npm - webcake-storefront-mcp - Versions diffs - 1.0.3 → 1.1.0 - Mend

webcake-storefront-mcp 1.0.3 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/auth/oauth-server.js +236 -0
package/dist/http.js +289 -10
package/dist/legal.js +127 -0
package/dist/web-guide.js +370 -0
package/package.json +1 -1

package/dist/auth/oauth-server.js ADDED Viewed

@@ -0,0 +1,236 @@
+/**
+ * A THIN OAuth 2.1 Authorization Server, embedded in the MCP server itself.
+ *
+ * Ported from webcake-landing-mcp with one key adaptation: the credential is a
+ * PAIR (jwt + wsid) instead of a single `ljwt`. The consent page is the
+ * storefront's /mcp-storefront (not /mcp-connect), and the /oauth/callback
+ * receives both `token` (jwt) and `wsid` from the SPA. Both are stored against
+ * the authorization code and carried through to the access token so the HTTP
+ * layer can inject BOTH x-webcake-jwt AND x-webcake-session-id headers.
+ *
+ * Store: in-memory only (no Postgres dependency in the storefront MCP). For a
+ * multi-instance deploy, replace with a shared store behind the same interface.
+ */
+import { randomBytes, createHash } from "node:crypto";
+// ---- TTLs ------------------------------------------------------------------
+const TEN_MIN = 10 * 60 * 1000;
+const ACCESS_TTL = Number(process.env.WEBCAKE_OAUTH_ACCESS_TTL_MS) || 60 * 60 * 1000; // 1h
+const REFRESH_TTL = Number(process.env.WEBCAKE_OAUTH_REFRESH_TTL_MS) || 30 * 24 * 60 * 60 * 1000; // 30d
+const CODE_TTL = TEN_MIN;
+const PENDING_TTL = TEN_MIN;
+function now() {
+    return Date.now();
+}
+function token(bytes = 32) {
+    return randomBytes(bytes).toString("base64url");
+}
+// ---- In-memory store -------------------------------------------------------
+class MemoryStore {
+    clients = new Map();
+    pending = new Map();
+    codes = new Map();
+    access = new Map();
+    refresh = new Map();
+    sweep() {
+        const t = now();
+        for (const [k, v] of this.pending)
+            if (v.expiresAt < t)
+                this.pending.delete(k);
+        for (const [k, v] of this.codes)
+            if (v.expiresAt < t)
+                this.codes.delete(k);
+        for (const [k, v] of this.access)
+            if (v.expiresAt < t)
+                this.access.delete(k);
+        for (const [k, v] of this.refresh)
+            if (v.expiresAt < t)
+                this.refresh.delete(k);
+    }
+    putClient(c) { this.clients.set(c.client_id, c); }
+    getClient(id) { return this.clients.get(id); }
+    putPending(state, p) { this.sweep(); this.pending.set(state, p); }
+    takePending(state) {
+        this.sweep();
+        const p = this.pending.get(state);
+        this.pending.delete(state);
+        return p && p.expiresAt >= now() ? p : undefined;
+    }
+    putCode(code, c) { this.codes.set(code, c); }
+    takeCode(code) {
+        this.sweep();
+        const c = this.codes.get(code);
+        this.codes.delete(code);
+        return c && c.expiresAt >= now() ? c : undefined;
+    }
+    putAccess(t, a) { this.access.set(t, a); }
+    getAccess(t) {
+        const a = this.access.get(t);
+        if (a && a.expiresAt < now()) {
+            this.access.delete(t);
+            return undefined;
+        }
+        return a;
+    }
+    putRefresh(t, r) { this.refresh.set(t, r); }
+    takeRefresh(t) {
+        this.sweep();
+        const r = this.refresh.get(t);
+        this.refresh.delete(t);
+        return r && r.expiresAt >= now() ? r : undefined;
+    }
+    revoke(t) { this.access.delete(t); this.refresh.delete(t); }
+}
+const store = new MemoryStore();
+// ---- PKCE ------------------------------------------------------------------
+export function s256(verifier) {
+    return createHash("sha256").update(verifier).digest("base64url");
+}
+export function verifyPkce(verifier, challenge) {
+    if (!verifier || !challenge)
+        return false;
+    const a = s256(verifier);
+    if (a.length !== challenge.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++)
+        diff |= a.charCodeAt(i) ^ challenge.charCodeAt(i);
+    return diff === 0;
+}
+export function registerClient(body) {
+    const uris = Array.isArray(body?.redirect_uris)
+        ? body.redirect_uris.filter((u) => typeof u === "string" && /^https?:\/\//i.test(u))
+        : [];
+    if (uris.length === 0) {
+        return { ok: false, error: "invalid_redirect_uri", error_description: "redirect_uris must contain at least one absolute http(s) URI." };
+    }
+    const client = {
+        client_id: token(16),
+        client_name: typeof body?.client_name === "string" ? body.client_name : undefined,
+        redirect_uris: uris,
+        created_at: now(),
+    };
+    store.putClient(client);
+    return { ok: true, client };
+}
+export function getClient(clientId) {
+    if (!clientId)
+        return undefined;
+    return store.getClient(clientId);
+}
+export function startAuthorize(p) {
+    const client = p.client_id ? store.getClient(p.client_id) : undefined;
+    if (!client) {
+        return { ok: false, error: "invalid_client", error_description: "Unknown client_id. Register first via /register.", redirectable: false };
+    }
+    if (!p.redirect_uri || !client.redirect_uris.includes(p.redirect_uri)) {
+        return { ok: false, error: "invalid_request", error_description: "redirect_uri does not match a registered URI.", redirectable: false };
+    }
+    if (p.response_type !== "code") {
+        return { ok: false, error: "unsupported_response_type", error_description: "Only response_type=code is supported.", redirectable: true };
+    }
+    if (!p.code_challenge || (p.code_challenge_method ?? "").toUpperCase() !== "S256") {
+        return { ok: false, error: "invalid_request", error_description: "PKCE with code_challenge_method=S256 is required.", redirectable: true };
+    }
+    const internalState = token(24);
+    store.putPending(internalState, {
+        client_id: client.client_id,
+        redirect_uri: p.redirect_uri,
+        code_challenge: p.code_challenge,
+        state: p.state ?? undefined,
+        scope: p.scope ?? undefined,
+        expiresAt: now() + PENDING_TTL,
+    });
+    return { ok: true, internalState };
+}
+/**
+ * The consent page (/mcp-storefront) bounced back with the user's jwt + wsid and our
+ * internalState. Mint a one-time authorization code bound to that credential pair.
