webcake-landing-mcp 1.0.77 → 1.0.79

package/dist/auth/oauth-server.js

@@ -15,49 +15,215 @@
  *   - Token endpoint (POST /token)  authorization_code + refresh_token
  *   - Authorization Server + Protected Resource metadata (the /.well-known docs)
  *
- * Access tokens are OPAQUE random strings mapped to the user's `ljwt` in this
+ * Access tokens are OPAQUE random strings mapped to the user's `ljwt` in the
  * store (so they can be revoked and the ljwt never leaves the server). The HTTP
  * layer resolves a Bearer access token to its ljwt and injects it as the normal
  * `x-webcake-jwt` header, so the rest of the server (persistence/config.ts) is
  * UNCHANGED and the legacy `?jwt=` / `x-webcake-jwt` paths keep working untouched.
  *
- * STORE: in-memory + single-process. Fine for one `serve` instance; move the maps
- * to Redis (same interface) before running multiple instances behind a load balancer.
+ * STORE: Postgres when DATABASE_URL is set (tokens survive a `serve` restart and
+ * are shared across instances behind a load balancer), else in-memory maps
+ * (single-instance `serve`, stdio/`npx`, offline tests). Both implement the same
+ * async `OAuthStore` interface; the rest of this module is backend-agnostic. All
+ * exported state functions are async — callers (src/http.ts) `await` them.
  */
 import { randomBytes, createHash } from "node:crypto";
+import { getPg, ensureOAuthSchema } from "../persistence/postgres.js";
 // ---- TTLs (override via env where useful) ---------------------------------
 const TEN_MIN = 10 * 60 * 1000;
 const ACCESS_TTL = Number(process.env.WEBCAKE_OAUTH_ACCESS_TTL_MS) || 60 * 60 * 1000; // 1h
 const REFRESH_TTL = Number(process.env.WEBCAKE_OAUTH_REFRESH_TTL_MS) || 30 * 24 * 60 * 60 * 1000; // 30d
 const CODE_TTL = TEN_MIN;
 const PENDING_TTL = TEN_MIN;
-// ---- In-memory maps -------------------------------------------------------
-const clients = new Map();
-const pending = new Map(); // key: internal state we send to /mcp-connect
-const codes = new Map(); // key: authorization code
-const accessTokens = new Map(); // key: access token
-const refreshTokens = new Map(); // key: refresh token
 function now() {
     return Date.now();
 }
 function token(bytes = 32) {
     return randomBytes(bytes).toString("base64url");
 }
-/** Lazy sweep of anything expired — cheap, called on the hot paths. */
-function sweep() {
-    const t = now();
-    for (const [k, v] of pending)
-        if (v.expiresAt < t)
-            pending.delete(k);
-    for (const [k, v] of codes)
-        if (v.expiresAt < t)
-            codes.delete(k);
-    for (const [k, v] of accessTokens)
-        if (v.expiresAt < t)
-            accessTokens.delete(k);
-    for (const [k, v] of refreshTokens)
-        if (v.expiresAt < t)
-            refreshTokens.delete(k);
+// ---- In-memory store (default; no DATABASE_URL) ---------------------------
+class MemoryStore {
+    clients = new Map();
+    pending = new Map();
+    codes = new Map();
+    access = new Map();
+    refresh = new Map();
+    /** Lazy sweep of anything expired — cheap, called on the hot paths. */
+    sweep() {
+        const t = now();
+        for (const [k, v] of this.pending)
+            if (v.expiresAt < t)
+                this.pending.delete(k);
+        for (const [k, v] of this.codes)
+            if (v.expiresAt < t)
+                this.codes.delete(k);
+        for (const [k, v] of this.access)
+            if (v.expiresAt < t)
+                this.access.delete(k);
+        for (const [k, v] of this.refresh)
+            if (v.expiresAt < t)
+                this.refresh.delete(k);
+    }
+    async putClient(c) {
+        this.clients.set(c.client_id, c);
+    }
+    async getClient(id) {
+        return this.clients.get(id);
+    }
+    async putPending(state, p) {
+        this.sweep();
+        this.pending.set(state, p);
+    }
+    async takePending(state) {
+        this.sweep();
+        const p = this.pending.get(state);
+        this.pending.delete(state);
+        return p && p.expiresAt >= now() ? p : undefined;
+    }
+    async putCode(code, c) {
+        this.codes.set(code, c);
+    }
+    async takeCode(code) {
+        this.sweep();
+        const c = this.codes.get(code);
+        this.codes.delete(code);
+        return c && c.expiresAt >= now() ? c : undefined;
+    }
