isDry = dry_run !== false;
         const result = domain.validate(source);
         if (!result.valid) {
@@ -113,7 +119,7 @@ export function registerPersistenceTools(server, domain) {
             });
         }
         const parsed = domain.coerce(source);
-        const { config, missing } = readConfig();
+        const { config, missing } = cfgFor(extra);
         if (isDry) {
             return text({
                 dry_run: true,
@@ -123,7 +129,7 @@ export function registerPersistenceTools(server, domain) {
                 missing_env: missing,
                 request: config
                     ? buildUpdateRequestRedacted(config, page_id, parsed)
-                    : { note: "Set WEBCAKE_API_BASE + WEBCAKE_JWT to enable real updates." },
+                    : { note: "Set WEBCAKE_API_BASE + WEBCAKE_JWT (env) or send the x-webcake-jwt header to enable real updates." },
                 hint: "Re-run with dry_run=false to actually save the edit.",
             });
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "webcake-landing-mcp",
-  "version": "1.0.7",
+  "version": "1.0.8",
   "description": "MCP server exposing Webcake landing-page element schemas + AI usage hints, and persisting LLM-generated page sources to a Webcake backend.",
   "type": "module",
   "bin": {