+ */
+export function completeAuthorize(internalState, jwt, wsid) {
+    const p = internalState ? store.takePending(internalState) : undefined;
+    if (!p) {
+        return { ok: false, error: "invalid_request", error_description: "Authorization session expired or unknown — restart the connection." };
+    }
+    if (!jwt) {
+        return { ok: false, error: "access_denied", error_description: "No WebCake token returned from login." };
+    }
+    const code = token(32);
+    store.putCode(code, {
+        client_id: p.client_id,
+        redirect_uri: p.redirect_uri,
+        code_challenge: p.code_challenge,
+        scope: p.scope,
+        cred: { jwt, wsid: wsid ?? "" },
+        expiresAt: now() + CODE_TTL,
+    });
+    return { ok: true, redirectUri: p.redirect_uri, code, state: p.state };
+}
+function issueTokens(cred, client_id, scope) {
+    const access = token(32);
+    const refresh = token(32);
+    store.putAccess(access, { cred, scope, expiresAt: now() + ACCESS_TTL });
+    store.putRefresh(refresh, { cred, client_id, scope, expiresAt: now() + REFRESH_TTL });
+    return { access_token: access, token_type: "Bearer", expires_in: Math.floor(ACCESS_TTL / 1000), refresh_token: refresh, scope };
+}
+export function exchangeToken(p) {
+    if (p.grant_type === "authorization_code") {
+        const c = p.code ? store.takeCode(p.code) : undefined;
+        if (!c) {
+            return { ok: false, status: 400, error: "invalid_grant", error_description: "Unknown or expired authorization code." };
+        }
+        if (c.client_id !== p.client_id) {
+            return { ok: false, status: 400, error: "invalid_grant", error_description: "client_id does not match the authorization code." };
+        }
+        if (c.redirect_uri !== p.redirect_uri) {
+            return { ok: false, status: 400, error: "invalid_grant", error_description: "redirect_uri does not match the authorization request." };
+        }
+        if (!p.code_verifier || !verifyPkce(p.code_verifier, c.code_challenge)) {
+            return { ok: false, status: 400, error: "invalid_grant", error_description: "PKCE verification failed." };
+        }
+        return { ok: true, body: issueTokens(c.cred, c.client_id, c.scope) };
+    }
+    if (p.grant_type === "refresh_token") {
+        const r = p.refresh_token ? store.takeRefresh(p.refresh_token) : undefined;
+        if (!r) {
+            return { ok: false, status: 400, error: "invalid_grant", error_description: "Unknown or expired refresh token." };
+        }
+        return { ok: true, body: issueTokens(r.cred, r.client_id, r.scope) };
+    }
+    return { ok: false, status: 400, error: "unsupported_grant_type", error_description: "grant_type must be authorization_code or refresh_token." };
+}
+// ---- Resource-server side: resolve a Bearer access token to the cred pair --
+/** Returns the { jwt, wsid } for a valid, unexpired access token, else undefined. */
+export function resolveAccessToken(accessToken) {
+    if (!accessToken)
+        return undefined;
+    return store.getAccess(accessToken)?.cred;
+}
+/** Revoke an access or refresh token (best-effort; for /revoke). */
+export function revokeToken(t) {
+    if (!t)
+        return;
+    store.revoke(t);
+}
+// ---- Metadata documents (RFC 8414 / RFC 9728) ------------------------------
+export function authServerMetadata(issuer) {
+    return {
+        issuer,
+        authorization_endpoint: `${issuer}/authorize`,
+        token_endpoint: `${issuer}/token`,
+        registration_endpoint: `${issuer}/register`,
+        revocation_endpoint: `${issuer}/revoke`,
+        response_types_supported: ["code"],
+        grant_types_supported: ["authorization_code", "refresh_token"],
+        code_challenge_methods_supported: ["S256"],
+        token_endpoint_auth_methods_supported: ["none"],
+        scopes_supported: ["storefront:read", "storefront:write"],
+    };
+}
+export function protectedResourceMetadata(resource, issuer) {
+    return {
+        resource,
+        authorization_servers: [issuer],
+        scopes_supported: ["storefront:read", "storefront:write"],
+        bearer_methods_supported: ["header"],
+    };
+}

package/dist/http.js CHANGED Viewed

@@ -1,13 +1,34 @@
 // Remote MCP over Streamable-HTTP. Each client session carries its own credentials,
 // supplied per-request via headers (x-webcake-jwt / x-webcake-site-id / x-webcake-api-url)
 // or query params (?jwt=&site_id=&api_url=) for clients that can't set custom headers.
+//
+// Also serves: a marketing landing page at /, /privacy, /terms, /favicon.ico,
+// /favicon.svg, /health, and a full OAuth 2.1 flow so the claude.ai connector can
+// authenticate. See src/auth/oauth-server.ts for the OAuth AS implementation.
 import { createServer as createHttpServer } from "node:http";
 import { randomUUID } from "node:crypto";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
 import { createServer } from "./server.js";
-import { makeApi } from "./config.js";
+import { makeApi, resolveEnv, ENVIRONMENTS, DEFAULT_ENV } from "./config.js";
+import { landingHtml, faviconSvg } from "./web-guide.js";
+import { privacyHtml, termsHtml } from "./legal.js";
+import { registerClient, startAuthorize, completeAuthorize, exchangeToken, resolveAccessToken, revokeToken, authServerMetadata, protectedResourceMetadata, } from "./auth/oauth-server.js";
 const MCP_PATH = "/mcp";
+// OAuth 2.1 endpoints.
+const WELL_KNOWN_PR = "/.well-known/oauth-protected-resource";
+const WELL_KNOWN_AS = "/.well-known/oauth-authorization-server";
+const OAUTH_REGISTER = "/register";
+const OAUTH_AUTHORIZE = "/authorize";
+const OAUTH_CALLBACK = "/oauth/callback";
+const OAUTH_TOKEN = "/token";
+const OAUTH_REVOKE = "/revoke";
+// OAuth enforcement is ON by default: a request with NO credential gets a
+// 401 + WWW-Authenticate so Claude/ChatGPT kick off the OAuth flow.
+// Opt out with WEBCAKE_OAUTH=0 (or false/no/off).
+const OAUTH_ENFORCED = !/^(0|false|no|off)$/i.test(process.env.WEBCAKE_OAUTH ?? "");
+// Social/search crawlers fetch the root with Accept: */* but should still get HTML.