+    async putAccess(t, a) {
+        this.access.set(t, a);
+    }
+    async getAccess(t) {
+        const a = this.access.get(t);
+        if (a && a.expiresAt < now()) {
+            this.access.delete(t);
+            return undefined;
+        }
+        return a;
+    }
+    async putRefresh(t, r) {
+        this.refresh.set(t, r);
+    }
+    async takeRefresh(t) {
+        this.sweep();
+        const r = this.refresh.get(t);
+        this.refresh.delete(t);
+        return r && r.expiresAt >= now() ? r : undefined;
+    }
+    async revoke(t) {
+        this.access.delete(t);
+        this.refresh.delete(t);
+    }
+}
+// ---- Postgres store (when DATABASE_URL is set) ----------------------------
+class PgStore {
+    pool;
+    constructor(pool) {
+        this.pool = pool;
+    }
+    async putClient(c) {
+        await this.pool.query(`INSERT INTO oauth_clients (client_id, client_name, redirect_uris, created_at)
+       VALUES ($1,$2,$3,$4)
+       ON CONFLICT (client_id) DO UPDATE SET client_name=$2, redirect_uris=$3`, [c.client_id, c.client_name ?? null, JSON.stringify(c.redirect_uris), c.created_at]);
+    }
+    async getClient(id) {
+        const { rows } = await this.pool.query(`SELECT client_id, client_name, redirect_uris, created_at FROM oauth_clients WHERE client_id=$1`, [id]);
+        const r = rows[0];
+        if (!r)
+            return undefined;
+        return {
+            client_id: r.client_id,
+            client_name: r.client_name ?? undefined,
+            redirect_uris: Array.isArray(r.redirect_uris) ? r.redirect_uris : JSON.parse(r.redirect_uris),
+            created_at: Number(r.created_at),
+        };
+    }
+    async putPending(state, p) {
+        await this.pool.query(`INSERT INTO oauth_pending (state, client_id, redirect_uri, code_challenge, client_state, scope, expires_at)
+       VALUES ($1,$2,$3,$4,$5,$6,$7)`, [state, p.client_id, p.redirect_uri, p.code_challenge, p.state ?? null, p.scope ?? null, p.expiresAt]);
+    }
+    async takePending(state) {
+        const { rows } = await this.pool.query(`DELETE FROM oauth_pending WHERE state=$1 RETURNING client_id, redirect_uri, code_challenge, client_state, scope, expires_at`, [state]);
+        const r = rows[0];
+        if (!r || Number(r.expires_at) < now())
+            return undefined;
+        return {
+            client_id: r.client_id,
+            redirect_uri: r.redirect_uri,
+            code_challenge: r.code_challenge,
+            state: r.client_state ?? undefined,
+            scope: r.scope ?? undefined,
+            expiresAt: Number(r.expires_at),
+        };
+    }
+    async putCode(code, c) {
+        await this.pool.query(`INSERT INTO oauth_codes (code, client_id, redirect_uri, code_challenge, scope, ljwt, expires_at)
+       VALUES ($1,$2,$3,$4,$5,$6,$7)`, [code, c.client_id, c.redirect_uri, c.code_challenge, c.scope ?? null, c.ljwt, c.expiresAt]);
+    }
+    async takeCode(code) {
+        const { rows } = await this.pool.query(`DELETE FROM oauth_codes WHERE code=$1 RETURNING client_id, redirect_uri, code_challenge, scope, ljwt, expires_at`, [code]);
+        const r = rows[0];
+        if (!r || Number(r.expires_at) < now())
+            return undefined;
+        return {
+            client_id: r.client_id,
+            redirect_uri: r.redirect_uri,
+            code_challenge: r.code_challenge,
+            scope: r.scope ?? undefined,
+            ljwt: r.ljwt,
+            expiresAt: Number(r.expires_at),
+        };
+    }
+    async putAccess(t, a) {
+        await this.pool.query(`INSERT INTO oauth_access_tokens (token, ljwt, scope, expires_at) VALUES ($1,$2,$3,$4)`, [t, a.ljwt, a.scope ?? null, a.expiresAt]);
+    }
+    async getAccess(t) {
+        const { rows } = await this.pool.query(`SELECT ljwt, scope, expires_at FROM oauth_access_tokens WHERE token=$1`, [t]);
+        const r = rows[0];
+        if (!r)
+            return undefined;
+        if (Number(r.expires_at) < now()) {
+            await this.pool.query(`DELETE FROM oauth_access_tokens WHERE token=$1`, [t]);
+            return undefined;
+        }
+        return { ljwt: r.ljwt, scope: r.scope ?? undefined, expiresAt: Number(r.expires_at) };
+    }
+    async putRefresh(t, r) {
+        await this.pool.query(`INSERT INTO oauth_refresh_tokens (token, ljwt, client_id, scope, expires_at) VALUES ($1,$2,$3,$4,$5)`, [t, r.ljwt, r.client_id, r.scope ?? null, r.expiresAt]);