+const BOT_UA = /facebookexternalhit|facebot|twitterbot|linkedinbot|slackbot|slack-imgproxy|telegrambot|whatsapp|discordbot|pinterest|redditbot|googlebot|bingbot|applebot|yandexbot|baiduspider|embedly|quora link preview|outbrain|vkshare|w3c_validator|skypeuripreview|zalo/i;
 const QUERY_TO_HEADER = {
     jwt: "x-webcake-jwt",
     token: "x-webcake-jwt",
@@ -28,8 +49,10 @@ function applyQueryAuth(req) {
     const params = new URLSearchParams((req.url ?? "").slice(q + 1));
     for (const [param, head] of Object.entries(QUERY_TO_HEADER)) {
         const value = params.get(param);
-        if (value && req.headers[head] == null)
+        if (value && req.headers[head] == null) {
             req.headers[head] = value;
+            req.rawHeaders.push(head, value);
+        }
     }
 }
 function apiFromRequest(req) {
@@ -59,23 +82,278 @@ function readBody(req) {
         req.on("error", reject);
     });
 }
-function rpcError(res, status, message) {
+async function readRawBody(req) {
+    const chunks = [];
+    for await (const c of req)
+        chunks.push(c);
+    return Buffer.concat(chunks).toString("utf8").trim();
+}
+function parseBodyParams(raw, contentType) {
+    if (!raw)
+        return {};
+    if (contentType.includes("application/json")) {
+        try {
+            const o = JSON.parse(raw);
+            return o && typeof o === "object" ? o : {};
+        }
+        catch {
+            return {};
+        }
+    }
+    const out = {};
+    for (const [k, v] of new URLSearchParams(raw))
+        out[k] = v;
+    return out;
+}
+function sendJson(res, status, body) {
     res.writeHead(status, { "content-type": "application/json" });
-    res.end(JSON.stringify({ jsonrpc: "2.0", error: { code: -32000, message }, id: null }));
+    res.end(JSON.stringify(body));
+}
+function rpcError(res, status, message) {
+    sendJson(res, status, { jsonrpc: "2.0", error: { code: -32000, message }, id: null });
+}
+function oauthError(res, status, error, description) {
+    res.writeHead(status, { "content-type": "application/json", "cache-control": "no-store" });
+    res.end(JSON.stringify({ error, error_description: description }));
+}
+function htmlError(res, status, message) {
+    res.writeHead(status, { "content-type": "text/html; charset=utf-8" });
+    res.end(`<!doctype html><meta charset="utf-8"><body style="font-family:system-ui;padding:40px;max-width:520px;margin:auto"><h2>WebCake Storefront MCP</h2><p>${message}</p></body>`);
+}
+/** The public origin of this server, honouring reverse-proxy headers. */
+function publicBase(req) {
+    const fwdHost = req.headers["x-forwarded-host"];
+    const host = (Array.isArray(fwdHost) ? fwdHost[0] : fwdHost) || req.headers.host || "localhost";
+    const fwdProto = req.headers["x-forwarded-proto"];
+    const isLocal = /^(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$/i.test(host);
+    const proto = (Array.isArray(fwdProto) ? fwdProto[0] : fwdProto)?.split(",")[0] || (isLocal ? "http" : "https");
+    return `${proto}://${host}`;
+}
+/** The storefront consent page URL — /mcp-storefront on the builder app. */
+function storefrontConsentUrl() {
+    const preset = resolveEnv(process.env.WEBCAKE_ENV) ?? ENVIRONMENTS[DEFAULT_ENV];
+    const appUrl = (process.env.WEBCAKE_APP_URL || preset.appUrl).replace(/\/$/, "");
+    return `${appUrl}/mcp-storefront`;
+}
+/** Extract the Bearer token from the Authorization header, if any. */
+function bearerFrom(req) {
+    const auth = req.headers["authorization"];
+    const v = Array.isArray(auth) ? auth[0] : auth;
+    if (!v || !/^Bearer\s+/i.test(v))
+        return undefined;
+    return v.replace(/^Bearer\s+/i, "").trim() || undefined;
+}
+/**
+ * Handle every OAuth 2.1 endpoint. Returns true when the request was handled.
+ *
+ * KEY ADAPTATION vs. landing-mcp: the credential is a PAIR { jwt, wsid }.
+ * The /oauth/callback receives both `token` (jwt) and `wsid` from the consent
+ * page redirect_uri. Both are stored and later injected as x-webcake-jwt AND
+ * x-webcake-session-id headers onto /mcp requests.
+ */
+async function handleOAuth(req, res, path) {
+    const issuer = publicBase(req);
+    // ---- Metadata ----
+    if (req.method === "GET" && path === WELL_KNOWN_PR) {
+        res.writeHead(200, { "content-type": "application/json", "access-control-allow-origin": "*" });
+        res.end(JSON.stringify(protectedResourceMetadata(`${issuer}${MCP_PATH}`, issuer)));
+        return true;
+    }
+    if (req.method === "GET" && path === WELL_KNOWN_AS) {
+        res.writeHead(200, { "content-type": "application/json", "access-control-allow-origin": "*" });
+        res.end(JSON.stringify(authServerMetadata(issuer)));
+        return true;
+    }
+    // ---- Dynamic Client Registration ----
+    if (path === OAUTH_REGISTER) {
+        if (req.method === "OPTIONS") {
+            res.writeHead(204, { "access-control-allow-origin": "*", "access-control-allow-headers": "*", "access-control-allow-methods": "POST,OPTIONS" });
+            res.end();
+            return true;
+        }
+        if (req.method !== "POST") {
+            oauthError(res, 405, "invalid_request", "Use POST.");
+            return true;
+        }
+        const raw = await readRawBody(req);
+        const body = parseBodyParams(raw, String(req.headers["content-type"] ?? ""));
+        const result = registerClient(body);
+        if (!result.ok) {
+            oauthError(res, 400, result.error, result.error_description);
+            return true;
+        }
+        res.writeHead(201, { "content-type": "application/json", "access-control-allow-origin": "*", "cache-control": "no-store" });
+        res.end(JSON.stringify({
+            client_id: result.client.client_id,
+            client_id_issued_at: Math.floor(result.client.created_at / 1000),
+            redirect_uris: result.client.redirect_uris,
+            token_endpoint_auth_method: "none",
+            grant_types: ["authorization_code", "refresh_token"],
+            response_types: ["code"],
+        }));
+        return true;
+    }
+    // ---- Authorize: validate + redirect to storefront consent page ----
+    if (req.method === "GET" && path === OAUTH_AUTHORIZE) {
+        const sp = new URL(req.url ?? "/", "http://x").searchParams;
+        const result = startAuthorize({
+            client_id: sp.get("client_id"),
+            redirect_uri: sp.get("redirect_uri"),
+            response_type: sp.get("response_type"),
+            code_challenge: sp.get("code_challenge"),
+            code_challenge_method: sp.get("code_challenge_method"),
+            state: sp.get("state"),
+            scope: sp.get("scope"),
+        });
+        if (!result.ok) {
+            if (result.redirectable) {
+                const r = new URL(sp.get("redirect_uri"));
+                r.searchParams.set("error", result.error);
+                r.searchParams.set("error_description", result.error_description);
+                const st = sp.get("state");
+                if (st)
+                    r.searchParams.set("state", st);
+                res.writeHead(302, { location: r.toString() });
+                res.end();
+                return true;
+            }
+            htmlError(res, 400, result.error_description);
+            return true;
+        }
+        // Build the consent URL: /mcp-storefront?redirect_uri=<callback>&state=<internalState>
+        // The SPA will redirect back to callback with ?token=<jwt>&wsid=<wsid>&state=<internalState>
+        const callback = `${issuer}${OAUTH_CALLBACK}`;
+        const consentBase = storefrontConsentUrl();
+        const loginUrl = `${consentBase}?redirect_uri=${encodeURIComponent(callback)}&state=${encodeURIComponent(result.internalState)}`;
+        res.writeHead(302, { location: loginUrl });
+        res.end();
+        return true;
+    }
+    // ---- Callback: SPA sent back token (jwt) + wsid + state ----
+    if (req.method === "GET" && path === OAUTH_CALLBACK) {
+        const sp = new URL(req.url ?? "/", "http://x").searchParams;
+        // Accept both 'token' and 'jwt' from the SPA (login.ts uses both aliases).
+        const jwt = sp.get("token") || sp.get("jwt");
+        const wsid = sp.get("wsid") || sp.get("session_id") || "";
+        const done = completeAuthorize(sp.get("state"), jwt, wsid);
+        if (!done.ok) {
+            htmlError(res, 400, done.error_description);
+            return true;
+        }
+        const r = new URL(done.redirectUri);
+        r.searchParams.set("code", done.code);
+        if (done.state)
+            r.searchParams.set("state", done.state);
+        res.writeHead(302, { location: r.toString() });
+        res.end();
+        return true;
+    }
+    // ---- Token ----
+    if (path === OAUTH_TOKEN) {
+        if (req.method === "OPTIONS") {
+            res.writeHead(204, { "access-control-allow-origin": "*", "access-control-allow-headers": "*", "access-control-allow-methods": "POST,OPTIONS" });
+            res.end();
+            return true;
+        }
+        if (req.method !== "POST") {
+            oauthError(res, 405, "invalid_request", "Use POST.");
+            return true;
+        }
+        const raw = await readRawBody(req);
+        const body = parseBodyParams(raw, String(req.headers["content-type"] ?? ""));
+        const result = exchangeToken(body);
+        if (!result.ok) {
+            oauthError(res, result.status, result.error, result.error_description);
+            return true;
+        }
+        res.writeHead(200, { "content-type": "application/json", "access-control-allow-origin": "*", "cache-control": "no-store" });
+        res.end(JSON.stringify(result.body));
+        return true;
+    }
+    // ---- Revoke ----
+    if (path === OAUTH_REVOKE) {
+        if (req.method !== "POST") {
+            oauthError(res, 405, "invalid_request", "Use POST.");
+            return true;
+        }
+        const raw = await readRawBody(req);
+        const body = parseBodyParams(raw, String(req.headers["content-type"] ?? ""));
+        revokeToken(body.token);
+        res.writeHead(200, { "content-type": "application/json", "cache-control": "no-store" });
+        res.end("{}");
+        return true;
+    }
+    return false;
 }
 export async function startHttpServer(port) {
     const transports = new Map();
     const httpServer = createHttpServer(async (req, res) => {
         const path = (req.url ?? "").split("?")[0];
-        if (path === "/health") {
-            res.writeHead(200, { "content-type": "application/json" });
-            res.end(JSON.stringify({ ok: true }));
+        // ---- Favicon / brand icon ----
+        if (req.method === "GET" && (path === "/favicon.ico" || path === "/favicon.svg")) {
+            res.writeHead(200, { "content-type": "image/svg+xml", "cache-control": "public, max-age=86400" });
+            res.end(faviconSvg());
+            return;
+        }
+        // ---- Legal pages ----
+        if (req.method === "GET" && (path === "/privacy" || path === "/privacy-policy")) {
+            res.writeHead(200, { "content-type": "text/html; charset=utf-8", "cache-control": "public, max-age=3600" });
+            res.end(privacyHtml());
             return;
         }
+        if (req.method === "GET" && (path === "/terms" || path === "/tos")) {
+            res.writeHead(200, { "content-type": "text/html; charset=utf-8", "cache-control": "public, max-age=3600" });
+            res.end(termsHtml());
+            return;
+        }
+        // ---- Health + landing page ----
+        if (req.method === "GET" && (path === "/" || path === "/health")) {
+            if (path === "/") {
+                const accept = String(req.headers["accept"] ?? "");
+                const ua = String(req.headers["user-agent"] ?? "");
+                if (accept.includes("text/html") || BOT_UA.test(ua)) {
+                    res.writeHead(200, { "content-type": "text/html; charset=utf-8" });
+                    res.end(landingHtml(publicBase(req)));
+                    return;
+                }
+            }
+            sendJson(res, 200, { ok: true, server: "webcake-storefront", transport: "streamable-http", endpoint: MCP_PATH });
+            return;
+        }
+        // ---- OAuth 2.1 endpoints (always served) ----
+        if (await handleOAuth(req, res, path))
+            return;
+        // ---- 404 for anything other than /mcp ----
         if (path !== MCP_PATH) {
-            return rpcError(res, 404, `Not found. Send MCP requests to ${MCP_PATH}.`);
+            rpcError(res, 404, `Not found. Send MCP requests to ${MCP_PATH}.`);
+            return;
         }
+        // ---- /mcp handling ----
+        // Accept credentials via query params for clients that can't set headers.
         applyQueryAuth(req);
+        // Resolve an OAuth Bearer access token to { jwt, wsid } and inject both headers
+        // so apiFromRequest picks them up — existing header/query paths remain untouched.
+        const bearer = bearerFrom(req);
+        const oauthCred = resolveAccessToken(bearer);
+        if (oauthCred) {
+            if (req.headers["x-webcake-jwt"] == null) {
+                req.headers["x-webcake-jwt"] = oauthCred.jwt;
+                req.rawHeaders.push("x-webcake-jwt", oauthCred.jwt);
+            }
+            if (oauthCred.wsid && req.headers["x-webcake-session-id"] == null) {
+                req.headers["x-webcake-session-id"] = oauthCred.wsid;
+                req.rawHeaders.push("x-webcake-session-id", oauthCred.wsid);
+            }
+        }
+        // Enforce OAuth when enabled: a request with no recognised credential gets 401.
+        if (OAUTH_ENFORCED && !oauthCred && req.headers["x-webcake-jwt"] == null) {
+            res.writeHead(401, {
+                "www-authenticate": `Bearer resource_metadata="${publicBase(req)}${WELL_KNOWN_PR}"`,
+                "content-type": "application/json",
+            });
+            res.end(JSON.stringify({ error: "invalid_token", error_description: "Authentication required — connect via OAuth." }));
+            return;
+        }
         const sidHeader = header(req, "mcp-session-id");
         try {
             // Reuse an existing session.
@@ -105,9 +383,10 @@ export async function startHttpServer(port) {
                     await transport.handleRequest(req, res, body);
                     return;
                 }
-                return rpcError(res, 400, "Bad Request: send an initialize request first (no valid mcp-session-id).");
+                rpcError(res, 400, "Bad Request: send an initialize request first (no valid mcp-session-id).");
+                return;
             }
-            return rpcError(res, 400, "Bad Request: missing or unknown mcp-session-id.");
+            rpcError(res, 400, "Bad Request: missing or unknown mcp-session-id.");
         }
         catch (e) {
             const msg = e instanceof Error ? e.message : String(e);

package/dist/legal.js ADDED Viewed

@@ -0,0 +1,127 @@
+/**
+ * Privacy Policy + Terms of Service pages for the WebCake Storefront MCP connector.
+ *
+ * Hosted at /privacy (also /privacy-policy) and /terms (also /tos) so the
+ * Claude Connectors Directory submission can point at stable, self-hosted URLs.
+ * Plain self-contained HTML — no external deps, served by http.ts.