+    }
+    async takeRefresh(t) {
+        const { rows } = await this.pool.query(`DELETE FROM oauth_refresh_tokens WHERE token=$1 RETURNING ljwt, client_id, scope, expires_at`, [t]);
+        const r = rows[0];
+        if (!r || Number(r.expires_at) < now())
+            return undefined;
+        return {
+            ljwt: r.ljwt,
+            client_id: r.client_id,
+            scope: r.scope ?? undefined,
+            expiresAt: Number(r.expires_at),
+        };
+    }
+    async revoke(t) {
+        await this.pool.query(`DELETE FROM oauth_access_tokens WHERE token=$1`, [t]);
+        await this.pool.query(`DELETE FROM oauth_refresh_tokens WHERE token=$1`, [t]);
+    }
+}
+// ---- Backend selection (memoized) -----------------------------------------
+const memoryStore = new MemoryStore();
+let storePromise;
+/** Resolve the active store ONCE: Postgres if configured + schema ready, else memory. */
+function getStore() {
+    if (storePromise)
+        return storePromise;
+    storePromise = (async () => {
+        const pool = getPg();
+        if (pool && (await ensureOAuthSchema(pool)))
+            return new PgStore(pool);
+        return memoryStore;
+    })().catch((e) => {
+        console.error("[oauth] store init failed, using in-memory:", e?.message ?? e);
+        return memoryStore;
+    });
+    return storePromise;
 }
 // ---- PKCE -----------------------------------------------------------------
 /** base64url( SHA256(verifier) ) — the S256 transform. */
@@ -76,7 +242,7 @@ export function verifyPkce(verifier, challenge) {
         diff |= a.charCodeAt(i) ^ challenge.charCodeAt(i);
     return diff === 0;
 }
-export function registerClient(body) {
+export async function registerClient(body) {
     const uris = Array.isArray(body?.redirect_uris)
         ? body.redirect_uris.filter((u) => typeof u === "string" && /^https?:\/\//i.test(u))
         : [];
@@ -89,11 +255,13 @@ export function registerClient(body) {
         redirect_uris: uris,
         created_at: now(),
     };
-    clients.set(client.client_id, client);
+    (await getStore()).putClient(client).catch((e) => console.error("[oauth] putClient:", e?.message ?? e));
     return { ok: true, client };
 }
-export function getClient(clientId) {
-    return clientId ? clients.get(clientId) : undefined;
+export async function getClient(clientId) {
+    if (!clientId)
+        return undefined;
+    return (await getStore()).getClient(clientId);
 }
 /**
  * Validate an /authorize request and park it. Returns an `internalState` to send
@@ -101,9 +269,9 @@ export function getClient(clientId) {
  * `redirectable: false` means the error must be shown as a page (we can't trust
  * the redirect_uri); `true` means it's safe to bounce the error to the client.
  */
-export function startAuthorize(p) {
-    sweep();
-    const client = getClient(p.client_id);
+export async function startAuthorize(p) {
+    const store = await getStore();
+    const client = p.client_id ? await store.getClient(p.client_id) : undefined;
     if (!client) {
         return { ok: false, error: "invalid_client", error_description: "Unknown client_id. Register first via /register.", redirectable: false };
     }
@@ -118,7 +286,7 @@ export function startAuthorize(p) {
         return { ok: false, error: "invalid_request", error_description: "PKCE with code_challenge_method=S256 is required.", redirectable: true };
     }
     const internalState = token(24);
-    pending.set(internalState, {
+    await store.putPending(internalState, {
         client_id: client.client_id,
         redirect_uri: p.redirect_uri,
         code_challenge: p.code_challenge,
@@ -134,18 +302,17 @@ export function startAuthorize(p) {
  * parked PKCE challenge, and return where to redirect the user (the client's
  * redirect_uri with ?code=&state=).
  */
-export function completeAuthorize(internalState, ljwt) {
-    sweep();
-    if (!internalState || !pending.has(internalState)) {
+export async function completeAuthorize(internalState, ljwt) {
+    const store = await getStore();
+    const p = internalState ? await store.takePending(internalState) : undefined;
+    if (!p) {
         return { ok: false, error: "invalid_request", error_description: "Authorization session expired or unknown — restart the connection." };
     }
-    const p = pending.get(internalState);
-    pending.delete(internalState);
     if (!ljwt) {
         return { ok: false, error: "access_denied", error_description: "No Webcake token returned from login." };
     }
     const code = token(32);
-    codes.set(code, {
+    await store.putCode(code, {
         client_id: p.client_id,
         redirect_uri: p.redirect_uri,
         code_challenge: p.code_challenge,
@@ -155,21 +322,20 @@ export function completeAuthorize(internalState, ljwt) {
     });
     return { ok: true, redirectUri: p.redirect_uri, code, state: p.state };
 }
-function issueTokens(ljwt, client_id, scope) {
+async function issueTokens(store, ljwt, client_id, scope) {
     const access = token(32);
     const refresh = token(32);
-    accessTokens.set(access, { ljwt, scope, expiresAt: now() + ACCESS_TTL });
-    refreshTokens.set(refresh, { ljwt, client_id, scope, expiresAt: now() + REFRESH_TTL });
+    await store.putAccess(access, { ljwt, scope, expiresAt: now() + ACCESS_TTL });
+    await store.putRefresh(refresh, { ljwt, client_id, scope, expiresAt: now() + REFRESH_TTL });
     return { access_token: access, token_type: "Bearer", expires_in: Math.floor(ACCESS_TTL / 1000), refresh_token: refresh, scope };
 }
-export function exchangeToken(p) {
-    sweep();
+export async function exchangeToken(p) {
+    const store = await getStore();
     if (p.grant_type === "authorization_code") {
-        if (!p.code || !codes.has(p.code)) {
+        const c = p.code ? await store.takeCode(p.code) : undefined; // one-time use
+        if (!c) {
             return { ok: false, status: 400, error: "invalid_grant", error_description: "Unknown or expired authorization code." };
         }
-        const c = codes.get(p.code);
-        codes.delete(p.code); // one-time use
         if (c.client_id !== p.client_id) {
             return { ok: false, status: 400, error: "invalid_grant", error_description: "client_id does not match the authorization code." };
         }
@@ -179,38 +345,30 @@ export function exchangeToken(p) {
         if (!p.code_verifier || !verifyPkce(p.code_verifier, c.code_challenge)) {
             return { ok: false, status: 400, error: "invalid_grant", error_description: "PKCE verification failed." };
         }
-        return { ok: true, body: issueTokens(c.ljwt, c.client_id, c.scope) };
+        return { ok: true, body: await issueTokens(store, c.ljwt, c.client_id, c.scope) };
     }
     if (p.grant_type === "refresh_token") {
-        if (!p.refresh_token || !refreshTokens.has(p.refresh_token)) {
+        const r = p.refresh_token ? await store.takeRefresh(p.refresh_token) : undefined; // rotate
+        if (!r) {
             return { ok: false, status: 400, error: "invalid_grant", error_description: "Unknown or expired refresh token." };
         }
-        const r = refreshTokens.get(p.refresh_token);
-        refreshTokens.delete(p.refresh_token); // rotate
-        return { ok: true, body: issueTokens(r.ljwt, r.client_id, r.scope) };
+        return { ok: true, body: await issueTokens(store, r.ljwt, r.client_id, r.scope) };
     }
     return { ok: false, status: 400, error: "unsupported_grant_type", error_description: "grant_type must be authorization_code or refresh_token." };
 }
 // ---- Resource-server side: resolve a Bearer access token to its ljwt -------
 /** Returns the user's ljwt for a valid, unexpired access token, else undefined. */
-export function resolveAccessToken(accessToken) {
+export async function resolveAccessToken(accessToken) {
     if (!accessToken)
         return undefined;
-    const a = accessTokens.get(accessToken);
-    if (!a)
-        return undefined;
-    if (a.expiresAt < now()) {
-        accessTokens.delete(accessToken);
-        return undefined;
-    }
-    return a.ljwt;
+    const a = await (await getStore()).getAccess(accessToken);
+    return a?.ljwt;
 }
 /** Revoke an access or refresh token (best-effort; for /revoke). */
-export function revokeToken(t) {
+export async function revokeToken(t) {
     if (!t)
         return;
-    accessTokens.delete(t);
-    refreshTokens.delete(t);
+    await (await getStore()).revoke(t);
 }
 // ---- Metadata documents (RFC 8414 / RFC 9728) -----------------------------
 /** /.well-known/oauth-authorization-server */