+ */
+const CONTACT_EMAIL = process.env.WEBCAKE_SUPPORT_EMAIL || "vuluu040320@gmail.com";
+const LAST_UPDATED = "2026-06-23";
+function page(title, bodyHtml) {
+    return `<!doctype html><html lang="en"><head><meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1"><title>${title} — WebCake Storefront MCP</title>
+<style>
+  :root{color-scheme:light dark}
+  body{margin:0;font-family:system-ui,-apple-system,"Segoe UI",Roboto,sans-serif;line-height:1.65;color:#1e293b;background:#f8fafc}
+  @media(prefers-color-scheme:dark){body{color:#e2e8f0;background:#0f172a}}
+  main{max-width:760px;margin:0 auto;padding:48px 24px 80px}
+  h1{font-size:1.9rem;margin:0 0 4px}
+  h2{font-size:1.2rem;margin:32px 0 8px}
+  .meta{color:#64748b;font-size:.9rem;margin-bottom:28px}
+  a{color:#108B67}
+  code{font-family:ui-monospace,SFMono-Regular,Menlo,monospace;background:rgba(127,127,127,.15);padding:1px 5px;border-radius:4px}
+  ul{padding-left:22px}
+  footer{margin-top:48px;padding-top:20px;border-top:1px solid rgba(127,127,127,.25);color:#64748b;font-size:.85rem}
+</style></head>
+<body><main>${bodyHtml}
+<footer>WebCake Storefront MCP &middot; <a href="https://webcake.io">webcake.io</a> &middot; <a href="https://github.com/vuluu2k/webcake-storefront-mcp">source</a> &middot; Contact: <a href="mailto:${CONTACT_EMAIL}">${CONTACT_EMAIL}</a></footer>
+</main></body></html>`;
+}
+export function privacyHtml() {
+    return page("Privacy Policy", `<h1>Privacy Policy</h1>
+<div class="meta">Last updated: ${LAST_UPDATED}</div>
+<p>WebCake Storefront MCP ("the connector") is a Model Context Protocol server that lets an AI assistant
+build and manage storefront pages, products, articles, and orders in your
+<a href="https://webcake.io">WebCake / StoreCake</a> account. This policy explains what data the connector
+handles, why, who receives it, and how long it is kept.</p>
+<h2>Categories of personal data we access</h2>
+<ul>
+  <li><strong>Your WebCake identity, JWT, and session ID.</strong> When you connect via OAuth, you log in to
+  WebCake through the browser and the connector receives your bearer JWT and workspace session ID (<code>wsid</code>).
+  These are used <em>solely</em> to call the WebCake / StoreCake backend API on your behalf. They are never
+  shared with the AI assistant or any third party.</li>
+  <li><strong>Storefront content you ask the assistant to create or edit.</strong> Page source, product details,
+  article text, customer look-ups, and order data flow through the connector to your WebCake account.
+  <em>Purpose:</em> to carry out the actions you request.</li>
+  <li><strong>Images.</strong> When you ask the assistant to resize or process images, they are handled transiently
+  in memory and forwarded to the WebCake CDN. No image is retained on the connector after the request completes.</li>
+</ul>
+<h2>What we store and for how long</h2>
+<ul>
+  <li><strong>OAuth tokens (in-process memory only).</strong> The connector holds your JWT and session ID in an
+  in-memory token store <strong>only for the lifetime of the server process</strong>. There is no database;
+  tokens are never written to disk by the connector. Access tokens expire automatically after ~1 hour, refresh
+  tokens after ~30 days. A server restart clears all tokens.</li>
+  <li><strong>Local CLI config (stdio mode).</strong> When you run <code>npx webcake-storefront-mcp login</code>,
+  your token and session ID are saved to a local SQLite file on <em>your own machine</em> (at
+  <code>~/.webcake-storefront-mcp.db</code> or similar). This file stays on your device and is not transmitted
+  anywhere by the connector.</li>
+  <li>The connector does <strong>not</strong> run an analytics database, does <strong>not</strong> sell or share
+  data, and does <strong>not</strong> perform tracking or behavioral profiling.</li>
+</ul>
+<h2>Categories of recipients</h2>
+<p>Your data is shared only with the services required to fulfil your request:</p>
+<ul>
+  <li><strong>WebCake / StoreCake API</strong> (<code>api.storefront.webcake.io</code>) — stores and serves
+  your storefront pages, products, and orders; governed by WebCake's own terms.</li>
+  <li><strong>WebCake CDN</strong> — hosts images and published page assets that you explicitly create or upload.</li>
+</ul>
+<h2>Data we do NOT collect</h2>
+<p>The connector never asks for or stores payment-card data, passwords, health data, government identifiers,
+or MFA/OTP codes. It operates only on the storefront content you explicitly instruct the assistant to
+create — it does <strong>not</strong> read, reconstruct, or infer your conversation history.</p>
+<h2>Data retention &amp; deletion</h2>
+<p>OAuth tokens expire automatically or are cleared on server restart. You can revoke access at any time by
+disconnecting the connector in Claude / ChatGPT settings, or by running <code>npx webcake-storefront-mcp logout</code>.
+Storefront content you create lives in your WebCake account and is managed there. To request deletion of
+anything else, contact us below.</p>
+<h2>Security</h2>
+<p>All traffic uses HTTPS. The connector implements OAuth 2.1 with PKCE; your raw WebCake token is never
+exposed to the AI assistant — only resolved server-side per request via an opaque OAuth access token.</p>
+<h2>Contact</h2>
+<p>Questions or requests: <a href="mailto:${CONTACT_EMAIL}">${CONTACT_EMAIL}</a> or open an issue at
+<a href="https://github.com/vuluu2k/webcake-storefront-mcp/issues">github.com/vuluu2k/webcake-storefront-mcp</a>.</p>`);
+}
+export function termsHtml() {
+    return page("Terms of Service", `<h1>Terms of Service</h1>
+<div class="meta">Last updated: ${LAST_UPDATED}</div>
+<p>By connecting to and using the WebCake Storefront MCP connector ("the service") you agree to these terms.</p>
+<h2>What the service does</h2>
+<p>The service exposes tools that let an AI assistant create, update, and manage storefront pages, products,
+articles, customers, and orders in your WebCake / StoreCake account. It acts on your behalf using credentials
+you authorize through the WebCake OAuth login flow.</p>
+<h2>Your responsibilities</h2>
+<ul>
+  <li>You must have a valid WebCake / StoreCake account and the necessary permissions for any sites you target.</li>
+  <li>You are responsible for all content you generate and publish through the service, and for complying with
+  WebCake's terms of service and applicable law.</li>
+  <li>Do not use the service to create, distribute, or publish unlawful, infringing, or harmful content.</li>
+  <li>Do not attempt to use the service to access accounts or data you are not authorized to access.</li>
+</ul>
+<h2>Availability &amp; changes</h2>
+<p>The service is provided "as is" without warranty of any kind. We may update, suspend, or discontinue it at
+any time and may change these terms; continued use after a change constitutes acceptance of the new terms.</p>
+<h2>Limitation of liability</h2>
+<p>To the fullest extent permitted by applicable law, the operators of the connector are not liable for
+indirect, incidental, or consequential damages arising from use of the service. The service relies on
+third-party platforms (WebCake, the AI assistant host) whose own terms also apply.</p>
+<h2>Intellectual property</h2>
+<p>The connector is open-source software released under the MIT License. The WebCake trademarks and platform
+are owned by their respective holders.</p>
+<h2>Contact</h2>
+<p><a href="mailto:${CONTACT_EMAIL}">${CONTACT_EMAIL}</a> &middot;
+<a href="https://github.com/vuluu2k/webcake-storefront-mcp/issues">GitHub Issues</a></p>`);
+}

package/dist/web-guide.js ADDED Viewed

@@ -0,0 +1,370 @@
+/**
+ * Marketing landing page for the WebCake Storefront MCP connector.
+ *
+ * Served at GET / when the client sends Accept: text/html or is a known bot UA.
+ * Programmatic requests (healthcheck probes, MCP clients) still get JSON.
+ */
+const GITHUB_URL = "https://github.com/vuluu2k/webcake-storefront-mcp";
+const NPM_URL = "https://www.npmjs.com/package/webcake-storefront-mcp";
+const WEBCAKE_URL = "https://webcake.io";
+const FAVICON_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32">
+  <rect width="32" height="32" rx="7" fill="url(#g)"/>
+  <defs><linearGradient id="g" x1="0" y1="0" x2="1" y2="1">
+    <stop offset="0%" stop-color="#3FBB57"/>
+    <stop offset="100%" stop-color="#108B67"/>
+  </linearGradient></defs>
+  <text x="16" y="22" text-anchor="middle" font-family="system-ui,sans-serif" font-weight="700" font-size="17" fill="white">S</text>
+  <circle cx="24" cy="9" r="4" fill="#FFD591"/>
+</svg>`;
+export function faviconSvg() {
+    return FAVICON_SVG;
+}
+export function landingHtml(origin = "") {
+    const mcpUrl = `${origin}/mcp`;
+    const npxCmd = `npx webcake-storefront-mcp@latest`;
+    return `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>WebCake Storefront MCP — Build storefronts with AI</title>
+<meta name="description" content="An MCP server that exposes ~101 tools for building and managing WebCake / StoreCake storefronts from any AI assistant — Claude, Cursor, Windsurf, and more.">
+<meta property="og:type" content="website">
+<meta property="og:title" content="WebCake Storefront MCP">
+<meta property="og:description" content="Build, edit, and publish storefront pages, products, articles, and more — straight from your AI assistant.">
+<meta property="og:image" content="${origin}/favicon.svg">
+<meta property="og:url" content="${origin}">
+<meta name="twitter:card" content="summary">
+<meta name="twitter:title" content="WebCake Storefront MCP">
+<meta name="twitter:description" content="~101 MCP tools for AI-powered storefront building on WebCake / StoreCake.">
+<meta name="twitter:image" content="${origin}/favicon.svg">
+<link rel="icon" type="image/svg+xml" href="/favicon.svg">
+<style>
+:root {
+  --green: #108B67;
+  --green-light: #3FBB57;
+  --accent: #FFD591;
+  --bg: #f8fafc;
+  --bg2: #f1f5f9;
+  --text: #1e293b;
+  --muted: #64748b;
+  --border: rgba(0,0,0,.08);
+  --card: #fff;
+  color-scheme: light dark;
+}
+@media (prefers-color-scheme: dark) {
+  :root {
+    --bg: #0f172a;
+    --bg2: #1e293b;
+    --text: #e2e8f0;
+    --muted: #94a3b8;
+    --border: rgba(255,255,255,.08);
+    --card: #1e293b;
+  }
+}
+*,*::before,*::after{box-sizing:border-box;margin:0;padding:0}
+body{font-family:system-ui,-apple-system,"Segoe UI",Roboto,sans-serif;background:var(--bg);color:var(--text);line-height:1.6}
+a{color:var(--green);text-decoration:none}
+a:hover{text-decoration:underline}
+.container{max-width:900px;margin:0 auto;padding:0 24px}
+/* Nav */
+nav{border-bottom:1px solid var(--border);padding:14px 0}
+.nav-inner{display:flex;align-items:center;justify-content:space-between}
+.nav-logo{display:flex;align-items:center;gap:10px;font-weight:700;font-size:1.05rem;color:var(--text);text-decoration:none}
+.nav-logo svg{flex-shrink:0}
+.nav-links{display:flex;align-items:center;gap:20px;font-size:.9rem}
+.nav-links a{color:var(--muted)}
+.nav-links a:hover{color:var(--text);text-decoration:none}
+.btn{display:inline-flex;align-items:center;gap:6px;padding:8px 18px;border-radius:8px;font-size:.9rem;font-weight:600;cursor:pointer;border:none;transition:opacity .15s}
+.btn-primary{background:var(--green);color:#fff}
+.btn-primary:hover{opacity:.88;text-decoration:none}
+.btn-outline{background:transparent;color:var(--text);border:1px solid var(--border)}
+.btn-outline:hover{background:var(--bg2);text-decoration:none}
+/* Hero */
+.hero{padding:80px 0 64px;text-align:center}
+.hero-badge{display:inline-flex;align-items:center;gap:6px;background:var(--bg2);border:1px solid var(--border);border-radius:99px;padding:5px 14px;font-size:.82rem;color:var(--muted);margin-bottom:28px}
+.hero h1{font-size:clamp(2rem,5vw,3.2rem);font-weight:800;line-height:1.15;letter-spacing:-.02em;margin-bottom:20px}
+.hero h1 span{color:var(--green)}
+.hero p{font-size:1.15rem;color:var(--muted);max-width:580px;margin:0 auto 36px}
+.hero-actions{display:flex;align-items:center;justify-content:center;gap:12px;flex-wrap:wrap}
+.hero-mcp{margin-top:40px;background:var(--bg2);border:1px solid var(--border);border-radius:12px;padding:18px 24px;display:inline-block;text-align:left;max-width:620px;width:100%}
+.hero-mcp label{font-size:.78rem;color:var(--muted);text-transform:uppercase;letter-spacing:.05em;display:block;margin-bottom:8px}
+.hero-mcp-row{display:flex;align-items:center;gap:10px}
+.hero-mcp code{font-family:ui-monospace,SFMono-Regular,Menlo,monospace;font-size:.95rem;flex:1;word-break:break-all;color:var(--text)}
+.copy-btn{background:var(--card);border:1px solid var(--border);border-radius:6px;padding:5px 10px;font-size:.8rem;color:var(--muted);cursor:pointer;white-space:nowrap;transition:background .15s}
+.copy-btn:hover{background:var(--bg2)}
+/* Badges */
+.badges{display:flex;align-items:center;justify-content:center;gap:8px;flex-wrap:wrap;margin:28px 0}
+.badges img{height:20px}
+/* Features */
+.section{padding:56px 0}
+.section-label{font-size:.82rem;font-weight:600;text-transform:uppercase;letter-spacing:.08em;color:var(--green);margin-bottom:10px}
+.section h2{font-size:clamp(1.5rem,3vw,2.1rem);font-weight:700;letter-spacing:-.01em;margin-bottom:12px}
+.section p.lead{color:var(--muted);font-size:1.05rem;max-width:560px;margin-bottom:40px}
+.grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(240px,1fr));gap:20px}
+.card{background:var(--card);border:1px solid var(--border);border-radius:14px;padding:26px}
+.card-icon{font-size:1.6rem;margin-bottom:12px}
+.card h3{font-size:1rem;font-weight:700;margin-bottom:6px}
+.card p{font-size:.9rem;color:var(--muted)}
+/* Tools list */
+.tools-grid{display:grid;grid-template-columns:repeat(auto-fill,minmax(200px,1fr));gap:10px}
+.tool-chip{background:var(--bg2);border:1px solid var(--border);border-radius:8px;padding:9px 14px;font-size:.83rem;font-family:ui-monospace,SFMono-Regular,Menlo,monospace;color:var(--text)}
+/* Install */
+.install-block{background:var(--card);border:1px solid var(--border);border-radius:14px;padding:32px;margin-top:32px}
+.install-block h3{font-size:1.1rem;font-weight:700;margin-bottom:6px}