package/dist/changelog.json

@@ -1,4 +1,18 @@
 [
+  {
+    "v": "1.0.79",
+    "d": "15/06/2026",
+    "type": "Changed",
+    "en": "The Privacy Policy served at /privacy is updated with GDPR-style data-category headings, per-category purpose statements, documentation of…",
+    "vi": "Trang Privacy Policy tại /privacy được cập nhật với các tiêu đề phân loại dữ liệu theo chuẩn GDPR, ghi rõ mục đích xử lý từng loại dữ liệu, bổ sung…"
+  },
+  {
+    "v": "1.0.78",
+    "d": "15/06/2026",
+    "type": "Added",
+    "en": "The OAuth token store (clients, authorization codes, access and refresh tokens) now uses Postgres when DATABASE_URL, WEBCAKE_POSTGRES_URL, or…",
+    "vi": "Kho lưu trữ OAuth token (clients, authorization code, access và refresh token) nay sử dụng Postgres khi DATABASE_URL, WEBCAKE_POSTGRES_URL, hoặc…"
+  },
   {
     "v": "1.0.77",
     "d": "15/06/2026",
@@ -26,19 +40,5 @@
     "type": "Added",
     "en": "ingest_html and ingest_url now extract Tailwind gradient utilities (bg-gradient-to-*/from-*/via-*/to-*) from the page's class attributes, resolve…",
     "vi": "ingest_html và ingest_url nay trích xuất các utility gradient Tailwind (bg-gradient-to-*/from-*/via-*/to-*) từ các thuộc tính class của trang,…"
-  },
-  {
-    "v": "1.0.73",
-    "d": "13/06/2026",
-    "type": "Added",
-    "en": "ingest_html and ingest_url now extract the full design system from a tailwind.config script block when present (Google Stitch and other Tailwind-CDN…",
-    "vi": "ingest_html và ingest_url nay trích xuất toàn bộ design system từ block script tailwind.config khi có (trang Google Stitch và các trang Tailwind-CDN…"
-  },
-  {
-    "v": "1.0.72",
-    "d": "13/06/2026",
-    "type": "Fixed",
-    "en": "When cloning a LadiPage or Webcake-published page via ingest_html / ingest_url, html-box elements' passthrough HTML content now has its…",
-    "vi": "Khi clone trang LadiPage hoặc Webcake-published qua ingest_html / ingest_url, nội dung HTML passthrough của các phần tử html-box nay được đổi tên…"
   }
 ]