+.install-block p{color:var(--muted);font-size:.9rem;margin-bottom:18px}
+.code-block{background:var(--bg2);border:1px solid var(--border);border-radius:10px;padding:16px 20px;font-family:ui-monospace,SFMono-Regular,Menlo,monospace;font-size:.9rem;position:relative}
+.code-block .copy-btn{position:absolute;top:10px;right:10px}
+.install-tabs{display:flex;gap:6px;margin-bottom:16px;flex-wrap:wrap}
+.tab-btn{background:var(--bg2);border:1px solid var(--border);border-radius:8px;padding:6px 14px;font-size:.85rem;cursor:pointer;color:var(--muted);transition:all .15s}
+.tab-btn.active,.tab-btn:hover{background:var(--green);color:#fff;border-color:var(--green)}
+/* Footer */
+footer{border-top:1px solid var(--border);padding:40px 0;text-align:center;color:var(--muted);font-size:.88rem}
+footer a{color:var(--muted)}
+footer a:hover{color:var(--text)}
+.footer-links{display:flex;align-items:center;justify-content:center;gap:20px;flex-wrap:wrap;margin-bottom:12px}
+@media(max-width:600px){
+  .hero{padding:52px 0 40px}
+  .hero-mcp-row{flex-direction:column;align-items:flex-start}
+  nav .btn-outline{display:none}
+}
+</style>
+</head>
+<body>
+<nav>
+  <div class="container">
+    <div class="nav-inner">
+      <a class="nav-logo" href="/">
+        <svg width="28" height="28" viewBox="0 0 32 32" xmlns="http://www.w3.org/2000/svg">
+          <rect width="32" height="32" rx="7" fill="url(#ng)"/>
+          <defs><linearGradient id="ng" x1="0" y1="0" x2="1" y2="1">
+            <stop offset="0%" stop-color="#3FBB57"/><stop offset="100%" stop-color="#108B67"/>
+          </linearGradient></defs>
+          <text x="16" y="22" text-anchor="middle" font-family="system-ui,sans-serif" font-weight="700" font-size="17" fill="white">S</text>
+          <circle cx="24" cy="9" r="4" fill="#FFD591"/>
+        </svg>
+        WebCake Storefront MCP
+      </a>
+      <div class="nav-links">
+        <a href="${GITHUB_URL}" target="_blank" rel="noopener">GitHub</a>
+        <a href="/privacy">Privacy</a>
+        <a href="/terms">Terms</a>
+        <a class="btn btn-primary" href="${WEBCAKE_URL}" target="_blank" rel="noopener">Get WebCake</a>
+      </div>
+    </div>
+  </div>
+</nav>
+<main>
+  <div class="hero">
+    <div class="container">
+      <div class="hero-badge">
+        <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5"><path d="M13 2L3 14h9l-1 8 10-12h-9l1-8z"/></svg>
+        ~101 tools &middot; Model Context Protocol
+      </div>
+      <h1>Build your <span>storefront</span><br>from a prompt</h1>
+      <p>An MCP server that connects any AI assistant to your WebCake / StoreCake account — create pages, manage products, publish articles, and more without leaving your IDE.</p>
+      <div class="hero-actions">
+        <a class="btn btn-primary" href="${GITHUB_URL}" target="_blank" rel="noopener">
+          <svg width="16" height="16" viewBox="0 0 24 24" fill="currentColor"><path d="M12 2C6.477 2 2 6.477 2 12c0 4.418 2.865 8.166 6.839 9.489.5.092.682-.217.682-.482 0-.237-.009-.868-.013-1.703-2.782.604-3.369-1.342-3.369-1.342-.454-1.155-1.11-1.462-1.11-1.462-.908-.62.069-.608.069-.608 1.003.07 1.531 1.03 1.531 1.03.892 1.529 2.341 1.087 2.91.832.092-.647.35-1.088.636-1.338-2.22-.253-4.555-1.11-4.555-4.943 0-1.091.39-1.984 1.029-2.683-.103-.253-.446-1.27.098-2.647 0 0 .84-.268 2.75 1.026A9.578 9.578 0 0112 6.836a9.59 9.59 0 012.504.337c1.909-1.294 2.747-1.026 2.747-1.026.546 1.377.203 2.394.1 2.647.64.699 1.028 1.592 1.028 2.683 0 3.842-2.339 4.687-4.566 4.935.359.309.678.919.678 1.852 0 1.336-.012 2.415-.012 2.743 0 .267.18.579.688.481C19.138 20.163 22 16.418 22 12c0-5.523-4.477-10-10-10z"/></svg>
+          GitHub
+        </a>
+        <a class="btn btn-outline" href="${NPM_URL}" target="_blank" rel="noopener">npm package</a>
+      </div>
+      <div class="badges">
+        <a href="${NPM_URL}" target="_blank" rel="noopener"><img src="https://img.shields.io/npm/v/webcake-storefront-mcp?label=npm&color=108B67" alt="npm version"></a>
+        <a href="${NPM_URL}" target="_blank" rel="noopener"><img src="https://img.shields.io/npm/dm/webcake-storefront-mcp?color=3FBB57" alt="npm downloads"></a>
+        <a href="${GITHUB_URL}/blob/main/LICENSE" target="_blank" rel="noopener"><img src="https://img.shields.io/badge/license-MIT-blue" alt="MIT license"></a>
+      </div>
+      <div class="hero-mcp">
+        <label>Remote MCP URL (paste into Claude / Cursor / Windsurf)</label>
+        <div class="hero-mcp-row">
+          <code id="mcp-url">${mcpUrl}</code>
+          <button class="copy-btn" onclick="copyText('mcp-url',this)">Copy</button>
+        </div>
+      </div>
+    </div>
+  </div>
+  <div class="section" style="background:var(--bg2);padding-top:56px;padding-bottom:56px">
+    <div class="container">
+      <div class="section-label">Why Storefront MCP</div>
+      <h2>Everything you need to run a storefront, as MCP tools</h2>
+      <p class="lead">Drop it into your AI IDE and describe what you want — the assistant calls the right tools automatically.</p>
+      <div class="grid">
+        <div class="card">
+          <div class="card-icon">🏗️</div>
+          <h3>Page builder</h3>
+          <p>Create, edit, and publish full storefront pages — sections, layout, custom CSS/JS, and global sections — from natural language.</p>
+        </div>
+        <div class="card">
+          <div class="card-icon">🛍️</div>
+          <h3>Product & collection management</h3>
+          <p>List collections, inspect schemas, query records, and manage the catalog that powers your store.</p>
+        </div>
+        <div class="card">
+          <div class="card-icon">📝</div>
+          <h3>Articles & content</h3>
+          <p>Full CRUD for blog articles — create, draft, update, publish, and delete — with full content control.</p>
+        </div>
+        <div class="card">
+          <div class="card-icon">⚙️</div>
+          <h3>CMS file & function editing</h3>
+          <p>Read, write, and deploy HTTP functions and CMS files directly. Debug and run functions in place.</p>
+        </div>
+        <div class="card">
+          <div class="card-icon">👥</div>
+          <h3>Customer & order data</h3>
+          <p>Look up customers by ID, phone, or email. Read order data. Send transactional emails via the automation API.</p>
+        </div>
+        <div class="card">
+          <div class="card-icon">🔐</div>
+          <h3>OAuth 2.1 + PKCE</h3>
+          <p>Secure per-user authentication — listed in the Claude Connectors Directory. No token in the URL required.</p>
+        </div>
+      </div>
+    </div>
+  </div>
+  <div class="section">
+    <div class="container">
+      <div class="section-label">Tools</div>
+      <h2>~101 tools across 6 categories</h2>
+      <p class="lead">Every tool is typed with Zod schemas and returns structured data the model can reason about.</p>
+      <div class="tools-grid">
+        <div class="tool-chip">list_pages</div>
+        <div class="tool-chip">get_page</div>
+        <div class="tool-chip">create_page</div>
+        <div class="tool-chip">update_page</div>
+        <div class="tool-chip">delete_page</div>
+        <div class="tool-chip">publish_page</div>
+        <div class="tool-chip">get_page_contents</div>
+        <div class="tool-chip">update_page_contents</div>
+        <div class="tool-chip">get_page_custom_code</div>
+        <div class="tool-chip">update_page_custom_code</div>
+        <div class="tool-chip">list_global_sections</div>
+        <div class="tool-chip">get_global_section</div>
+        <div class="tool-chip">list_cms_files</div>
+        <div class="tool-chip">get_http_function</div>
+        <div class="tool-chip">create_http_function</div>
+        <div class="tool-chip">update_http_function</div>
+        <div class="tool-chip">delete_http_function</div>
+        <div class="tool-chip">debug_http_function</div>
+        <div class="tool-chip">run_http_function</div>
+        <div class="tool-chip">list_collections</div>
+        <div class="tool-chip">get_collection_schema</div>
+        <div class="tool-chip">query_collection</div>
+        <div class="tool-chip">list_articles</div>
+        <div class="tool-chip">get_article</div>
+        <div class="tool-chip">create_article</div>
+        <div class="tool-chip">update_article</div>
+        <div class="tool-chip">delete_article</div>
+        <div class="tool-chip">get_customer</div>
+        <div class="tool-chip">send_email</div>
+        <div class="tool-chip">get_site_custom_code</div>
+        <div class="tool-chip">update_site_custom_code</div>
+        <div class="tool-chip">+ many more…</div>
+      </div>
+    </div>
+  </div>
+  <div class="section" style="background:var(--bg2);padding-top:56px;padding-bottom:56px">
+    <div class="container">
+      <div class="section-label">Get started</div>
+      <h2>Two ways to connect</h2>
+      <p class="lead">Use the hosted remote URL for instant setup, or run locally via npx for full control.</p>
+      <div class="install-block">
+        <h3>Option 1 — Remote (recommended)</h3>
+        <p>Paste the MCP URL into your AI assistant. OAuth login handles authentication automatically.</p>
+        <div class="code-block">
+          <code id="remote-url">${mcpUrl}</code>
+          <button class="copy-btn" onclick="copyText('remote-url',this)">Copy</button>
+        </div>
+      </div>
+      <div class="install-block" style="margin-top:16px">
+        <h3>Option 2 — Local via npx</h3>
+        <p>Run the MCP server on your own machine. Great for development or offline use.</p>
+        <div class="install-tabs">
+          <button class="tab-btn active" onclick="showTab('npx',this)">npx</button>
+          <button class="tab-btn" onclick="showTab('login',this)">login flow</button>
+          <button class="tab-btn" onclick="showTab('env',this)">env vars</button>
+        </div>
+        <div id="tab-npx" class="code-block">
+          <code id="npx-cmd">${npxCmd} serve --port 3000</code>
+          <button class="copy-btn" onclick="copyText('npx-cmd',this)">Copy</button>
+        </div>
+        <div id="tab-login" class="code-block" style="display:none">
+          <code id="login-cmd">${npxCmd} login</code>
+          <button class="copy-btn" onclick="copyText('login-cmd',this)">Copy</button>
+        </div>
+        <div id="tab-env" class="code-block" style="display:none">
+          <code id="env-cmd">WEBCAKE_TOKEN=your_jwt WEBCAKE_SITE_ID=your_site ${npxCmd}</code>
+          <button class="copy-btn" onclick="copyText('env-cmd',this)">Copy</button>
+        </div>
+      </div>
+    </div>
+  </div>
+  <div class="section">
+    <div class="container" style="text-align:center">
+      <div class="section-label">Open source</div>
+      <h2>MIT licensed, community-driven</h2>
+      <p class="lead" style="margin:0 auto 32px">Contributions welcome. Open an issue or PR on GitHub.</p>
+      <a class="btn btn-primary" href="${GITHUB_URL}" target="_blank" rel="noopener" style="margin:0 auto">View on GitHub</a>
+    </div>
+  </div>
+</main>
+<footer>
+  <div class="container">
+    <div class="footer-links">
+      <a href="${GITHUB_URL}" target="_blank" rel="noopener">GitHub</a>
+      <a href="${NPM_URL}" target="_blank" rel="noopener">npm</a>
+      <a href="${WEBCAKE_URL}" target="_blank" rel="noopener">WebCake</a>
+      <a href="/privacy">Privacy Policy</a>
+      <a href="/terms">Terms of Service</a>
+    </div>
+    <p>WebCake Storefront MCP &copy; ${new Date().getFullYear()} &middot; MIT License</p>
+  </div>
+</footer>
+<script>
+function copyText(id, btn) {
+  const el = document.getElementById(id);
+  if (!el) return;
+  navigator.clipboard.writeText(el.textContent || '').then(() => {
+    const orig = btn.textContent;
+    btn.textContent = 'Copied!';
+    setTimeout(() => { btn.textContent = orig; }, 1500);
+  }).catch(() => {
+    const r = document.createRange();
+    r.selectNodeContents(el);
+    window.getSelection()?.removeAllRanges();
+    window.getSelection()?.addRange(r);
+  });
+}
+function showTab(name, btn) {
+  ['npx','login','env'].forEach(t => {
+    const el = document.getElementById('tab-' + t);
+    if (el) el.style.display = t === name ? '' : 'none';
+  });
+  document.querySelectorAll('.tab-btn').forEach(b => b.classList.remove('active'));
+  btn.classList.add('active');
+}
+</script>
+</body>
+</html>`;
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "webcake-storefront-mcp",
-  "version": "1.0.3",
+  "version": "1.1.0",
   "description": "MCP server for the WebCake/StoreCake storefront builder — page CRUD, page authoring, products, orders, and more",
   "mcpName": "io.github.vuluu2k/webcake-storefront-mcp",
   "license": "MIT",