package/dist/http.js

@@ -189,7 +189,7 @@ async function handleOAuth(req, res, path) {
             return oauthError(res, 405, "invalid_request", "Use POST."), true;
         const raw = await readRawBody(req);
         const body = parseBodyParams(raw, String(req.headers["content-type"] ?? ""));
-        const result = registerClient(body);
+        const result = await registerClient(body);
         if (!result.ok)
             return oauthError(res, 400, result.error, result.error_description), true;
         res.writeHead(201, { "content-type": "application/json", "access-control-allow-origin": "*", "cache-control": "no-store" });
@@ -206,7 +206,7 @@ async function handleOAuth(req, res, path) {
     // ---- Authorize: validate + delegate to the SPA login, parking the request ----
     if (req.method === "GET" && path === OAUTH_AUTHORIZE) {
         const sp = new URL(req.url ?? "/", "http://x").searchParams;
-        const result = startAuthorize({
+        const result = await startAuthorize({
             client_id: sp.get("client_id"),
             redirect_uri: sp.get("redirect_uri"),
             response_type: sp.get("response_type"),
@@ -238,7 +238,7 @@ async function handleOAuth(req, res, path) {
     // ---- Login callback: the SPA handed back the user's ljwt → mint a code ----
     if (req.method === "GET" && path === OAUTH_CALLBACK) {
         const sp = new URL(req.url ?? "/", "http://x").searchParams;
-        const done = completeAuthorize(sp.get("state"), sp.get("token"));
+        const done = await completeAuthorize(sp.get("state"), sp.get("token"));
         if (!done.ok)
             return htmlError(res, 400, done.error_description), true;
         const r = new URL(done.redirectUri);
@@ -258,7 +258,7 @@ async function handleOAuth(req, res, path) {
             return oauthError(res, 405, "invalid_request", "Use POST."), true;
         const raw = await readRawBody(req);
         const body = parseBodyParams(raw, String(req.headers["content-type"] ?? ""));
-        const result = exchangeToken(body);
+        const result = await exchangeToken(body);
         if (!result.ok)
             return oauthError(res, result.status, result.error, result.error_description), true;
         res.writeHead(200, { "content-type": "application/json", "access-control-allow-origin": "*", "cache-control": "no-store" });
@@ -271,7 +271,7 @@ async function handleOAuth(req, res, path) {
             return oauthError(res, 405, "invalid_request", "Use POST."), true;
         const raw = await readRawBody(req);
         const body = parseBodyParams(raw, String(req.headers["content-type"] ?? ""));
-        revokeToken(body.token);
+        await revokeToken(body.token);
         res.writeHead(200, { "content-type": "application/json", "cache-control": "no-store" });
         res.end("{}");
         return true;
@@ -393,7 +393,7 @@ export async function startHttpServer(port) {
         // normal x-webcake-jwt header, so persistence/config.ts is unchanged. A legacy
         // raw JWT sent via x-webcake-jwt / ?jwt= still wins and passes straight through.
         const bearer = bearerFrom(req);
-        const oauthLjwt = resolveAccessToken(bearer);
+        const oauthLjwt = await resolveAccessToken(bearer);
         if (oauthLjwt && req.headers["x-webcake-jwt"] == null) {
             req.headers["x-webcake-jwt"] = oauthLjwt;
             req.rawHeaders.push("x-webcake-jwt", oauthLjwt);

package/dist/legal.js

@@ -36,38 +36,52 @@ export function privacyHtml() {
 <div class="meta">Last updated: ${LAST_UPDATED}</div>
 <p>Webcake Landing MCP ("the connector") is a Model Context Protocol server that lets an AI assistant
 build and edit landing pages in your <a href="https://webcake.io">Webcake</a> account. This policy explains
-what data the connector handles and how.</p>
+what categories of data the connector handles, why, who receives it, and how long it is kept.</p>
 
-<h2>What we access</h2>
+<h2>Categories of personal data we access</h2>
 <ul>
   <li><strong>Your Webcake identity &amp; access token.</strong> When you connect, you log in to Webcake and the
-  connector receives a per-user access token mapped to your Webcake landing-page credential. It is used solely
+  connector receives a per-user access token mapped to your Webcake landing-page credential. <em>Purpose:</em> solely
   to call the Webcake backend on your behalf (create, read, update, publish pages, list your organizations).</li>
   <li><strong>Page content you ask the assistant to build or edit.</strong> The page-source JSON (text, images,
-  layout) flows through the connector to your Webcake account.</li>
+  layout) flows through the connector to your Webcake account. <em>Purpose:</em> to assemble and save the page you request.</li>
   <li><strong>Images.</strong> External image URLs in a page are re-hosted to the Webcake CDN on save. Optional
-  stock-photo search is served via the Pexels API.</li>
+  stock-photo search uses the Pexels API and icon lookup uses the Iconify API. <em>Purpose:</em> to supply the
+  visuals for your page.</li>
 </ul>
 
-<h2>What we store</h2>
+<h2>What we store and for how long</h2>
 <ul>
-  <li><strong>OAuth tokens are kept in memory only</strong>, for the lifetime of the running server, and expire
-  automatically (access tokens ~1 hour, refresh tokens ~30 days). They are never written to disk by the
-  connector and are removed on logout/revoke or when they expire.</li>
-  <li>The connector does <strong>not</strong> run an analytics database, does not sell data, and does not share
-  your data with third parties beyond the services required to perform your request (below).</li>
+  <li><strong>OAuth tokens.</strong> Stored in the connector's database (PostgreSQL) when the server is configured
+  with one — so a logged-in session survives a server restart and works across instances — otherwise only in
+  process memory. Either way they <strong>expire automatically</strong> (access tokens ~1 hour, refresh tokens
+  ~30 days) and are removed on logout/revoke or expiry.</li>
+  <li><strong>Transient draft cache.</strong> If a page fails validation while being created, its draft page-source
+  is cached briefly (about 2 hours, in Redis or memory) so you can fix and retry without re-sending everything.
+  It is removed on success or expiry.</li>
+  <li>The connector does <strong>not</strong> run an analytics database, does <strong>not</strong> sell data, and
+  does <strong>not</strong> perform tracking, behavioral profiling, or advertising.</li>
 </ul>
 
-<h2>Third-party services</h2>
+<h2>Categories of recipients (third-party services)</h2>
+<p>Your data is shared only with the services required to perform your request:</p>
 <ul>
-  <li><strong>Webcake</strong> (api.webcake.io) — stores and serves your pages; governed by Webcake's own terms.</li>
+  <li><strong>Webcake</strong> (api.webcake.io, the Webcake CDN, and the publish/build host) — stores, renders,
+  and serves your pages; governed by Webcake's own terms.</li>
   <li><strong>Pexels</strong> (pexels.com) — stock-photo search, only when you request images.</li>
+  <li><strong>Iconify</strong> (iconify.design) — resolves icon names to SVG, only when a page uses icons.</li>
 </ul>
 
+<h2>Data we do NOT collect</h2>
+<p>The connector never asks for or stores payment-card data, health data, government identifiers, or
+authentication secrets (passwords, API keys, MFA/OTP codes) as tool inputs. It operates only on the page
+content you explicitly ask the assistant to build — it does <strong>not</strong> read, reconstruct, or infer
+your full conversation or chat history.</p>
+
 <h2>Data retention &amp; deletion</h2>
-<p>Tokens expire automatically as described above; you can revoke access at any time by disconnecting the
-connector in Claude/ChatGPT settings, or by logging out of Webcake. Pages you create live in your Webcake
-account and are managed there. To request deletion of anything else, contact us below.</p>
+<p>Tokens and the draft cache expire automatically as described above; you can revoke access at any time by
+disconnecting the connector in Claude/ChatGPT settings, or by logging out of Webcake. Pages you create live in
+your Webcake account and are managed there. To request deletion of anything else, contact us below.</p>
 
 <h2>Security</h2>
 <p>All traffic uses HTTPS. Authentication follows OAuth 2.1 with PKCE; the connector validates a short-lived